Define and maintain event types in Splunk Web
An event type represents a search that returns a specific type of event or a useful collection of events. A single event can match multiple event types.
When you create an event type through Splunk Web the Splunk platform adds its definition to
<app> is your current app context. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), the Splunk platform moves the event type to
Important event type definition restrictions
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
- Is defined by a simple search that uses the savedsearch command to reference a report name. For example, if you have a report named failed_login_search, you should not use this search to define the event type: | savedsearch failed_login_search. In this case you should instead use the search string that defines failed_login_search as the definition of the event type.
This last point is more of a best practice than a strict limitation. If you define your event type as an existing saved search, you are setting up an event type that can end up returning invalid results when another user changes the search string that defines the existing saved search. You have more control over the ongoing validity of an event type if you use actual search strings in its definition.
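As an added illustration that is not part of the Splunk documentation, the following Python check screens a candidate search string against the three restrictions above before it is saved as an event type. The function names and the quote-stripping approach are my own assumptions; it approximates SPL syntax rather than parsing it fully.

```python
import re

def _strip_quoted(search: str) -> str:
    """Blank out double-quoted literals so a '|' or '[' inside a quoted
    value (e.g. host="web|01") is not mistaken for a pipe or subsearch."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', search)

def event_type_violations(search: str) -> list:
    """Return the restrictions from the page that `search` breaks.

    An empty list means the string is acceptable as an event type definition.
    Hypothetical helper; the check is heuristic, not a full SPL parser."""
    problems = []
    s = _strip_quoted(search.strip())
    # A leading pipe marks a generating command; look at what follows it.
    body = s[1:].strip() if s.startswith("|") else s
    # Restriction: the definition references a report via savedsearch.
    if re.match(r"savedsearch\b", body, re.IGNORECASE):
        problems.append("references a report via savedsearch; use the report's own search string")
    # Restriction: the search includes a subsearch (square brackets).
    if "[" in s or "]" in s:
        problems.append("includes a subsearch")
    # Restriction: a pipe operator follows the simple search.
    if "|" in body:
        problems.append("includes a pipe operator after a simple search")
    return problems

if __name__ == "__main__":
    # Constructed sample definitions, not taken from any real deployment.
    for candidate in (
        'sourcetype=access_combined status=404',
        'host="web|01" error',
        '| savedsearch failed_login_search',
        'index=_internal | stats count',
        'index=main [search error | head 1]',
    ):
        print(repr(candidate), "->", event_type_violations(candidate) or "ok")
```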
Save a search you have just run as an event type
When you run a search, you can save that search as an event type. Event types usually represent searches that return a specific type of event, or that return a useful variety of events.
1. In the Search view, run a search.
2. Click Save As and select Event Type.
- The Save As Event Type dialog appears.
3. Give the event type a Name.
4. (Optional) Associate one or more comma-separated tags to the event type.
- You can apply the same tag to event types that produce similar results. A search that is just on that tag returns the set of events that collectively belong to those event types.
5. Click Save to save the new event type.
- You can access the list of event types that you and other users have created at Settings > Event types.
You can now use your new event type in searches. If you named your event type foo, you'd use it in a search like this:
Automatically find and build event types
Unsure whether you have any potentially useful event types in your IT data? Splunk Enterprise provides utilities that dynamically and intelligently locate and create useful event types:
- Find event types: The findtypes search command analyzes a given set of events and identifies common patterns that could be turned into useful event types.
- Build event types: The Build Event Type utility enables you to dynamically create event types based on events returned by searches. This utility also enables you to assign specific colors to event types. For example, if you say that a "sendmail error" event type is red, then the next time you run a search that returns events that fit that event type, they'll be easy to spot, because they'll show up as red in the event listing.
Find event types
To use the event type finder, add this to the end of your search:
Searches that use the findtypes command return a breakdown of the most common groups of events found in the search results. They are:
- ordered in terms of "coverage" (frequency). This helps you easily identify kinds of events that are subsets of larger event groupings.
- coupled with searches that can be used as the basis for event types that will help you locate similar events.
findtypes returns the top 10 potential event types found in the sample, in terms of the number of events that match each kind of event discovered. You can increase this number by adding a
Splunk Enterprise also indicates whether or not the event groupings discovered with findtypes have already been associated with other event types.
The findtypes command analyzes 5000 events at most to return these results. You can lower this number using the head command for a more efficient search:
...| head 1000 | findtypes
Build event types
If you find an event in your search results that you'd like to base an event type on, open the dropdown event menu (find the down arrow next to the event timestamp) and click Build event type.
Splunk Enterprise takes you to the Build Event Type utility (often referred to as the "Event Type Builder"). You can use this utility to design a search that returns a select set of events, and then create an event type based on that search.
The Build Event Type utility finds a set of sample events that are similar to the one you selected from your search results. In the Event type features sidebar, you'll find possible field/value pairings that you can use to narrow down the event type search further.
The Build Event Type utility also displays a search string under Generated event type at the top of the page. This is the search that the event type you're building will be based upon. As you select other field/value pairs in the Event type features sidebar, the Generated event type updates to include those selections. The list of sample events updates as well, to reflect the kinds of events that the newly modified event type search would return.
If you want to edit the event type search directly, click Edit. This brings up the Edit Event Type dialog, which you can use to edit the search string.
Test potential searches before saving them as event types
When you build a search that you think might be a useful event type, test it. Click Test to see the search run in a separate window.
Save a tested search as an event type
If you test a search and it looks like it's returning the correct set of events, you can click Save to save it as an event type. The Save Event Type dialog appears.
Enter a name for the event type. Then, you can optionally use the Style list to associate a color for the event type. After you save, any event that matches the event type will appear in search results in that color. For example, say you create an event type called sendmail_bounce and save it with a Style of red. Then, when you run a search that returns events that match this event type, those events will be easy to spot, because they'll be colored red.
You can use the Priority list to help Splunk Enterprise handle situations where events match more than one event type with a Style setting. For example, say you have two event types: one with a High priority and a red style, and one with an Average priority and a teal style. If an event in your results matches both of these event types, the High priority event type trumps the Average priority event type, and the event appears red in your search results.
Add and maintain event types in Splunk Web
The Event Types page in Splunk Web lets you view and maintain details of the event types that you have created or which you have permission to edit. You can also add new event types through the Event Types page. Event types displayed on the Event Types page may be available globally (system-wide) or they may apply to specific Apps.
Adding an event type in Splunk Web
To add an event type in Splunk Web, navigate to the Event Types page and click New. Splunk Enterprise takes you to the Add New event types page.
From this page you enter the new event type's Destination App, Name, and the Search string that ultimately defines the event type (see "Save a search as an event", above).
Note: All event types are initially created for a specific App. To make a particular event type available to all users on a global basis, you have to locate the event type on the Event Types page, click its Permissions link, and change the This app only selection to All apps. For more information about setting permissions for event types (and other knowledge object types), see "Manage knowledge object permissions," in this manual.
You can optionally include Tags for the event type. For more information about tagging event types and other kinds of Splunk Enterprise knowledge, see "About tags and aliases" in this manual.
You can also optionally select a Priority for the event type, where 1 is the highest priority and 10 is the lowest. The Priority setting is important for common situations where you have events that fit two or more event types. When the event turns up in search results, Splunk Enterprise displays the event types associated with the event in a specific order. You use the Priority setting to ensure that certain event types take precedence over others in this display order.
If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a higher priority. For example, you could easily have a set of events that are part of a wide-ranging system_error event type. Within that large set of events, you could have events that also belong to more precisely focused event types like
In a situation like this, you could give the system_error event type a Priority of 10, while giving the other two error codes Priority values in the 1 to 5 range. This way, when events that match both system_error and critical_disc_error appear in search results, the critical_disc_error event type is always listed ahead of the system_error event type.
Maintaining event types in Splunk Web
To update the details of an event type, locate it in the list on the Event Types page (Settings > Event Types), and click its name. Splunk Enterprise takes you to the details page for the event type, where you can edit the Search string, Tags, and Priority for the event type, if you have the permissions to do so. You can also update permissions for event types and delete event types through the Event Types page, if you have edit permissions for them.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14