Splunk® Enterprise

Knowledge Manager Manual


Define and maintain event types in Splunk Web

An event type represents a search that returns a specific type of event or a useful collection of events. Every event that can be returned by that search gets an association with that event type. For example, say you have this search:

sourcetype=access_combined status=200 action=purchase

If you save that search as an event type named successful_purchase, any event that could be returned by that search gets eventtype=successful_purchase added to it at search time. This happens even if you are searching for something completely different.

Later, if you want to build a search that works only with events matching that event type, include eventtype=successful_purchase in the search string.

A single event can match multiple event types. When an event matches two or more event types, eventtype acts as a multivalue field.

Important event type definition restrictions

You cannot base an event type on a search that:

  • Includes a pipe operator after a simple search.
  • Includes a subsearch.
  • Is defined by a simple search that uses the savedsearch command to reference a report name. For example, if you have a report named failed_login_search, you should not use this search to define the event type: | savedsearch failed_login_search. In this case you should instead use the search string that defines failed_login_search as the definition of the event type.

This last point is more of a best practice than a strict limitation. If you define your event type as an existing saved search, you are setting up an event type that can end up returning invalid results when another user changes the search string that defines the existing saved search. You have more control over the ongoing validity of an event type if you use actual search strings in its definition.

Save a search you have just run as an event type

When you run a search, you can save that search as an event type. Event types usually represent searches that return a specific type of event, or that return a useful variety of events.

  1. In the Search view, run a search.
  2. Click Save As and select Event Type.
  3. Give the event type a unique Name.
  4. (Optional) Add one or more comma-separated Tag(s).

    You can apply the same tag to event types that produce similar results. A search on that tag alone returns the set of events that collectively belong to those event types.

  5. (Optional) Select a Color.

    This causes a band of color to appear at the start of the listing for any event that fits this event type. For example, this event matches an event type that has a Color of Purple.

    (Image: event type coloring)

    You can change the color of an event type (or remove its color entirely) by editing it in Settings.

  6. (Optional) Give the event type a Priority.

    Priority affects the display of events that match two or more event types. 1 is the best Priority and 10 is the worst.

    Priority determines the order of the event type listing in the expanded event. It also determines which color displays for the event type if two or more of the event types matching the event have a defined Color value.
    See "About event type priorities" in this topic.

  7. Click Save to save the new event type.

    You can access the list of event types that you and other users have created at Settings > Event types.

When you create an event type, the event type definition is added to eventtypes.conf in $SPLUNK_HOME/etc/users/<your-username>/<app>/local/, where <app> is your current app context. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), the Splunk platform moves the event type to $SPLUNK_HOME/etc/apps/<App>/local/.

Any event type that you create with this method also appears on the Event Types listing page in Settings. This is where you go if you need to update the event type. For more information, see The Event Types page in Settings, in this topic.

The Event Types page in Settings

The Event Types page in Settings displays a list of the event types that you have permission to view or edit. You can use the Event Types page to create new event types and maintain existing event types.

Add an event type in Settings

You can create a new event type through the Event Types page.

Prerequisites

Steps for adding a new event type in Settings

  1. Navigate to Settings > Event Types.
  2. Click New.

    (Image: adding a new event type in Settings)

  3. (Optional) Change the Destination App value to the correct app for the event type, if it is not your current app context.
  4. Provide a unique Name for the event type.
  5. Enter the Search String for the event type.

    This should be a search that consistently returns a specific kind of event.

  6. (Optional) Add one or more comma-separated Tag(s).

    You can apply the same tag to event types that produce similar results. A search on that tag alone returns the set of events that collectively belong to those event types.

  7. (Optional) Select a Color.

    This causes a band of color to appear at the start of the listing for any event that fits this event type.

  8. (Optional) Give the event type a Priority.

    Priority affects the display of events that match two or more event types. 1 is the best Priority and 10 is the worst.

    Priority determines the order of the event type listing in the expanded event. It also determines which color displays for the event type if two or more of the event types matching the event have a defined Color value.
    For more information see "About event type priorities" in this topic.

  9. Click Save to save the event type.

    Note: All event types are initially created for a specific App. To make a particular event type available to all users on a global basis, you have to give all roles read or write access to the app and make it available to all apps. For more information about setting permissions for event types (and other knowledge object types), see "Manage knowledge object permissions," in this manual.

Update an event type in Settings

You can update the definition of any event type that you have created or which you have permissions to edit.

  1. Navigate to Settings > Event Types.
  2. Locate the event type that you would like to update in the Event Types listing page and click its name.
  3. Update the Search String, Tag(s), Color, and Priority of the event type as necessary.
  4. Click Save to save your changes.

About event type priorities

The Priority value that you select for an event type affects the display of events that match that event type, when those events also match other event types.

Priority affects the event type listing order in expanded events

Event type matching takes place at search time. When you run a search and an event returned by that search matches an event type, Splunk software adds the corresponding eventtype field/value pair to it, where the value is the event type name.

You can see the event types that have been added to an event when you review your search results. Expand the event and check to see if the eventtype field is listed. If you see it, the event matches at least one event type.

If the event matches two or more event types, eventtype becomes a multivalued field whose values are ordered alphabetically, with the exception of event types that have a Priority setting. Event types with a Priority setting are listed above the event types without one, and they are ordered according to their Priority value.

If you have a number of overlapping event types, or event types that are subsets of larger ones, you may want to give the precisely focused event types a better priority. For example, you could easily have a set of events that are part of a wide-ranging all_system_errors event type. Within that large set of events, you could have events that also belong to more precisely focused event types like critical_disk_error and bad_external_resource_error.

Here is an example of an event that matches the all_system_errors and critical_disk_error event types.

(Image: event type priority)

In this example, the critical_disk_error event type has a priority of 3 while the all_system_errors event type has a priority of 7. 3 is a better priority value than 7, so critical_disk_error appears first in the list order.

Priority determines which event type color displays for an event

Only one event type color can be displayed per event. When an event matches multiple event types, and two or more of those event types have a Color value, the Color for the event type with the best Priority value is displayed.

Following from the previous example, here is an example of two events with event type coloration.

(Image: event type color dominance)

Both events match the all_system_errors event type, which has a Color value of Orange. Events that have all_system_errors as the dominant event type display with orange event type coloration. One of the events also matches the critical_disk_error event type, which has a better Priority than all_system_errors. The critical_disk_error event type has Color set to Purple, so the event that matches it has purple event type coloration instead of orange.
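The following Python script is an added illustration written for this page; it is not Splunk code and does not reproduce Splunk's search engine. It reads a constructed eventtypes.conf-style stanza file (using the documented `search`, `priority` and `color` setting names, with stanza names, searches and events made up here, and plain-word color names instead of Splunk's own color identifiers), applies each event type's search to a few constructed events, and orders the resulting eventtype values the way the priority sections above describe: event types with a Priority first, by value, then the rest alphabetically, with the dominant color taken from the best-priority colored match. It assumes that searches are plain conjunctions of field=value terms (the simple-search restriction given earlier), that ties between equal priorities are broken alphabetically, and that when no colored match has a Priority the first one in display order supplies the color; none of those three points is settled by the manual.

```python
import configparser
import shlex

# Constructed eventtypes.conf text. The stanza layout and the `search`,
# `priority` and `color` setting names follow eventtypes.conf; the stanza
# names, search strings and color words are made up for this example
# (real files use Splunk's own color identifiers rather than plain words).
EVENTTYPES_CONF = """
[successful_purchase]
search = sourcetype=access_combined status=200 action=purchase
color = purple
priority = 3

[any_purchase]
search = sourcetype=access_combined action=purchase

[all_system_errors]
search = sourcetype=syslog severity=error
color = orange
priority = 7

[critical_disk_error]
search = sourcetype=syslog severity=error subsystem=disk
color = purple
priority = 3
"""


def load_event_types(conf_text):
    """Parse eventtypes.conf-style text into {name: {"terms", "priority", "color"}}.

    Only simple searches are supported: whitespace-separated field=value terms
    joined by an implicit AND (no pipes, subsearches, OR or wildcards), which
    mirrors the restrictions the manual places on event type searches.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    types = {}
    for name in parser.sections():
        section = parser[name]
        terms = []
        for token in shlex.split(section["search"]):
            field, sep, value = token.partition("=")
            if not sep or not field:
                raise ValueError(f"{name}: unsupported term {token!r}")
            terms.append((field, value))
        priority = section.get("priority")  # None when the stanza sets none
        types[name] = {
            "terms": terms,
            "priority": int(priority) if priority is not None else None,
            "color": section.get("color"),
        }
    return types


def matches(event, terms):
    """True when every field=value term of a simple search matches the event."""
    return all(str(event.get(field)) == value for field, value in terms)


def apply_event_types(event, types):
    """Return the eventtype values for an event in display order.

    Event types with a Priority come first, ordered by that value (1 is best,
    10 worst); event types without one follow, alphabetically. Equal
    priorities are ordered alphabetically (an assumption of this example).
    """
    hits = [name for name, et in types.items() if matches(event, et["terms"])]

    def sort_key(name):
        priority = types[name]["priority"]
        return (priority is None, priority or 0, name)

    return sorted(hits, key=sort_key)


def dominant_color(event, types):
    """Color shown for the event: that of the best-Priority matching event type
    that defines a Color. When no colored match has a Priority, the first one
    in display order is used (an assumption; the manual only covers the case
    where priorities are set). Returns None when no matching type has a color.
    """
    for name in apply_event_types(event, types):
        if types[name]["color"]:
            return types[name]["color"]
    return None


# Constructed events standing in for what a search would return.
EVENTS = {
    "disk_error": {"sourcetype": "syslog", "severity": "error", "subsystem": "disk"},
    "net_error": {"sourcetype": "syslog", "severity": "error", "subsystem": "net"},
    "purchase_ok": {"sourcetype": "access_combined", "status": 200, "action": "purchase"},
    "purchase_failed": {"sourcetype": "access_combined", "status": 500, "action": "purchase"},
}

if __name__ == "__main__":
    event_types = load_event_types(EVENTTYPES_CONF)
    for label, event in EVENTS.items():
        print(label, apply_event_types(event, event_types), dominant_color(event, event_types))
```

Running the script shows the disk error event carrying both critical_disk_error and all_system_errors, with critical_disk_error listed first and purple winning over orange, exactly the situation the two screenshots above describe; the failed purchase matches only the unprioritized any_purchase and gets no color.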

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0

