Configure event type templates
Event type templates create event types at search time. If you have Splunk Enterprise, you define event type templates in eventtypes.conf. Edit
$SPLUNK_HOME/etc/system/local/, or your own custom app directory in
For more information on configuration files in general, see "About configuration files" in the Admin manual.
Event type template configuration
Event type templates use a field name surrounded by percent characters to create event types at search time where the
%$FIELD% value is substituted into the name of the event type.
So if the search query in the template returns an event where
%$FIELD%=bar, an event type titled
$NAME-bar is created for that event.
[cisco-%code%] search = cisco
If a search on "cisco" returns an event that has
code=432, Splunk Enterprise creates an event type titled "cisco-432".
Configure event types in eventtypes.conf
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1