Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Automatically find and build event types

The following utilities automatically locate and create event types to help you determine whether you have any potentially useful event types in your data:

  • Find event types: The findtypes search command analyzes an event set and identifies patterns in your events that can be turned into useful event types.
  • Build event types: The Build Event Type utility creates event types based on individual events. This utility also enables you to assign specific colors to event types. For example, if you say that a "sendmail error" event type is red, then the next time you run a search that returns events that fit that event type, they'll be easy to spot, because they'll show up as red in the event listing.

Use the findtypes command to find event types in your search data

To see the event types in the data that a search returns, add the findtypes command to the end of the search:

...| findtypes

Searches that use findtypes return a breakdown of the most common groups of events found in the search results. They are:

  • ordered in terms of "coverage" (frequency). This helps you easily identify kinds of events that are subsets of larger event groupings.
  • coupled with searches that can be used as the basis for event types that will help you locate similar events.

6 4 0 event type findtypes.png

By default, findtypes returns the top 10 potential event types found in the sample, in terms of the number of events that match each kind of event discovered. You can increase this number by adding a max argument. For example, findtypes max=30 returns the top 30 potential event types in an event sample.

The findtypes command also indicates whether or not the event groupings that it discovers match other event types.

Note: To return these results, the findtypes command analyzes up to 5000 events. For a more efficient--but potentially less accurate--search, you can lower this number using the head command:

...| head 1000 | findtypes

Use the Build Event Type utility to create event types

The Build Event Type utility or "Event Type Builder" leads you through the process of creating an event type that is based on an event in your search results.

  1. Run a search that returns events that you want to base an event type on.
  2. Identify an event in the results returned by the search that could be an event type and expand it.
  3. Click Event Actions and select Build Event Type.

    SelectBuildEventType.png

    As you use the Build Event Type utility, you design a search that returns a specific set of results. This search string appears under Generated event type at the top of the utility interface.

    The utility also displays a list of sample events. This list updates dynamically as you refine the event type search string.

  4. In the Event type features sidebar, select field-value pairings that narrow down the event type search.

    As you make selections the Generated event type search updates to include them. The list of sample events also updates to illustrate the events that match the event type that you are designing.

  5. (Optional) At any time you can edit the event type search directly by clicking Edit.
  6. (Optional) When you think your search might be a useful event type, test it by clicking Test.

    The search runs in a separate window.

  7. When you have a search that returns the correct set of events, click Save to open the Save event type dialog.

    SaveEventTypeDialog.png

  8. Give the event type a Name.
  9. (Optional) Give the event type a Style.

    Style is the same as Color in other event type definition workflows. This causes a band of color to appear at the start of the listing for any event that fits this event type. For example, this event matches an event type that has a Style of Purple.
    6 4 0 event type coloring.png
    You can change the color of an event type (or remove its color entirely) by editing it in Settings.

  10. (Optional) Give the event type a Priority.

    Priority affects the display of events that match two or more event types. 1 is the best Priority and 10 is the worst.

    Priority determines the order of the event type listing in the expanded event. It also determines which color displays for the event type if two or more of the event types matching the event have a defined Color value.

    See About event type priorities.

  11. Click Save to save the event type.
Last modified on 23 May, 2017
About event type priorities   Configure event types in eventtypes.conf

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters