Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
The following are the spec and example files for eventdiscoverer.conf.
#   Version 7.3.1
#
# This file contains possible attributes and values you can use to configure
# event discovery through the search command "typelearner."
#
# There is an eventdiscoverer.conf in $SPLUNK_HOME/etc/system/default/. To set
# custom configurations, place an eventdiscoverer.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see
# eventdiscoverer.conf.example. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top of
#     the file.
#   * Each conf file should have at most one default stanza. If there are
#     multiple default stanzas, attributes are combined. In the case of
#     multiple definitions of the same attribute, the last definition in the
#     file wins.
#   * If an attribute is defined at both the global level and in a specific
#     stanza, the value in the specific stanza takes precedence.

ignored_keywords = <comma-separated list of terms>
* If you find that event types have terms you do not want considered (for
  example, "mylaptopname"), add that term to this list.
* Terms in this list are never considered for defining an event type.
* For more details, refer to $SPLUNK_HOME/etc/system/default/eventdiscoverer.conf.
* Default = "sun, mon, tue,..."

ignored_fields = <comma-separated list of fields>
* Similar to ignored_keywords, except these are fields as defined in Splunk
  instead of terms.
* Defaults include time-related fields that would not be useful for defining
  an event type.

important_keywords = <comma-separated list of terms>
* When there are multiple possible phrases for generating an eventtype search,
  those phrases with important_keyword terms are favored. For example,
  "fatal error" would be preferred over "last message repeated", as "fatal"
  is an important keyword.
* Default = "abort, abstract, accept,..."
* For the full default setting, see
  $SPLUNK_HOME/etc/system/default/eventdiscoverer.conf.
#   Version 7.3.1
#
# This is an example eventdiscoverer.conf. These settings are used to control
# the discovery of common eventtypes used by the typelearner search command.
#
# To use one or more of these configurations, copy the configuration block into
# eventdiscoverer.conf in $SPLUNK_HOME/etc/system/local/. You must restart
# Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# Terms in this list are never considered for defining an eventtype.
ignored_keywords = foo, bar, application, kate, charlie

# Fields in this list are never considered for defining an eventtype.
ignored_fields = pid, others, directory
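Added example, not part of the Splunk documentation or Splunk's own code: a small Python model of the precedence rules (global level vs. stanza, default vs. local, last definition wins) and of the ignored_keywords / important_keywords behaviour described in the spec above. The two conf texts and their keyword lists are constructed for this example, and the phrase ranking is a simplified illustration of "phrases with important_keyword terms are favored", not typelearner's actual algorithm.

```python
import re

# Constructed sample files standing in for the default/ and local/ copies under
# $SPLUNK_HOME/etc/system/; the keyword lists are invented, not Splunk's shipped defaults.
DEFAULT_CONF = """
ignored_keywords = sun, mon, tue
[default]
important_keywords = abort, fatal, error
"""
LOCAL_CONF = """
[default]
ignored_keywords = foo, bar, application, kate, charlie
ignored_fields = pid, others, directory
"""
def parse_conf(text: str) -> dict[str, dict[str, str]]:
    # Settings above any stanza go under '' (global level); repeated [default]
    # stanzas are combined and the last definition of a key wins.
    stanzas: dict[str, dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, _, value = line.partition("=")
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas
def effective_settings(*conf_texts: str, stanza: str = "default") -> dict[str, str]:
    # Simplified precedence: later files (local) override earlier ones (default);
    # within a file, a key in the named stanza overrides the same global-level key.
    merged: dict[str, str] = {}
    for text in conf_texts:
        parsed = parse_conf(text)
        merged.update(parsed.get("", {}))
        merged.update(parsed.get(stanza, {}))
    return merged
def rank_phrases(candidates: list[str], settings: dict[str, str]) -> list[str]:
    # Ignored terms are never considered; phrases with more important_keywords sort
    # first, so "fatal error" lands above "last message repeated".
    ignored = {t.strip().lower() for t in settings.get("ignored_keywords", "").split(",")}
    important = {t.strip().lower() for t in settings.get("important_keywords", "").split(",")}
    scored = []
    for phrase in candidates:
        terms = [t for t in re.findall(r"\w+", phrase.lower()) if t not in ignored]
        if terms:  # a phrase made only of ignored terms is dropped entirely
            scored.append((sum(t in important for t in terms), phrase))
    return [p for _, p in sorted(scored, key=lambda s: -s[0])]
```

With the two constructed files, the local [default] stanza replaces the global-level ignored_keywords from the default file while important_keywords survives, and rank_phrases then places "fatal error" ahead of "last message repeated".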
Last modified on 29 July, 2019
This documentation applies to the following versions of Splunk® Enterprise: 7.3.1