Splunk Cloud Platform

Knowledge Manager Manual

Configure event type templates

Event type templates create event types at search time. If you have Splunk Enterprise, you define event type templates in eventtypes.conf. Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/.

For more information on configuration files in general, see "About configuration files" in the Admin manual.

Event type template configuration

Event type templates use a field name surrounded by percent characters to create event types at search time where the %$FIELD% value is substituted into the name of the event type.

[$NAME-%$FIELD%]
$SEARCH_QUERY

So if the search query in the template returns an event where %$FIELD%=bar, an event type titled $NAME-bar is created for that event.

Example

[cisco-%code%]
search = cisco

If a search on "cisco" returns an event that has code=432, Splunk Enterprise creates an event type titled "cisco-432".

Last modified on 23 May, 2017
Configure event types in eventtypes.conf   About transactions

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters