Configure event types in eventtypes.conf
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in
$SPLUNK_HOME/etc/system/default/eventtypes.conf. The Splunk software adds any event types you create through Splunk Web to
<app> is your current app context.
Important event type definition restrictions
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
- Is defined by a simple search that uses the
savedsearchcommand to reference a report name. For example, if you have a report named
failed_login_search, you should not use this search to define the event type:
| savedsearch failed_login_search. In this case you should instead use the search string that defines
failed_login_searchas the definition of the event type.
This last point is more of a best practice than a strict limitation. You want to avoid situations where the search string underneath
failed_login_search is modified by another user at a future date, possibly in a way that breaks the event type. You have more control over the ongoing validity of the event type if you use actual search strings in its definition.
Configure event types
When you run a search, you can save that search as an event type. Event types usually represent searches that return a specific type of event, or that return a useful variety of events.
- About event types for more information on event types.
- About event type priorities for information on event type priorities.
- Event type syntax for information on the syntax for event type configuration.
- Make changes to event types in
$SPLUNK_HOME/etc/system/local/or your own custom app directory in
$SPLUNK_HOME/etc/system/README/eventtypes.conf.exampleas an example, or create your own
- (Optional) Configure a search term for this event type.
- (Optional) Enter a human-readable description of the event type.
- (Optional) Give the event type a priority.
- (Optional) Give the event type a color.
Event type syntax
Use the following format when you define an event type in
[$EVENTTYPE] disabled = <1|0> search = <string> description = <string> priority = <integer> color = <string>
$EVENTTYPE is the header and the name of your event type. You can have any number of event types, each represented by a stanza and any number of the following attribute-value pairs.
Note: If the name of the event type includes field names surrounded by the percent character (for example,
%$FIELD%) then the value of
$FIELD is substituted at search time into the event type name for that event. For example, an event type with the header
[cisco-%code%] that has
code=432 becomes labeled
||Toggle event type on or off. Set to 1 to disable the event type.|
||Search terms for this event type. For example, error OR warn.|
||Optional human-readable description of the event type.|
||Specifies the order in which matching event types are displayed for an event. 1 is the highest, and 10 is the lowest.|
||Color for this event type. The supported colors are: none, et_blue, et_green, et_magenta, et_orange, et_purple, et_red, et_sky, et_teal, et_yellow.|
Note: You can tag
eventtype field values the same way you tag any other field-value combination. See the
tags.conf spec file for more information.
Here are two event types; one is called
web, and the other is called
[web] search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi [fatal] search = FATAL
Disable event types
Disable an event type by adding
disabled = 1 to the event type stanza
[$EVENTTYPE] disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the
web event type, add the following entry to its stanza:
[web] disabled = 1
Automatically find and build event types
Configure event type templates
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209 (latest FedRAMP release), 8.2.2106, 8.2.2109, 8.2.2107, 8.2.2111, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208