Automatically find and build event types
The following utilities automatically locate and create event types to help you determine whether you have any potentially useful event types in your data:
- Find event types: The
findtypessearch command analyzes an event set and identifies patterns in your events that can be turned into useful event types.
- Build event types: The Build Event Type utility creates event types based on individual events. This utility also enables you to assign specific colors to event types. For example, if you say that a "sendmail error" event type is red, then the next time you run a search that returns events that fit that event type, they'll be easy to spot, because they'll show up as red in the event listing.
Use the findtypes command to find event types in your search data
To see the event types in the data that a search returns, add the
findtypes command to the end of the search:
Searches that use
findtypes return a breakdown of the most common groups of events found in the search results. They are:
- ordered in terms of "coverage" (frequency). This helps you easily identify kinds of events that are subsets of larger event groupings.
- coupled with searches that can be used as the basis for event types that will help you locate similar events.
findtypes returns the top 10 potential event types found in the sample, in terms of the number of events that match each kind of event discovered. You can increase this number by adding a
max argument. For example,
findtypes max=30 returns the top 30 potential event types in an event sample.
findtypes command also indicates whether or not the event groupings that it discovers match other event types.
Note: To return these results, the
findtypes command analyzes up to 5000 events. For a more efficient--but potentially less accurate--search, you can lower this number using the
...| head 1000 | findtypes
Use the Build Event Type utility to create event types
The Build Event Type utility or "Event Type Builder" leads you through the process of creating an event type that is based on an event in your search results.
- Run a search that returns events that you want to base an event type on.
- Identify an event in the results returned by the search that could be an event type and expand it.
- Click Event Actions and select Build Event Type.
As you use the Build Event Type utility, you design a search that returns a specific set of results. This search string appears under Generated event type at the top of the utility interface.
The utility also displays a list of sample events. This list updates dynamically as you refine the event type search string.
- In the Event type features sidebar, select field-value pairings that narrow down the event type search.
As you make selections the Generated event type search updates to include them. The list of sample events also updates to illustrate the events that match the event type that you are designing.
- (Optional) At any time you can edit the event type search directly by clicking Edit.
- (Optional) When you think your search might be a useful event type, test it by clicking Test.
The search runs in a separate window.
- When you have a search that returns the correct set of events, click Save to open the Save event type dialog.
- Give the event type a Name.
- (Optional) Give the event type a Style.
Style is the same as Color in other event type definition workflows. This causes a band of color to appear at the start of the listing for any event that fits this event type. For example, this event matches an event type that has a Style of Purple.
You can change the color of an event type (or remove its color entirely) by editing it in Settings.
- (Optional) Give the event type a Priority.
Priority affects the display of events that match two or more event types. 1 is the best Priority and 10 is the worst.
Priority determines the order of the event type listing in the expanded event. It also determines which color displays for the event type if two or more of the event types matching the event have a defined Color value.
See About event type priorities.
- Click Save to save the event type.
About event type priorities
Configure event types in eventtypes.conf
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2303, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)
Feedback submitted, thanks!