typer
Description
Creates an eventtype field for search results that match known event types. You must create event types to use this command. See About event types in the Knowledge Manager Manual.
Syntax
The required syntax is in bold.
- typer
- [eventtypes=<string>]
- [maxlen=<unsigned_integer>]
Required arguments
None.
Optional arguments
- eventtypes
- Syntax: eventtypes=<string>
- Description: Provide a comma-separated list of event types to filter the set of event types that typer can return in the eventtype field. The eventtypes argument filters out all event types except the valid event types in its list. If all of the event types listed for eventtypes are invalid, or if no event types are listed, typer is disabled and will not return any event types. The eventtypes argument accepts wildcards.
- Default: No default (by default typer returns all available event types)
- maxlen
- Syntax: maxlen=<unsigned_integer>
- Description: By default, the typer command looks at the first 10000 characters of an event to determine its event type. Use maxlen to override this default. For example, maxlen=300 restricts typer to determining event types from the first 300 characters of events.
Usage
The typer command is a distributable streaming command. See Command types.
Changing the default for maxlen
Users with file system access, such as system administrators, can change the default setting for maxlen.
- Splunk Cloud Platform
- To change the maxlen default setting, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
- Splunk Enterprise
- To change the maxlen default setting, follow these steps.
- Prerequisites
- Only users with file system access, such as system administrators, can change the maxlen default setting using configuration files.
- Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.
- Steps
- Open or create a local limits.conf file for the Search app at $SPLUNK_HOME/etc/apps/search/local.
- Under the [typer] stanza, specify the default for the maxlen setting.
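One way to script the two steps above so that repeated runs leave exactly one maxlen line under [typer]. This is an added example, not part of the Splunk documentation; the function name set_typer_maxlen is hypothetical and the `maxlen = <value>` line format is assumed from the usual .conf key/value layout.

```shell
#!/bin/sh
# Added example (not Splunk's code): set maxlen under [typer] in a local limits.conf.
# Usage: set_typer_maxlen <path/to/local/limits.conf> <unsigned_integer>
set_typer_maxlen() {
    conf=$1
    value=$2
    # maxlen is documented as <unsigned_integer>; reject anything else.
    case $value in
        ''|*[!0-9]*) echo "maxlen must be an unsigned integer" >&2; return 2 ;;
    esac
    # The default directory must stay intact; only edit the local copy.
    case $conf in
        */default/*) echo "refusing to edit a file under default/" >&2; return 3 ;;
    esac
    mkdir -p "$(dirname "$conf")" || return 1
    [ -f "$conf" ] || : > "$conf" || return 1
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        # Write the setting once, inside the first [typer] stanza.
        function emit() { if (in_typer && !done) { print "maxlen = " val; done = 1 } }
        /^[ \t]*\[/ {                         # any stanza header
            emit()                            # leaving [typer] with no maxlen yet
            in_typer = ($0 ~ /^[ \t]*\[typer\][ \t]*$/)
            if (in_typer) seen = 1
            print; next
        }
        in_typer && /^[ \t]*maxlen[ \t]*=/ {  # existing value: replace, drop duplicates
            emit(); next
        }
        { print }
        END {
            emit()
            if (!seen) { print "[typer]"; print "maxlen = " val }
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode of $conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical call on Splunk Enterprise (path from the steps above; 300 is a sample value):
# set_typer_maxlen "$SPLUNK_HOME/etc/apps/search/local/limits.conf" 300
```

Because typer determines event types from the first maxlen characters of an event only, choose a value large enough to cover the text your event types match on.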
Examples
Example 1:
Returns a field called eventtype which lists the names of the event types associated with the search results.
... | typer
See also
- Commands
- typelearner
- Related information
- About event types in the Knowledge Manager Manual
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406, 8.2.2112, 8.2.2202, 9.0.2205, 8.2.2201, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release)