Splunk Cloud Platform

Search Reference

typer

Description

Creates an eventtype field for search results that match known event types. You must create event types to use this command. See About event types in the Knowledge Manager Manual.

Syntax

The required syntax is in bold.

typer
[eventtypes=<string>]
[maxlen=<unsigned_integer>]

Required arguments

None.

Optional arguments

eventtypes
Syntax: eventtypes=<string>
Description: Provide a comma-separated list of event types to filter the set of event types that typer can return in the eventtype field. The eventtypes argument filters out all event types except the valid event types in its list. If all of the event types listed for eventtypes are invalid, or if no event types are listed, typer is disabled and will not return any event types. The eventtypes argument accepts wildcards.
Default: No default (by default typer returns all available event types)
maxlen
Syntax: maxlen=<unsigned_integer>
Description: By default, the typer command looks at the first 10000 characters of an event to determine its event type. Use maxlen to override this default. For example, maxlen=300 restricts typer to determining event types from the first 300 characters of events.

Usage

The typer command is a distributable streaming command. See Command types.

Changing the default for maxlen

Users with file system access, such as system administrators, can change the default setting for maxlen.

Splunk Cloud Platform
To change the maxlen default setting, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support.
Splunk Enterprise
To change the maxlen default setting, follow these steps.
Prerequisites
  • Only users with file system access, such as system administrators, can change the maxlen default setting using configuration files.
  • Review the steps in How to edit a configuration file in the Splunk Enterprise Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make changes to the files in the local directory.

Steps
  1. Open or create a local limits.conf file for the Search app at $SPLUNK_HOME/etc/apps/search/local.
  2. Under the [typer] stanza, specify the default for the maxlen setting.

Examples

Example 1:

Returns a field called eventtype which lists the names of the event types associated with the search results.

... | typer

See also

Commands
typelearner
Related information
About event types in the Knowledge Manager Manual
Last modified on 09 November, 2022
typelearner   union

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406, 8.2.2112, 8.2.2202, 9.0.2205, 8.2.2201, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release)


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters