Configure event types in eventtypes.conf
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. The Splunk software adds any event types you create through Splunk Web to $SPLUNK_HOME/etc/users/<your-username>/<app>/local/eventtypes.conf, where <app> is your current app context.
Important event type definition restrictions
You cannot base an event type on a search that:
- Includes a pipe operator after a simple search.
- Includes a subsearch.
- Is defined by a simple search that uses the savedsearch command to reference a report name. For example, if you have a report named failed_login_search, you should not use this search to define the event type: | savedsearch failed_login_search. In this case you should instead use the search string that defines failed_login_search as the definition of the event type.
This last point is more of a best practice than a strict limitation. You want to avoid situations where the search string underneath failed_login_search is modified by another user at a future date, possibly in a way that breaks the event type. You have more control over the ongoing validity of the event type if you use actual search strings in its definition.
Configure event types
When you run a search, you can save that search as an event type. Event types usually represent searches that return a specific type of event, or that return a useful variety of events.
Prerequisites
Review
- About event types for more information on event types.
- About event type priorities for information on event type priorities.
- Event type syntax for information on the syntax for event type configuration.
Steps
- Make changes to event types in eventtypes.conf in $SPLUNK_HOME/etc/system/local/ or your own custom app directory in $SPLUNK_HOME/etc/apps/. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf.
- (Optional) Configure a search term for this event type.
- (Optional) Enter a human-readable description of the event type.
- (Optional) Give the event type a priority.
- (Optional) Give the event type a color.
Event type syntax
Use the following format when you define an event type in eventtypes.conf.
[$EVENTTYPE]
disabled = <1|0>
search = <string>
description = <string>
priority = <integer>
color = <string>
The $EVENTTYPE is the header and the name of your event type. You can have any number of event types, each represented by a stanza and any number of the following attribute-value pairs.
Note: If the name of the event type includes field names surrounded by the percent character (for example, %$FIELD%) then the value of $FIELD is substituted at search time into the event type name for that event. For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled [cisco-432].
Attribute | Description
---|---
disabled | Toggle event type on or off. Set to 1 to disable the event type.
search | Search terms for this event type. For example, error OR warn.
description | Optional human-readable description of the event type.
priority | Specifies the order in which matching event types are displayed for an event. 1 is the highest, and 10 is the lowest.
color | Color for this event type. The supported colors are: none, et_blue, et_green, et_magenta, et_orange, et_purple, et_red, et_sky, et_teal, et_yellow.
Note: You can tag eventtype field values the same way you tag any other field-value combination. See the tags.conf spec file for more information.
Example
Here are two event types; one is called web, and the other is called fatal.
[web]
search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi
[fatal]
search = FATAL
Disable event types
Disable an event type by adding disabled = 1 to the event type stanza in eventtypes.conf:
[$EVENTTYPE]
disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the web event type, add the following entry to its stanza:
[web]
disabled = 1
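The stanza syntax, the search restrictions, the %field% substitution and the disabled attribute described above, as an added example that is not part of the Splunk documentation: a small Python checker that parses a constructed eventtypes.conf, flags stanzas that break the rules listed on this page (pipe operator, subsearch, savedsearch reference, priority outside 1 to 10, unsupported color) and expands a %field% stanza name for one event. The sample configuration, the rule wording, the defaults assumed for unset attributes and the unknown-field behaviour of expand_name are assumptions for this example, not Splunk's own behaviour.

```python
import re
# Supported colors (from the table above) and this page's rules as (attribute, bad-value predicate, problem).
COLORS = {"none", "et_blue", "et_green", "et_magenta", "et_orange",
          "et_purple", "et_red", "et_sky", "et_teal", "et_yellow"}
RULES = [
    ("search", lambda s: re.search(r"\|\s*savedsearch\b", s), "uses savedsearch to reference a report"),
    ("search", lambda s: "|" in s, "contains a pipe operator"),
    ("search", lambda s: "[" in s, "contains a subsearch"),
    ("priority", lambda p: not (p.isdigit() and 1 <= int(p) <= 10), "priority must be 1 to 10"),
    ("color", lambda c: c not in COLORS, "unsupported color"),
]
DEFAULTS = {"search": "", "priority": "1", "color": "none"}  # assumed when an attribute is unset

# Constructed sample eventtypes.conf content; not taken from a real deployment.
SAMPLE_CONF = """\
[web]
search = html OR http OR https OR css OR htm OR shtml OR xls OR cgi
[fatal]
search = FATAL
disabled = 1
[cisco-%code%]
search = sourcetype=cisco:asa
priority = 11
color = blue
[bad_saved]
search = | savedsearch failed_login_search
"""

def parse_eventtypes(text):
    """Parse eventtypes.conf text into {stanza name: {attribute: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # the stanza header is the event type name
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def validate(stanzas):
    """Return {stanza: [problems]}; an empty list means the stanza follows this page's rules."""
    return {name: [why for attr, bad, why in RULES if bad(attrs.get(attr, DEFAULTS[attr]))]
            for name, attrs in stanzas.items()}

def expand_name(name, fields):
    """Substitute %field% with the event's value (assumption: unknown fields stay as-is)."""
    return re.sub(r"%(\w+)%", lambda m: str(fields.get(m.group(1), m.group(0))), name)
```

Running validate over the parsed sample leaves the web and fatal stanzas clean and reports the cisco-%code% and bad_saved stanzas, which is the check worth running before a restart picks up an edited eventtypes.conf.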
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408