Configure event type templates
Event type templates create event types at search time. If you have Splunk Enterprise, you define event type templates in eventtypes.conf. Edit eventtypes.conf
in $SPLUNK_HOME/etc/system/local/
, or your own custom app directory in $SPLUNK_HOME/etc/apps/
.
For more information on configuration files in general, see "About configuration files" in the Admin manual.
Event type template configuration
Event type templates use a field name surrounded by percent characters to create event types at search time where the %$FIELD%
value is substituted into the name of the event type.
[$NAME-%$FIELD%] $SEARCH_QUERY
So if the search query in the template returns an event where %$FIELD%=bar
, an event type titled $NAME-bar
is created for that event.
Example
[cisco-%code%] search = cisco
If a search on "cisco" returns an event that has code=432
, Splunk Enterprise creates an event type titled "cisco-432".
Configure event types in eventtypes.conf | About transactions |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!