Configure eventtypes.conf

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4


You can add your own event types to eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/bundles/default/eventtypes.conf. Any event types you create through SplunkWeb will automatically be added to $SPLUNK_HOME/etc/bundles/local/eventtypes.conf.


To keep event typing effective, avoid using hosts, sources, or source types in the query when creating new event types.


Please note: you can also download or upload event types as add-ons from SplunkBase.


Configuration

Edit $SPLUNK_HOME/etc/bundles/local/eventtypes.conf.


<pre>
[<eventtype name>]
query = <search string>
attribute1 = val1
attribute2 = val2
...
</pre>

  • <code>[<eventtype name>]</code> is the name of the event type.
  • You must at least add a <code>query =</code> line for your event type.
    • For example <code>query = html OR http</code>
  • <code>isglobal = <integer></code>
    • If <code>isglobal</code> is set to 1, everyone can see/use this search
    • Possible values: 1 or 0

== Example ==

<pre>
[web]
query = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

[fatal]
query = FATAL
</pre>

== Disable event types ==

You can disable specific event types by deleting their entry in <code>$SPLUNK_HOME/etc/bundles/default/eventtypes.conf</code>. To avoid making changes to the default bundle, which may be overwritten in an upgrade, you can instead add the following key/value pair to the event type's entry in <code>$SPLUNK_HOME/etc/bundles/local/eventtypes.conf</code>:


<code>priority = <integer></code>

  • Add <code>priority = 0</code> to any event type entry to disable that event type.
    • Setting <code>priority = 0</code> in <code>$SPLUNK_HOME/etc/bundles/local/eventtypes.conf</code> for an entry that also exists in <code>../default/eventtypes.conf</code> overrides the default entry without editing the default bundle.

So if you want to disable the <code>[web]</code> event type, add the following entry to <code>../local/eventtypes.conf</code>:


<pre>
[web]
priority = 0
</pre>
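The following is an added example, not code from this page or from Splunk, that ties the stanza format, the <code>[web]</code>/<code>[fatal]</code> example and the <code>priority = 0</code> override together: it parses a constructed default and local <code>eventtypes.conf</code>, layers the local stanzas over the default ones, drops event types disabled with <code>priority = 0</code>, and then classifies a few constructed log lines. The query matcher is an assumption for illustration only: it handles flat keyword queries joined by <code>OR</code> or <code>AND</code>, matched case-insensitively as whole words, and nothing of the rest of Splunk search syntax. The key-by-key merge of local over default stanzas is likewise a modelling assumption.

```python
"""Added example (not Splunk's code): layer local eventtypes.conf over the
default one and classify sample events with the resulting event types.

Assumptions: flat OR/AND keyword queries only; local stanzas override
default stanzas key by key (modelled as a dict merge).
"""
import configparser
import re

# Constructed stand-in for $SPLUNK_HOME/etc/bundles/default/eventtypes.conf
DEFAULT_CONF = """
[web]
query = html OR http OR https OR css OR htm OR shtml OR xls OR cgi
isglobal = 1

[fatal]
query = FATAL
isglobal = 1
"""

# Constructed stand-in for $SPLUNK_HOME/etc/bundles/local/eventtypes.conf:
# adds one event type and disables [web] with priority = 0
LOCAL_CONF = """
[web]
priority = 0

[sshd_failed]
query = sshd AND Failed
isglobal = 0
"""

# Constructed log lines standing in for indexed events
SAMPLE_EVENTS = [
    "GET /index.html HTTP/1.1 200",
    "FATAL: database connection pool exhausted",
    "sshd[4242]: Failed password for invalid user admin from 192.0.2.10",
    "cron[99]: job finished",
]


def parse_conf(text):
    """Return {stanza: {key: value}} for eventtypes.conf-style text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def load_eventtypes(default_text, local_text):
    """Layer local stanzas over default ones and drop disabled event types."""
    merged = parse_conf(default_text)
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    enabled = {}
    for name, attrs in merged.items():
        if attrs.get("priority", "1").strip() == "0":
            continue  # priority = 0 disables the event type
        if "query" not in attrs:
            raise ValueError(f"event type [{name}] has no query")
        enabled[name] = attrs
    return enabled


def query_matches(query, event):
    """Evaluate a flat keyword query (terms joined by OR, or by AND) against one event.
    Mixed OR/AND queries are not supported by this simplified matcher."""
    words = {w.lower() for w in re.findall(r"[A-Za-z0-9_]+", event)}
    if " OR " in query:
        return any(t.strip().lower() in words for t in query.split(" OR "))
    return all(t.strip().lower() in words for t in query.split(" AND "))


def classify(events, eventtypes):
    """Return {event: [matching event type names]}: what the event's eventtype field would hold."""
    return {
        event: sorted(name for name, attrs in eventtypes.items()
                      if query_matches(attrs["query"], event))
        for event in events
    }


if __name__ == "__main__":
    types = load_eventtypes(DEFAULT_CONF, LOCAL_CONF)
    print("enabled event types:", sorted(types))
    for event, names in classify(SAMPLE_EVENTS, types).items():
        print(f"{', '.join(names) or '-':>12}  {event}")
```

With the local override in place, the <code>index.html</code> request no longer matches anything because <code>[web]</code> is disabled, while <code>[fatal]</code> from the default bundle and <code>[sshd_failed]</code> from the local bundle still apply; loading the default file alone brings <code>[web]</code> back.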

