This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
Event types are a categorization system to help you make sense of your data. They are one of the most powerful ways in which Splunk creates order out of IT chaos. Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports. Event types are a default search field that is indexed with events. You can also tag and save event types after indexing.
Events are a single record of activity within a log file. An event typically includes a timestamp and provides information about what occurred on the system being monitored or logged.
Event types are a user-defined search field that categorizes events to simplify searching. Event types classify events that have common characteristics. You can tag or save event types after indexing your data.
By default, Splunk auto-discovers event types in your data. There are several ways to create additional event types. You can define event types or increase the level of auto-discovery through configuration files, or you can save any search as an event type. When saving a search as an event type, you may want to use the punct field to craft your searches. The punct field helps you narrow down searches based on the structure of the event.
Because the format of an event is often a powerful part of defining an event type, Splunk indexes the punctuation characters of events as a search field called punct. This field may seem cryptic at first. However, it is a powerful way of finding similar events quickly.
When Splunk classifies an event, it looks at the first 30 punctuation characters in the first line of the event. Event punctuation is stored in the punct field and is used for event type discovery.
When you use the punct field, keep in mind:
Also see the Splunk Tutorial section about punct for a quick introduction.
This event:
####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> <asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> <BEA-000360> <Server started in RUNNING mode>
Produces this punctuation:
####<_,__::__>_<>_<>_<>_<>_<>_
This event:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
Produces this punctuation:
..._-_-_[//:::_-]_\"_//?=_/.\"__
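As an added example (not code from the Splunk documentation or from the product itself), the following Python reimplements the punct rule described above and reproduces the signatures of both events on this page. It then groups a few constructed access-log lines by signature, which is the same structural grouping that event type discovery relies on and a quick way to surface malformed or foreign lines that have crept into a source. The mapping of a space to an underscore is inferred from the two examples; the handling of tabs, and the quote escaping in punct_search_term (Splunk's `\"` inside a double-quoted search string, which is also why the second signature above is shown with `\"`), are assumptions, and the sample log lines are constructed.

```python
# Added example (not Splunk code): a reimplementation of the punct field as the
# page describes it, used to group sample log lines by structure. The two
# reference events are the ones quoted on the page; the sample log is constructed.
from collections import Counter

PUNCT_MAX_CHARS = 30  # the page: Splunk looks at the first 30 punctuation characters


def punct(event: str) -> str:
    """Return the punctuation signature of an event.

    Following the page: only the first line is examined, alphanumeric
    characters are dropped, every other character is kept in order, and the
    result is cut at 30 characters. Mapping a space to "_" is inferred from the
    page's two examples; the page does not describe other whitespace (tabs),
    so here it is kept as-is (assumption).
    """
    lines = event.splitlines()
    first_line = lines[0] if lines else ""
    signature = []
    for ch in first_line:
        if ch.isalnum():
            continue
        signature.append("_" if ch == " " else ch)
        if len(signature) == PUNCT_MAX_CHARS:
            break
    return "".join(signature)


def punct_search_term(event: str) -> str:
    r"""Build a search term matching events that share this event's signature.

    Assumes Splunk's double-quoted string syntax, in which a literal backslash
    is written as \\ and a literal double quote as \" (assumption; this is the
    escaping the page's second example shows).
    """
    escaped = punct(event).replace("\\", "\\\\").replace('"', '\\"')
    return f'punct="{escaped}"'


def group_by_punct(events):
    """Bucket events by signature: {punct: [event, ...]}."""
    groups = {}
    for ev in events:
        groups.setdefault(punct(ev), []).append(ev)
    return groups


def rare_punct(events, max_count: int = 1):
    """Signatures seen at most max_count times: candidates for a closer look."""
    counts = Counter(punct(ev) for ev in events)
    return sorted(sig for sig, n in counts.items() if n <= max_count)


# The two events quoted on the page.
WEBLOGIC_EVENT = ("####<Jun 3, 2005 5:38:22 PM MDT> <Notice> <WebLogicServer> <bea03> "
                  "<asiAdminServer> <WrapperStartStopAppMain> <>WLS Kernel<> <> "
                  "<BEA-000360> <Server started in RUNNING mode>")
APACHE_EVENT = ('172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] '
                '"GET /trade/app?action=logout HTTP/1.1" 200 2953')

# Constructed sample: three well-formed access-log lines plus one stray line
# that a different writer dropped into the same file.
SAMPLE_ACCESS_LOG = [
    '10.1.2.3 - - [02/Jul/2005:08:15:01 -0700] "GET /index.html HTTP/1.1" 200 512',
    '10.1.2.4 - - [02/Jul/2005:08:15:02 -0700] "GET /about.html HTTP/1.1" 200 734',
    '10.1.2.5 - - [02/Jul/2005:08:15:03 -0700] "POST /login.php HTTP/1.1" 302 0',
    'ERROR: log writer restarted unexpectedly',
]

if __name__ == "__main__":
    print(punct(WEBLOGIC_EVENT))
    print(punct(APACHE_EVENT))
    print(punct_search_term(APACHE_EVENT))
    for sig, evs in group_by_punct(SAMPLE_ACCESS_LOG).items():
        print(f"{len(evs)} event(s) with punct {sig!r}")
    print("rare shapes:", rare_punct(SAMPLE_ACCESS_LOG))
```

Because the signature keeps the request path's punctuation, a GET for /index.html and a POST for /login.php land in the same bucket while the stray ERROR line stands out on its own; when a source that should be uniform starts producing several signatures, that is worth a look before saving a punct-based search as an event type.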
Splunk automatically finds and labels event types as data enters the index. Events are classified into event types based on data patterns such as punctuation and key/value pairs. By default, event type auto-discovery is tuned low. You can turn up discovery by configuring eventdiscoverer.conf.
Learn more about configuring auto-discovery.
The simplest way to create a new event type is through SplunkWeb. You can save an event type in much the same way you save a search.
Learn more about saving event types.
You can also create a new event type by modifying eventtypes.conf. Learn more about creating new event types.
You can also tag event types to organize your data into categories. There can be multiple tags per event.
Learn more about tagging event types.
Event types are stored in eventtypes.conf.
Event type discovery is controlled by eventdiscoverer.conf.