This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Event types allow you to classify events that have common characteristics. All sshd logins can be an event type. All sendmail syslog messages can be another. Editing, tagging and renaming event types is one of the main ways a Splunk server gets smarter over time, because it incorporates the knowledge of its users.
Because the format of an event is often a powerful part of defining an event type, Splunk indexes the punctuation characters of events as an indexed field called "punct." This field, while it looks cryptic at first, is a powerful way of finding similar events quickly.
Start by doing a search for all events in your sampledata index:
index::sampledata
Now, activate the punct:: field by checking it in the fields... menu and selecting Apply.
Image:Event types and punct-Picture 1.png
Filter on each of the first few most common "punct" values.
Image:Event types and punct-Picture 2.png
You'll notice that the events sharing a punct value are strongly similar. This is a fast way of inventorying all of the results of a search with thousands of matches.
Add a filter to your search for the most common punct:: value in your sample data, which should be ``..._-_-_[//:::]_\"_//?=_/.\"__``. Then find access_common events with URLs similar to "/trade/app?action=portfolio":
index::sampledata "punct::..._-_-_[//:::]_\"_//?=_/.\"__" sourcetype::access_common
You'll notice that the events you are looking at now are all clearly web requests to the same application but include a mix of different actions - portfolio, home, logout. (This data sample came from an online stock trading application.)
Add "logout" to your search to find just the logout events.
index::sampledata "punct::..._-_-_[//:::]_\"_//?=_/.\"__" logout
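To show why events sharing a punct value look so alike, here is an added Python example (not Splunk's code) that approximates the punct extraction described above and applies the same "punct value plus keyword" filtering to a few constructed sample events. The 30-character limit and the exact character handling are assumptions about how Splunk builds the field.

```python
from collections import Counter, defaultdict


def punct(event: str, limit: int = 30) -> str:
    """Approximate Splunk's punct field (assumption, not Splunk's code):
    letters and digits are dropped, spaces become "_", and only the first
    line and the first `limit` punctuation characters are kept."""
    first_line = event.split("\n", 1)[0]
    out = []
    for ch in first_line:
        if ch.isalnum():
            continue
        out.append("_" if ch == " " else ch)
        if len(out) == limit:
            break
    return "".join(out)


def group_by_punct(events):
    """Bucket events by punct value, like checking the punct:: field in the fields menu."""
    groups = defaultdict(list)
    for event in events:
        groups[punct(event)].append(event)
    return groups


def most_common_punct(events, n=3):
    """Return the n most frequent punct values with their counts."""
    return Counter(punct(e) for e in events).most_common(n)


def filter_events(events, punct_value, keyword=None):
    """Emulate a search such as: "punct::<value>" logout
    (exact punct match, plus an optional keyword that must appear in the event)."""
    return [e for e in events
            if punct(e) == punct_value and (keyword is None or keyword in e)]


# Constructed sample events: four access_common web requests and two sshd messages.
SAMPLE_EVENTS = [
    '10.0.0.5 - - [01/Jan/2008:12:00:01] "GET /trade/app?action=portfolio HTTP/1.0" 200 1534',
    '10.0.0.7 - - [01/Jan/2008:12:00:03] "GET /trade/app?action=home HTTP/1.0" 200 2210',
    '10.0.0.5 - - [01/Jan/2008:12:05:10] "GET /trade/app?action=logout HTTP/1.0" 200 312',
    '10.0.0.9 - - [01/Jan/2008:12:05:12] "GET /trade/app?action=logout HTTP/1.0" 200 312',
    'Jan  1 12:06:00 host1 sshd[2231]: Accepted password for alice from 10.0.0.5 port 50122 ssh2',
    'Jan  1 12:06:30 host1 sshd[2240]: Failed password for bob from 10.0.0.9 port 50130 ssh2',
]

# The punct value the tutorial searches for (quotes unescaped here).
TRADE_APP_PUNCT = '..._-_-_[//:::]_"_//?=_/."__'

if __name__ == "__main__":
    for value, count in most_common_punct(SAMPLE_EVENTS):
        print(f"{count:3d}  {value}")
    for event in filter_events(SAMPLE_EVENTS, TRADE_APP_PUNCT, "logout"):
        print("logout event:", event)
```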
Now save your search, but this time, instead of choosing "Save search" from the menu, choose "Save as event type."
Image:Event types and punct-Picture 3.png
Call your event type "trade_app_logouts".
(Note: if your event type name contains spaces, the spaces will be replaced with underscores when you save it, and the tags will not be saved. To avoid this behavior, do not include spaces in event type names.)
Image:Event types and punct-Picture 4.png
Now add "event types" to your filters via the fields menu.
Image:Event types and punct-Picture 5.png
Image:Event types and punct-Picture 6.png
You'll see the event type name "trade_app_logouts" appear underneath each event. You can now click on it to search for "eventtype::trade_app_logouts." You can also click on the arrow to the left of the event type tag to look up the event on SplunkBase, search for related events or show the source of the event.
Image:Event types and punct-Picture 7.png
Splunk automatically discovers event types based on seeing a large number of events sharing common characteristics. You can edit, delete, rename and tag event types that Splunk discovers for you. You can also make your own event types by saving any search as an event type. Splunk allows you to change the settings that determine which keywords are considered in event type discovery in its eventdiscoverer.conf configuration file.
You can tag event types that have very different search terms and punctuation patterns with common words, and then find all events whose event types carry a given tag. This is a great way to create higher-level classifications, such as "logouts", that span different logout event types from different applications.
Tagging hosts is useful for knowledge capture and sharing, and for crafting more precise searches. Hosts can be tagged with one or more words describing their function or type, enabling users to easily search for all activity on a group of similar servers. See the section in our Admin manual on Host tagging.