Configure eventtypes.conf

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6


Add your own event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/bundles/default/eventtypes.conf. Any event types you create through Splunk Web will automatically be added to $SPLUNK_HOME/etc/bundles/local/eventtypes.conf.


Configuration

Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/bundles/README/eventtypes.conf.example as an example, or create your own eventtypes.conf. Make any configuration changes to a copy of eventtypes.conf in $SPLUNK_HOME/etc/bundles/local/, or your own custom bundle directory. For more information on configuration files in general, see how configuration files work.


[$EVENTTYPE]

  • Header for the event type
  • $EVENTTYPE is the name of your event type.
    • You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
  • Note: If the name of the event type includes field names surrounded by the percent character (e.g. "%$FIELD%") then the value of $FIELD is substituted into the event type name for that event. For example, an event type with the header [cisco-%code%] that has "code=432" becomes labeled "cisco-432".

disabled = <1 or 0>

  • Toggle event type on or off.
  • Set to 1 to disable.

name = <string>

  • Actual displayed name of the event type.


query = <string>

  • Search query terms for this event type.
  • For example: error OR warn.

tags = <string>

  • Space separated words that are used to tag an event type.

isglobal = <1 or 0>

  • Toggle whether event type is shared.
  • If isglobal is set to 1, everyone can see/use this event type.
  • Defaults to 1.

Example

[web]
query = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi
[fatal]
query = FATAL

Disable event types

Disable specific event types by adding the following stanza to $SPLUNK_HOME/etc/bundles/local/eventtypes.conf:


[$EVENTTYPE]
disabled = 1

$EVENTTYPE is the name of the event type you wish to disable.

So if you want to disable the [web] event type, add the following entry to ../local/eventtypes.conf:


[web]
disabled = 1
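The attribute reference above, the [web]/[fatal] example and the disable procedure, worked through as an added Python example that is not Splunk's own code: it parses a constructed default and local eventtypes.conf, merges them with the local copy taking precedence (an assumption drawn from the instruction to edit copies under local/, not a guarantee this page documents), applies the documented defaults (disabled=0, isglobal=1, name falls back to the stanza header), evaluates only the query forms shown on this page (bare terms ANDed within a clause, clauses joined by OR, and field=value tokens), and substitutes %field% values into the label as the note on [$EVENTTYPE] describes. Field extraction is out of scope, so each constructed event carries a pre-extracted fields dict.

```python
import configparser
import re

# Constructed sample standing in for $SPLUNK_HOME/etc/bundles/default/eventtypes.conf
DEFAULT_CONF = """
[web]
query = html OR http OR https OR css OR htm OR shtml OR xls OR cgi
tags = web access

[fatal]
query = FATAL
tags = error

[cisco-%code%]
query = cisco
"""

# Constructed sample standing in for $SPLUNK_HOME/etc/bundles/local/eventtypes.conf:
# disables [web] exactly as the page shows, and renames/unshares [fatal]
LOCAL_CONF = """
[web]
disabled = 1

[fatal]
name = Fatal error
isglobal = 0
"""

# Defaults taken from the attribute reference; name=None means "use the stanza header"
DEFAULTS = {"disabled": "0", "isglobal": "1", "tags": "", "name": None, "query": ""}


def parse_eventtypes(text):
    """Return {stanza: {attribute: value}} for one eventtypes.conf body."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' literal for %field% headers
    cp.optionxform = str  # keep attribute names exactly as written
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def merge_bundles(default, local):
    """Layer local over default per stanza (assumed precedence), then fill in documented defaults."""
    merged = {}
    for stanza in set(default) | set(local):
        attrs = dict(DEFAULTS)
        attrs.update(default.get(stanza, {}))
        attrs.update(local.get(stanza, {}))
        if attrs["name"] is None:
            attrs["name"] = stanza
        merged[stanza] = attrs
    return merged


def _term_matches(term, event):
    # field=value compares against extracted fields; a bare term is a case-insensitive substring test
    if "=" in term:
        field, _, value = term.partition("=")
        return event.get("fields", {}).get(field) == value
    return term.lower() in event["raw"].lower()


def query_matches(query, event):
    """Simplified evaluator: 'a b OR c' means (a AND b) OR c. Only this subset is supported."""
    clauses = [c for c in re.split(r"\s+OR\s+", query.strip()) if c]
    return any(all(_term_matches(t, event) for t in clause.split()) for clause in clauses)


def expand_label(stanza, event):
    """Replace %field% in the stanza header with that event's field value, as the page describes."""
    fields = event.get("fields", {})
    return re.sub(r"%([^%]+)%", lambda m: fields.get(m.group(1), m.group(0)), stanza)


def classify(event, eventtypes):
    """Return the sorted labels of every enabled event type whose query matches the event."""
    labels = []
    for stanza, attrs in eventtypes.items():
        if attrs["disabled"] == "1":
            continue  # disabled = 1 switches the event type off
        if query_matches(attrs["query"], event):
            labels.append(expand_label(stanza, event))
    return sorted(labels)


# Constructed events; 'fields' is what an upstream field extraction would have produced
EVENTS = [
    {"raw": "GET /index.html 200", "fields": {}},
    {"raw": "FATAL: database unreachable", "fields": {}},
    {"raw": "cisco router: config change code=432", "fields": {"code": "432"}},
]

if __name__ == "__main__":
    default_only = merge_bundles(parse_eventtypes(DEFAULT_CONF), {})
    with_local = merge_bundles(parse_eventtypes(DEFAULT_CONF), parse_eventtypes(LOCAL_CONF))
    for ev in EVENTS:
        print(ev["raw"], "->", classify(ev, default_only), "| with local:", classify(ev, with_local))
```

Running it shows the web hit on the first event disappearing once the local stanza sets disabled = 1, and the third event labelled cisco-432 rather than cisco-%code%, which is the substitution behaviour the note on [$EVENTTYPE] describes.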
Revision: 207