Topics

| pdf version

About the Splunk Admin Manual

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Transaction Types

Search

Distributed Search

Alerts

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Event type templates

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Event type templates

Create an event type based on a field via eventtypes.conf. Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

For example: 

[$NAME %$FIELD%]
$SEARCH_QUERY

Event type templates works a lot like macro searches: %$FIELD% gets filled in at search time with field=foo or field=bar, etc -- whatever the search query yields for that event type's field.


Configuration

When setting the name in eventtypes.conf, follow these specifications:

[$EVENTTYPE]

  • Header for the event type
  • $EVENTTYPE is the name of your event type.
  • You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
    • NOTE: If the name of the event type includes field names surrounded by the percent character (e.g. "%$FIELD%") then the value of $FIELD is substituted into the event type name for that event.


Example 

[cisco-%code%]
cisco

If "code=432", this event type becomes "cisco-432".

Retrieved from "http://www.splunk.com/base/Documentation/3.4.11/Admin/EventTypeTemplates"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.