This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
You can add new event types and update existing event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/system/default/eventtypes.conf. Any event types you create through Splunk Web are automatically added to $SPLUNK_HOME/etc/system/local/eventtypes.conf.
Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/system/README/eventtypes.conf.example as an example, or create your own eventtypes.conf.
Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in the Admin manual.
[$EVENTTYPE]
search = <string>
isglobal = <1 or 0>
disabled = <1 or 0>

$EVENTTYPE is the name of your event type. If the event type name contains field names surrounded by the percent character (for example %$FIELD%), then the value of $FIELD is substituted at search time into the event type name for that event. For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled [cisco-432].
Here are two event types; one is called web, and the other is called fatal:

[web]
search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

[fatal]
search = FATAL
Disable an event type by adding disabled = 1 to the event type's stanza in eventtypes.conf:

[$EVENTTYPE]
disabled = 1
$EVENTTYPE is the name of the event type you wish to disable.
So if you want to disable the web event type, add the following entry to its stanza:

[web]
disabled = 1
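The following is an added example, not part of the Splunk documentation or Splunk's own code: a small Python script that reads an eventtypes.conf of the shape described above (stanza headers, search, disabled, and %field% references in stanza names) and labels sample events the way the page describes. The sample configuration and event lines are constructed for this example; the web and fatal stanzas mirror the page's, while cisco-%code% and legacy are added to exercise field substitution and disabled = 1. The search evaluation is a deliberate simplification (case-insensitive whole-word match over "term OR term ..."), which is the only search form the page's examples use, and the handling of a missing referenced field (the label is dropped) is an assumption, since the page does not say what Splunk does in that case.

```python
import re

# Constructed sample eventtypes.conf (not from the Splunk docs): the web and
# fatal stanzas mirror the page's example; cisco-%code% exercises field
# substitution and legacy shows a stanza switched off with disabled = 1.
SAMPLE_CONF = """\
[web]
search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

[fatal]
search = FATAL

[cisco-%code%]
search = cisco

[legacy]
search = OLD
disabled = 1
"""

FIELD_REF = re.compile(r"%(\w+)%")      # %code% inside a stanza name
KV_PAIR = re.compile(r"\b(\w+)=(\S+)")  # code=432 inside event text


def parse_eventtypes(text):
    """Parse eventtypes.conf text into {stanza_name: {key: value}}.

    Handles the subset used on the page: [stanza] headers, key = value
    lines, blank lines and # comments.  Stanza order is preserved.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def extract_fields(event_text):
    """Stand-in for Splunk's automatic key=value field extraction."""
    return {k: v for k, v in KV_PAIR.findall(event_text)}


def search_matches(search, event_text):
    """Evaluate a search of the form 'term OR term OR ...' as a
    case-insensitive whole-word match.  Assumption: this is a simplification
    of Splunk's real search language, enough for the page's examples."""
    for term in search.split(" OR "):
        pattern = r"(?<!\w)" + re.escape(term.strip()) + r"(?!\w)"
        if re.search(pattern, event_text, re.IGNORECASE):
            return True
    return False


def label_event(stanzas, event_text):
    """Return the event type names that apply to one event, in config order.

    Disabled stanzas are skipped; %field% references in a stanza name are
    replaced with the event's field values.  If a referenced field is
    missing from the event the label is dropped (assumption for this
    example, since the page does not say what Splunk does in that case).
    """
    fields = extract_fields(event_text)
    labels = []
    for name, settings in stanzas.items():
        if settings.get("disabled") == "1":
            continue
        if not search_matches(settings.get("search", ""), event_text):
            continue
        missing = [f for f in FIELD_REF.findall(name) if f not in fields]
        if missing:
            continue
        labels.append(FIELD_REF.sub(lambda m: fields[m.group(1)], name))
    return labels


if __name__ == "__main__":
    types = parse_eventtypes(SAMPLE_CONF)
    # Constructed sample events: a web hit, a Cisco event with code=432, and
    # an event that only the disabled legacy stanza would have matched.
    for event in ("GET /index.html 200", "cisco asa code=432 FATAL", "OLD cisco"):
        print(f"{event!r} -> {label_event(types, event)}")
```

Running the script labels the first event web, the second both fatal and cisco-432 (the %code% reference is filled from the event's code=432 field), and the third nothing at all: its only matching stanza, legacy, carries disabled = 1, which is the effect the disable procedure above is meant to have.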