This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6
An event is not the same thing as an event type. An event is a single instance of data — a single log entry, for example. An event type is a classification used to label and group events. For example, if you create event types for all log entries that are SSH logins or all sendmail syslog messages, you can quickly search for just those events.
The names of the matching event types for an event are set on the event, in a multi-valued field called eventtype. You can search for these groups of events (for example, SSH logins) the same way you search for any field value.
This topic discusses how to save event types and use them in searches. For more information about events, how Splunk recognizes them, and what it does when it processes them for indexing, see the "About Events" topic in the Knowledge Manager manual.
Important: You cannot save a search pipeline as an event type; that is, when saving a search as an event type, it cannot include a search command.
When you search your event data, you're essentially weeding out all unwanted events. Therefore, the results of your search are events that share common characteristics, and you can give them a collective name.
Save any search as an event type by selecting the "Save as event type..." option from the search Actions dropdown menu. The Save Event Type window appears.
In the Save Event Type window, give your search a name in the "Event type name" text area. Modify the search string if necessary. You can also define tags for the event type; this is discussed in more detail later. Click "Save" to save the event type.
Now you can quickly search for all the events that match this event type. For example, suppose you save a search for all SSH login events as an event type named sshlogin. A search for all SSH logins on a particular machine that has the hostname alpha might be:
You can also choose to make your searches more explicit and save each variation as an eventtype. For example, if you often search for SSH logins on specific machines, include the hostname in your search string and save event types for each particular hostname. So, if you wanted to see only SSH logins on alpha, your eventtype search might be:
For more information about searching for fields, see the "Start searching" topic in the Search and Investigate chapter of this manual.
Because the punctuation of an event is often unique to a specific type of event, Splunk indexes the punctuation characters of each event in the punct field. The values of this field may look cryptic, but they can be an effective way of characterizing similar events.
To apply the punct field to your search results, use the Fields popup discussed in the "Search interactively with Splunk Web" topic in the Search and Investigate chapter of this manual. Select the punct value for an SSH login event. This updates your search to include this punct combination in the search bar. You may want to consider wildcarding the punctuation to match insignificant variations (for example, "punct=::[]*/*").
Pass any of your searches into the typelearner command to see Splunk's suggestions for event types. By default, typelearner compares the punctuation of the events resulting from the search, grouping together those that have similar punctuation and terms.
You can specify a different field for Splunk to group the events by; typelearner works the same way with any field. The result is a set of events (from your search results) that have this field and phrases in common.
For more information and examples, see "typelearner" in the search command reference.
Event types can have one or more tags associated with them. You can add these tags either while you save a search as an event type or from the event type manager, located in Manager > Event types. From the list of event types in this window, select the one you want to edit.
After you add tags to your event types, you can search for them in the same way you search for any tag. Let's say you saved a search for firewall events as the event type firewall_allowed, and then saved a search for login events as the event type login_successful. If you tagged both of these event types with allow, all events of either of those event types can be retrieved by using the search:
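The mechanics described above (the multi-valued eventtype field set on each event, a tag shared by two event types, and grouping by punct as typelearner does by default) as a small Python model. This is an added example, not part of the Splunk documentation; the sample events are constructed, and the punct approximation and its 30-character limit are assumptions, not Splunk's exact rules.

```python
# Model of how event types, tags and punct attach to events (added example, not Splunk code).
from collections import defaultdict

EVENTS = [  # constructed sample events: two SSH logins and two firewall lines
    {"_raw": "Mar 1 10:00:01 alpha sshd[812]: Accepted password for bob from 10.0.0.5 port 5121 ssh2",
     "host": "alpha", "sourcetype": "syslog"},
    {"_raw": "Mar 1 10:00:07 beta sshd[919]: Accepted publickey for ann from 10.0.0.9 port 5201 ssh2",
     "host": "beta", "sourcetype": "syslog"},
    {"_raw": "Mar 1 10:01:00 fw1 kernel: ALLOW TCP 10.0.0.5:5121 -> 10.0.0.20:22",
     "host": "fw1", "sourcetype": "fw"},
    {"_raw": "Mar 1 10:02:00 fw1 kernel: DENY TCP 10.0.0.7:4411 -> 10.0.0.20:23",
     "host": "fw1", "sourcetype": "fw"},
]

# An event type is a saved search; here each search is a predicate so the model runs offline.
EVENT_TYPES = {
    "sshlogin": lambda e: e["sourcetype"] == "syslog" and "sshd[" in e["_raw"] and "Accepted" in e["_raw"],
    "login_successful": lambda e: "Accepted" in e["_raw"],
    "firewall_allowed": lambda e: e["sourcetype"] == "fw" and " ALLOW " in e["_raw"],
}
# Tags attached to event types; both event types carry the tag "allow" as in the text.
TAGS = {"firewall_allowed": {"allow"}, "login_successful": {"allow"}}

def punct(raw, limit=30):
    """Approximate punct: drop letters and digits, map spaces to '_', keep the rest (assumed rule)."""
    return "".join("_" if c == " " else c for c in raw if not c.isalnum())[:limit]

def classify(event):
    """Return a copy of the event with multi-valued eventtype and tag fields plus punct."""
    types = [name for name, matches in EVENT_TYPES.items() if matches(event)]
    tags = sorted({t for name in types for t in TAGS.get(name, ())})
    return {**event, "eventtype": types, "tag": tags, "punct": punct(event["_raw"])}

def search(field, value, events=EVENTS):
    """Emulate a field=value search; a multi-valued field matches if any of its values equals."""
    hits = []
    for e in (classify(ev) for ev in events):
        v = e.get(field)
        if (value in v) if isinstance(v, list) else (v == value):
            hits.append(e)
    return hits

def suggest_event_types(events=EVENTS):
    """What typelearner does by default: group events whose punct pattern is identical."""
    groups = defaultdict(list)
    for e in events:
        groups[punct(e["_raw"])].append(e["_raw"])
    return dict(groups)
```

Searching tag=allow returns the SSH logins (via login_successful) and the firewall ALLOW line (via firewall_allowed) but not the DENY line, and the two SSH logins fall into one punct group although their usernames and hosts differ.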
For more information about using tags, see the "Tag and alias field values" topic in this chapter.