• About Splunk
  • About Splunk
• Tutorial
  • Introduction to Splunk
    • Requirements
    • Log in
    • Index data
    • Simple searches
    • Click on results
    • Scroll through results
    • Narrow results
    • Follow a relationship
    • Chang the time range
    • Boolean searches
    • Save a search
  • Navigating search results
    • Filter on host, source, and sourcetype (search fields)
    • Showing more fields
    • Filter on extracted fields
    • Related events searching
    • Taking snapshots
    • SplunkWeb (interface) customization
  • Event types and punct::
    • What are event types?
    • What is punct::?
    • Find similar events with punct::
    • Saving event types
    • View and search for event types
    • Automated event type discovery
    • Tagging
  • Alerting
    • Save a search
    • Schedule it
    • Set alerting conditions
    • Set the alerting method
    • Permalink your saved search
    • Manage your saved searches and alerts
  • Reporting
    • Report on a field
    • Build a new report
    • Pick a different chart
    • Add it to your dashboard
  • Using search commands
    • timechart
    • stats
    • top
    • rare
    • where
    • fields
    • sort
    • Subsearches
    • diff
    • set
    • regex
  • Command line interface (CLI)
    • Examples
    • Built-in help
    • Basic commands
  • Sharing
    • Creating, tagging, and sharing eventtypes
    • Saved searches
    • SplunkBase
• Reference
  • Search syntax overview
    • Syntax definition
    • Syntax for subsearches
    • Tuning search performance
  • Search
    • Keywords
    • Wildcards *
    • Searching for "*"
    • "Quotation marks"
    • Punctuation marks
    • Booleans
    • Fields
    • Modifiers
    • Subsearches
  • Search modifiers
    • Conventions used in this reference
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hosttag
    • hoursago
    • index
    • maxresults
    • minutesago
    • monthsago
    • readlevel
    • readlimit
    • related
    • savedsearch
    • searchtimespanminutes
    • searchtimespanhours
    • searchtimespandays
    • searchtimespanmonths
    • startminutesago
    • starthoursago
    • startdaysago
    • startmonthsago
    • timeformat
  • Core search fields
    • host
    • source
    • sourcetype
  • Search fields
    • _raw
    • _serial
    • _time
    • date_hour
    • date_minute
    • date_month
    • date_mday
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • eventtypetag
    • endtime
    • endtimeu
    • linecount
    • punct
    • starttime
    • starttimeu
    • timestamp::none
    • user
  • Search commands
    • Conventions used in the search reference
    • The run command
    • The admin command

Sharing

Splunk provides useful ways to share knowledge and information. You can create new eventtypes, save them, and put them into Splunk bundles. You can create saved searches and schedule alerts. And you can tap into SpunkBase and search for help, share your experiences, or share your bundles with the Splunk community.

Creating, tagging, and sharing eventtypes

Creating an eventtype

1. In the SplunkWeb user interface: create a search to save for the event type that you want to make.
2. Click the down arrow next to the search bar.
3. From the drop-down menu, choose "Save As Event Type".
4. In the name text box, enter a descriptive name for the event type.
5. Apply a tag to your eventtype (see below).
6. Click Save.

To use your saved eventtype, start a search with:

eventtype::

Tagging an eventtype

Tagging is useful when sharing an eventtype. You can assign tags to the new eventtype in the Tags text box before you save your created eventtype.

(You can make changes to the search at any time. Just make sure to run your changes through the search and re-save each time.)

Sharing an eventtype

To share saved eventtypes, you'll have to make a bundle. The Admin Manual will have a more advanced explanation of bundles, and how to make bundles. For now we'll go through a simple explanation on how to create a bundle.

Saved searches

You can save searches like you save eventtypes. Saved searches allow you to create alerts for certain events, or amounts of a certain event based on a threshold value. Alerts tied to to saved searches allow you to trigger events such as a scripts, sending an email, or even trigger an RSS feed.

SplunkBase

Full information on SplunkBase can be found in the Admin Manual. For our purposes as users, the SplunkBase is a helpful community to obtain answers from Splunk professionals, or other Splunk users. SplunkBase is also where you can share your bundles, or obtain useful bundles from other members of the community. Any content available in SplunkBase is findable through searches, as well as through the site's menus.

Looking up events

You can look up any event on SplunkBase. This is a helpful tool for gaining more insight into various events you might not be so familiar with.

From within the Splunk interface, click on the drop-down arrow underneath the timestamp:

You will see an option to Search SplunkBase:

Click this link and you will be redirected to the SplunkBase page associated with that event.

Getting Q & A

A large part of SplunkBase is devoted to Questions & Answers. You can focus the Q&A around your needs by using the Categories list on the left to narrow down to the technology you're interested in. Then, click a Question to see the list of Answers associated with it.

Using the How-to guides

Another large section of SplunkBase is devoted to HOWTOs. HOWTOs are documents that explain how to understand or accomplish something. Just as with Q&As, you can focus onto the technology you're looking for by using the Categories links on the side. Click through a HOWTO's name to see its contents.

Add-ons in SplunkBase

SplunkBase is teeming with bundles you can add to your Splunk installation. From the Add-ons page, you can narrow down the listing either through Categories, or through Types (the types of content within the add-on). Click through a bundle's name to read more about it, see ratings and comments, rate it yourself, view what's inside it by clicking View Contents, or download it by clicking the Download button. Once you have a bundle downloaded, to add it to your Splunk instance, place it into your Splunk server's $SPLUNKHOME/etc/bundles directory and extract the tarball or zip file.