Event types let you classify events that share common characteristics: all sshd logins can be one event type, all sendmail syslog messages another. Editing, tagging and renaming event types is one of the main ways a Splunk server gets smarter over time, by capturing the knowledge of its users.
What is punct::?
Because the format of an event is often the most useful clue to its type, Splunk indexes the punctuation characters of each event as a field called punct. The field looks cryptic at first, but it is a fast way to find events that share a layout.
Find similar events with punct::
Start by doing a search for all events in your sampledata index:
index::sampledata
Now, activate the punct:: field by checking it in the fields... menu and selecting Apply.

Filter on each of the first few most common "punct" values.

You'll notice that events sharing a punct value are strongly similar. This is a fast way of inventorying the results of a search with thousands of matches, and the rarest punct values are just as useful: an event whose punctuation pattern occurs only once or twice in an otherwise uniform source is usually malformed or unusual and worth a closer look.
Add a filter to your search for the most common punct:: value in your sample data, which should be ..._-_-_[//:::]_\"_//?=_/.\"__ (the double quotes around the request line show up backslash-escaped in the punct value). Then narrow to sourcetype access_common, whose events carry URLs like "/trade/app?action=portfolio":
index::sampledata "punct::..._-_-_[//:::]_\"_//?=_/.\"__" sourcetype::access_common
You'll notice that the events you are looking at now are all clearly web requests to the same application but include a mix of different actions - portfolio, home, logout. (This data sample came from an online stock trading application.)
Add "logout" to your search to find just the logout events.
index::sampledata "punct::..._-_-_[//:::]_\"_//?=_/.\"__" logout
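To make the punct mechanism concrete, here is an added illustration (not Splunk's code) of how the field is derived and why a punct filter plus a keyword isolates one kind of event. The derivation rule is inferred from the value quoted above: letters and digits are dropped, spaces become underscores, double quotes are backslash-escaped, only the first line counts, and the pattern is cut to 30 characters (the value on this page is exactly 30 characters long). Treat that rule as an approximation. The log lines are constructed to resemble the sampledata index; the `search` function emulates the filters used in the searches above.

```python
"""How the punct field is derived and why filtering on it plus a keyword
isolates one kind of event.

Added illustration; this is not Splunk's code. The derivation rule is
inferred from the value quoted in this tutorial and is an approximation:
letters and digits are dropped, spaces become underscores, double quotes
are backslash-escaped, only the first line counts, and the pattern is cut
to 30 characters. The log lines are constructed to look like the
tutorial's sampledata index.
"""
from collections import Counter

PUNCT_MAX_LEN = 30  # assumed cut-off; the page's own punct value is exactly 30 characters


def punct(event: str) -> str:
    """Return the punctuation pattern of the first line of an event."""
    first_line = event.split("\n", 1)[0]
    out = []
    for ch in first_line:
        if ch.isalnum():
            continue            # letters and digits carry no layout information
        if ch == " ":
            out.append("_")     # a space is shown as an underscore
        elif ch == '"':
            out.append('\\"')   # a double quote is shown backslash-escaped
        else:
            out.append(ch)      # other punctuation is kept as-is
    return "".join(out)[:PUNCT_MAX_LEN]


# Constructed sample events: (sourcetype, raw event text)
SAMPLE_EVENTS = [
    ("access_common", '10.1.1.5 - - [06/Dec/2007:16:02:11] "GET /trade/app?action=portfolio HTTP/1.0" 200 5123'),
    ("access_common", '10.1.1.7 - - [06/Dec/2007:16:02:15] "GET /trade/app?action=home HTTP/1.0" 200 2210'),
    ("access_common", '10.1.1.5 - - [06/Dec/2007:16:03:40] "GET /trade/app?action=logout HTTP/1.0" 302 0'),
    ("syslog", "Dec  6 16:02:12 web01 sshd[4121]: Accepted publickey for alice from 10.1.1.9 port 50212 ssh2"),
    ("syslog", "Dec  6 16:04:01 web01 sshd[4121]: pam_unix(sshd:session): session closed for user alice"),
]


def punct_counts(events):
    """Tally punct values the way the fields sidebar does, most common first."""
    return Counter(punct(raw) for _, raw in events).most_common()


def search(events, punct_value=None, sourcetype=None, keyword=None):
    """Emulate  index::sampledata "punct::<value>" sourcetype::<st> <keyword>.

    Every filter given must match; the keyword is matched case-insensitively
    against the raw text, as a bare search term is.
    """
    hits = []
    for st, raw in events:
        if punct_value is not None and punct(raw) != punct_value:
            continue
        if sourcetype is not None and st != sourcetype:
            continue
        if keyword is not None and keyword.lower() not in raw.lower():
            continue
        hits.append(raw)
    return hits


if __name__ == "__main__":
    # The three web requests share one punct value; the two sshd lines each get their own.
    for value, n in punct_counts(SAMPLE_EVENTS):
        print(f"{n:3d}  {value}")
    top_value = punct_counts(SAMPLE_EVENTS)[0][0]
    for raw in search(SAMPLE_EVENTS, punct_value=top_value, keyword="logout"):
        print("logout event:", raw)
```

Running it, the three access_common lines collapse to the single value quoted in the tutorial while the two sshd lines, which differ in layout, get distinct values; adding the keyword "logout" to the punct filter leaves exactly the logout request.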
Now save your search, but this time, instead of choosing "Save search" from the menu, choose "Save as event type."

Call your event type "trade_app_logouts".
(Note: if the event type name contains spaces, they are replaced with underscores on save and any tags are not saved. Avoid spaces in event type names.)

Now add "event types" to your filters via the fields menu.


You'll see the event type name "trade_app_logouts" appear underneath each event. You can now click on it to search for eventtype::trade_app_logouts. You can also click on the arrow to the left of the event type tag to look up the event on SplunkBase, search for related events or show the source of the event.

Splunk automatically discovers event types based on seeing a large number of events sharing common characteristics. You can edit, delete, rename and tag event types that Splunk discovers for you. You can also make your own event types by saving any search as an event type. Splunk allows you to change the settings that determine which keywords are considered in event type discovery in its eventdiscoverer.conf configuration file.
Tagging
Event type tagging
You can tag event types that have very different search terms and punctuation patterns with common words, then find all events of any type that carries a given tag. This is a great way to create higher-level classifications such as "logouts" that span the logout event types of different applications.
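The following is an added illustration (not Splunk's code or its configuration format) of the model the two previous paragraphs describe: an event type is a saved search, shown here as a named predicate over sourcetype and raw text, and a tag is a word attached to one or more event type names. A search on a tag expands to every event type carrying it, so one word such as "logouts" covers logouts from the trading application and from sshd alike. The event types, tag words and log lines are constructed for this example.

```python
"""Event types as saved searches, and tags that cut across them.

Added illustration, not Splunk's code or its configuration format. An event
type is modelled as a named search predicate over (sourcetype, raw text); a
tag is a word attached to one or more event type names. The event types,
tags and log lines below are constructed for this example.
"""

# Constructed sample events: (sourcetype, raw event text)
EVENTS = [
    ("access_common", '10.1.1.5 - - [06/Dec/2007:16:03:40] "GET /trade/app?action=logout HTTP/1.0" 302 0'),
    ("access_common", '10.1.1.7 - - [06/Dec/2007:16:02:15] "GET /trade/app?action=home HTTP/1.0" 200 2210'),
    ("syslog", "Dec  6 16:02:12 web01 sshd[4121]: Accepted publickey for alice from 10.1.1.9 port 50212 ssh2"),
    ("syslog", "Dec  6 16:04:01 web01 sshd[4121]: pam_unix(sshd:session): session closed for user alice"),
]

# Event types: name -> the saved search that defines it ("Save as event type").
EVENT_TYPES = {
    "trade_app_logouts": lambda st, raw: st == "access_common" and "action=logout" in raw,
    "sshd_logins": lambda st, raw: st == "syslog" and "sshd[" in raw and "Accepted" in raw,
    "sshd_logouts": lambda st, raw: st == "syslog" and "sshd[" in raw and "session closed" in raw,
}

# Tags: event type name -> tag words. The same word may sit on several event types.
TAGS = {
    "trade_app_logouts": {"logouts", "trade_app"},
    "sshd_logins": {"logins", "ssh"},
    "sshd_logouts": {"logouts", "ssh"},
}


def eventtypes_for(sourcetype, raw):
    """Every event type whose search matches the event (what the fields sidebar shows)."""
    return sorted(name for name, matches in EVENT_TYPES.items() if matches(sourcetype, raw))


def search_eventtype(events, name):
    """Emulate eventtype::<name>."""
    return [raw for st, raw in events if name in eventtypes_for(st, raw)]


def search_tag(events, tag):
    """Find events of any event type tagged with `tag`.

    The tag is first expanded to the set of event types carrying it; an event
    matches if any of its event types is in that set.
    """
    tagged = {name for name, words in TAGS.items() if tag in words}
    return [raw for st, raw in events if tagged.intersection(eventtypes_for(st, raw))]


if __name__ == "__main__":
    for st, raw in EVENTS:
        print(eventtypes_for(st, raw) or "-", "|", raw[:60])
    print("tag logouts ->", len(search_tag(EVENTS, "logouts")), "events")
```

Searching the "logouts" tag returns the trading-application logout and the sshd session close, which share no search terms and no punctuation pattern; the "ssh" tag returns both sshd event types. The home-page request matches no event type and so no tag.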
Host tagging
Tagging hosts is useful for knowledge capture and sharing, and for crafting more precise searches. Hosts can be tagged with one or more words describing their function or type, so users can easily search for all activity on a group of similar servers. See the section on Host tagging in the Admin manual.
Comments
Looks like how to utilize event type tags to search should go here, or a pointer to how to do it.
Posted by deeann on Dec 06 2007, 4:02pm
Missing tagging hosts in the tutorial.
Posted by cfrln on Aug 10 2007, 4:39pm