Splunk.com | SplunkBase | Support

Documentation: 3.2

| Print Version Contents

How Splunk Works
- Overview of Splunk
Getting Started
- About the getting started section
- Start Splunk
- Administration basics
- Change defaults
- Find and index data
- Add more users
  - Splunk local users
- Start searching
Data Inputs
- How input configuration works
- Configure inputs via Splunk Web
  - Configuration
- Configure inputs via the CLI
  - Data input commands
  - Data input types
- Configure inputs via inputs.conf
- Configure inputs for Windows
- Scripted inputs
  - Configuration
  - Example
- Configure whitelist and blacklist rules
- Log file rotation
  - How log rotation works
- Strip syslog headers before processing
  - Configuration
  - Example
- Determine what files Splunk is tailing
  - Run listtails
- Index SNMP events with Splunk
- log4j
Data Distribution
- How data distribution works
- Enable forwarding and receiving
- Configure outputs.conf
  - Configuration
  - Example
- Set up routing
  - Configuration
  - Examples
- Filtering and routing
  - Configuration
  - Example
- Route specific events to an alternate index
  - Configuration
  - Example
- Set up SSL
  - Forwarder
  - Receiver
- Enable cloning
- Set up data balancing
  - Configuration
  - Example
- Route data to third-party systems
  - Configuration
  - Example
Indexing
- How indexing works
  - How events work
  - How segmentation works
- Configure event boundaries
  - Configuration
  - Examples
- Configure segmentation
- Enable custom segmentation
  - Configuration
  - Example
- Mask sensitive data in an event
  - Configuration
- Character set
  - Character set specification
- Dynamic metadata assignment
  - Configuration
  - Set values with a script
Timestamps
- How timestamp extraction works
  - Precedence rules for timestamp assignment
  - Configure timestamps
- Configure timestamp extraction in props.conf
- How to configure timezone offsets
- Tune Timestamping
  - Turn off timestamp lookahead
- Train Splunk to recognize timestamps
  - About training
  - via the CLI
Fields
- How fields work
- Create indexed fields via configuration files
  - Configuration
  - Example
- Create extracted fields via configuration files
- Create extracted fields via Splunk Web
  - Configuration
- Field actions
  - Configuration
- Configure fields.conf
  - Configuration
- Configure multi-value fields
  - Configure multi-value fields in fields.conf
  - Example
Hosts
- How host works
- Set default host for a Splunk server
  - via Splunk Web
  - via configuration files
- Define host assignment for an input
  - Statically
  - Dynamically
- Tag hosts
  - via Splunk Web
  - Host tags vs host names
- Extract host per event
  - Configuration
  - Example
Source Types
- How source types work
- Set source type for an input
- Set source type for a source
  - via configuration files
- Train Splunk on a source type
  - via the CLI
- Create an alias for a source type
  - via Splunk Web
- Rule-based association of sourcetypes
  - Configuration
  - Examples
- Source type settings in props.conf
Event Types
- How event types work
- Save event types via Splunk Web
  - Configuration
- Configure eventtypes.conf
- Tag event types
  - Configuration
- Event type discovery
  - Configure event types
- Event type templates
  - Configuration
  - Example
- Dynamic event rendering
Search
- How search works
- Set up saved searches
  - via Splunk Web
- Set up saved searches via savedsearches.conf
  - Configuration
  - Example
- Set up alerts via Splunk Web
  - Set up an alert
  - Specify which fields to show
- Set up alerts via savedsearches.conf
- Customize alert options
  - Email options
  - Additional alert customizations
- Form searches
- Macro searches
  - Configure a macro search
- Transaction search
  - Transactions and macro search
- Live Tail
- Send syslog events
  - Configuration
  - Example
- Send SNMP traps
  - Configuration
Distributed Search
- How distributed search works
  - Known issues with distributed search
- Enable distributed search via Splunk Web
- Enable distributed search via the CLI
  - Configuration
- Users in a distributed search setup
- Exclude specific Splunk servers from distributed searches
Security
- Security options
  - Authentication
  - Audit
- Enable HTTPS
  - Configuration
  - Certs
- SSL
  - Configuration
- Configure roles
  - Configuration
  - Example
- Set up LDAP
- Scripted authentication
  - Commands
  - Example
- File system change monitor
  - How the file system change monitor works
  - Configure the file system change monitor
- Audit events
- Audit event signing
  - How audit event signing works
  - Configure audit event signing
- Event hashing
- IT data signing
- Archive signing
Data Management
- How index management works
  - Data management
  - Configuration files for index management
- Add or remove an index
  - Create an index
  - Delete an index
- Remove (delete) data
- Move an index
  - Configuration
- Set retirement policy
  - Remove files beyond a certain size
  - Remove files beyond a certain age
- Automate archiving
  - Use Splunk's index aging policy to archive
- Restore archived data
  - Restore with resurrect
  - Restore a copied index archive
- Export event data
  - via the CLI
  - via Splunk Web
- Disk usage
  - Set minimum free disk space
  - Set database size
- Use separate partitions for Splunk's datastore
  - Set up separate partitions
- Use WORM (Write Once Read Many) volumes for Splunk's datastore
  - Set up a WORM datastore
Deployment Server
- How the deployment server works
  - Communication between deployment server and client
  - Configuration files for deployment server
- Configure a Splunk Deployment Server
  - Configuration
  - Example
- Configure server classes
  - Configuration
  - Example
- Configure deployment clients
- Sync the server and client
  - Configuration changes
Performance Tuning
- Performance tuning Splunk
- Indexing performance
- Search performance
- Cache report results
- Storage efficiency
- CPU and memory footprint
  - Improve CPU usage
  - Improve memory usage
- Multi-CPU servers
  - indexes.conf
- 64-bit operating systems
  - indexes.conf
- Splunk backup options
  - Back up configurations
  - Back up your entire installation
Configuration Files
- How do configuration files work?
  - Configuration file directory structure
  - Configuration file precedence
- Configure bundle directories
  - Make a bundle directory
  - Bundle best practice
- Configuration file list
Applications
- How applications work
- Install Splunk applications
Reference
- Splunk Command Line Interface (CLI)
  - CLI commands
  - auth and uri parameters
  - Note for Mac users
- Splunk logfiles
  - Internal logs
  - debug
  - log.cfg
- Pre-trained source types
  - Automatically recognized source types
  - Pre-trained source types
- alert_actions.conf
  - alert_actions.conf.spec
  - alert_actions.conf.example
- audit.conf
  - audit.conf.spec
  - audit.conf.example
- authentication.conf
  - authentication.conf.spec
  - authentication.conf.example
- authorize.conf
  - authorize.conf.spec
  - authorize.conf.example
- decorations.conf
  - decorations.conf.spec
  - decorations.conf.example
- deployment.conf
  - deployment.conf.spec
  - deployment.conf.example
- distsearch.conf
  - distsearch.conf.spec
  - distsearch.conf.example
- eventdiscoverer.conf
  - eventdiscoverer.conf.spec
  - eventdiscoverer.conf.example
- eventtypes.conf
  - eventtypes.conf.spec
  - eventtypes.conf.example
- fields.conf
  - fields.conf.spec
  - fields.conf.example
- field_actions.conf
  - field_actions.conf.spec
  - field_actions.conf.example
- indexes.conf
  - indexes.conf.spec
  - indexes.conf.example
- inputs.conf
  - inputs.conf.spec
  - inputs.conf.example
- literals.conf
  - literals.conf.spec
  - literals.conf.spec
- multikv.conf
  - multikv.conf.spec
  - Example
- outputs.conf
  - outputs.conf.spec
  - outputs.conf.example
- prefs.conf
  - prefs.conf.spec
  - prefs.conf.example
  - prefs.conf.example
- props.conf
  - props.conf.spec
- props.conf (cont)
  - props.conf.spec, continued
  - props.conf.example
- restmap.conf
  - restmap.conf.spec
  - restmap.conf.spec
- savedsearches.conf
  - savedsearches.conf.spec
  - savedsearches.conf.example
- segmenters.conf
  - segmenters.conf.spec
  - segmenters.conf.example
- server.conf
  - server.conf.spec
  - server.conf.example
- source-classifier.conf
  - Configuration
  - Example
- sourcetypes.conf
  - Configuration
  - Example
- streams.conf
  - streams.conf.example
- transactiontypes.conf
  - transactiontypes.conf.spec
  - transactiontypes.conf.example
- transforms.conf
  - transforms.conf.spec
  - transforms.conf.example
- user-seed.conf
  - user-seed.conf.spec
  - user-seed.conf.example
- web.conf
  - web.conf.spec
  - web.conf.example
Troubleshooting
- Contact Support
- Splunkd is down
  - Splunkd may need a few more seconds to come up
  - Your license file contains line-breaks or other hidden characters
- License issues
- Anonymize data samples
  - Simple method
  - Advanced method
- Unable to get a properly formatted response from the server
- Command line tools
  - btool
  - classify
  - exporttool
  - gzdumper
  - listtails
  - locktest
  - locktool
  - parsetest
  - pcregextest
  - regextest
  - searchtest
  - signtool
  - tsidxprobe

This page last updated: 05/20/08 11:05am

Configure eventtypes.conf

Add your own event types by configuring eventtypes.conf. There are a few default event types defined in $SPLUNK_HOME/etc/bundles/default/eventtypes.conf. Any event types you create through Splunk Web will automatically be added to $SPLUNK_HOME/etc/bundles/local/eventtypes.conf.

Configuration

Make changes to event types in eventtypes.conf. Use $SPLUNK_HOME/etc/bundles/README/eventtypes.conf.example as an example, or create your own eventtypes.conf. Make any configuration changes to a copy of eventtypes.conf in $SPLUNK_HOME/etc/bundles/local/, or your own custom bundle directory. For more information on configuration files in general, see how configuration files work.

[$EVENTTYPE]

Header for the event type
$EVENTTYPE is the name of your event type.
- You can have any number of event types, each represented by a stanza and any number of the following attribute/value pairs.
Note: If the name of the event type includes field names surrounded by the percent character (e.g. "%$FIELD%") then the value of $FIELD is substituted into the event type name for that event. For example, an event type with the header [cisco-%code%] that has "code=432" becomes labeled "cisco-432".

disabled = <1 or 0>

Toggle event type on or off.
Set to 1 to disable.

name = <string>

Actual displayed name of the event type.

query = <string>

Search query terms for this event type.
For example: error OR warn.

tags = <string>

Space separated words that are used to tag an event type.

isglobal = <1 or 0>

Toggle whether event type is shared.
If isglobal is set to 1, everyone can see/use this event type.
Defaults to 1.

Example

[web]
query = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

[fatal]
query = FATAL

Disable event types

Disable specific event types by adding the following tag to $SPLUNK_HOME/etc/bundles/local/eventtypes.conf:

[$EVENTTYPE]
disabled = 1

$EVENTTYPE is the name of the event type you wish to disable.

So if you want to disable the [web] event type, add the following entry to ../local/eventtypes.conf:

[web]
disabled = 1

Previous: Save event types via Splunk Web | Next: Tag event types

Comments

No comments have been submitted.

Log in to comment.