This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Tutorial

Event Types

Event types make it easy to sift through a centralized log index. Splunk automatically assigns an event type value to each event it indexes. This lets you search and sort all events of the same type without needing to pattern-match them all manually.

Event types come in two forms:

  • Local event types have a numeric value preceded by ? to make it clear they have not been looked up at Splunk Base, the global repository of event types created by Splunk users.


  • Global event types have an alphanumeric value like SP-CAAAE8K that shows they've been looked up and matched at Splunk Base. Every Splunk user around the world who encounters an event of this type will be able to refer to it by this label unambiguously when discussing it or sharing data samples with other Splunkers.


Example

SP-CAAADUP is a typical Splunk global event type. It happens to be an Apache error message.

A Splunk administrator who loads Apache error events might see them in Splunk results with local event types (?12, ?13, ?14) until he looks each event up at Splunk Base. He could then download global assignments from Splunk Base. That would change local event types like ?14 to global event type names like SP-CAAAD7Y that match for all Splunk users everywhere.

Splunk Professional Users

Splunk Professional users without Power User or Admin status can view and search event types and look them up at Splunk Base. They can't download global event types to update the local Splunk index, though.
