This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Event Types and Tags

Event Types Explained

Splunk's automatic event typing lets you perform searches that would be impossible with grep, SQL, or shell scripts. By categorizing every event on your network, Splunk lets you find or exclude the same type of results from hundreds of servers with one click.

An event type is a unique pattern in the punctuation, alphanumeric patterns, and certain keywords that make up an event. For example, Splunk would assign these two events the same event type.

Apr 5 17:59:27 login user=joe
Apr 5 17:58:33 login user=sue

Splunk would, however, assign these three events three different event types.

Apr 5 17:59:27 login user=joe
Apr 5 18:08:45 logout user=joe
17:59:27 05 Apr 2007 login user=joe

In short, Splunk attempts to replicate the mental categorization of events most administrators already perform in their heads.
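The following is an added illustration, not Splunk's own event-typing code and not part of the original page. It shows the idea of a pattern-based event type by reducing each event to a shape signature: digit runs collapse to N, punctuation is kept as-is, words are kept as keywords, and a word that follows = is treated as a variable value. The signature scheme and the sample events are constructed assumptions; the samples mirror the ones above, so the two login events share a signature while login, logout, and the re-ordered timestamp line each get their own.

```python
import re
from collections import defaultdict

# Constructed sample events, modelled on the page's own examples.
SAMPLE_EVENTS = [
    "Apr 5 17:59:27 login user=joe",
    "Apr 5 17:58:33 login user=sue",
    "Apr 5 18:08:45 logout user=joe",
    "17:59:27 05 Apr 2007 login user=joe",
]

# One token per run of letters, run of digits, run of whitespace,
# or a single punctuation mark.
TOKEN_RE = re.compile(r"[A-Za-z]+|\d+|\s+|[^A-Za-z0-9\s]")


def event_signature(event: str) -> str:
    """Reduce an event to a shape signature (hypothetical scheme, not Splunk's).

    Digit runs collapse to 'N', whitespace runs to one space, punctuation is
    kept verbatim, and words are kept (lower-cased) as keywords, except that a
    word directly after '=' is a variable value and collapses to 'a'.  Events
    with the same signature belong to the same event type.
    """
    parts = []
    prev = ""  # last non-whitespace token, used to spot key=value positions
    for tok in TOKEN_RE.findall(event):
        if tok.isspace():
            parts.append(" ")
            continue
        if tok.isdigit():
            parts.append("N")
        elif tok.isalpha():
            parts.append("a" if prev == "=" else tok.lower())
        else:
            parts.append(tok)
        prev = tok
    return "".join(parts)


def group_by_event_type(events):
    """Map each distinct signature to the list of events that produced it."""
    groups = defaultdict(list)
    for ev in events:
        groups[event_signature(ev)].append(ev)
    return dict(groups)


if __name__ == "__main__":
    for sig, evs in group_by_event_type(SAMPLE_EVENTS).items():
        print(f"{sig!r}: {len(evs)} event(s)")
```

Running the block prints three signatures: the first covers both login events, and the logout event and the differently formatted timestamp line each stand alone, which is the grouping the examples above describe.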

Splunk doesn't try to assign meaningful event type values such as "imapd_login" because event patterns vary from one customer to another and change from day to day. Instead, it lets users look up event types in Splunk Base and sync tag assignments they deem correct.
