Splunk manual study notes: Knowledge Manager Manual, part 3

2.9. Event types

About event types
Event types let you sift through huge amounts of data, find similar patterns, and create alerts and reports
How event types work
A single event can match multiple event types. When an event matches two or more event types, eventtype acts as a multi-value field

sourcetype=access_combined status=200 action=purchase

If you save that search as an event type named successful_purchase, any event that can be returned by that search gets eventtype=successful_purchase added to it at search time

Important event type definition restrictions
You cannot base an event type on a search that:

  • Includes a pipe operator after a simple search.
  • Includes a subsearch.
  • Is defined by a simple search that uses the savedsearch command to reference a report name

Tip: You want to avoid situations where the search string underneath failed_login_search is modified by another user at a future date, possibly in a way that breaks the event type.
If you want to use event types as a way to short cut your search, use a search macro.

Creating event types
The simplest way to create a new event type is through Splunk Web
After you run a search that would make a good event type, click Save As and select Event Type. This opens the Save as Event Type dialog
where you can provide the event type name and optionally apply tags to it
You can also create new event types by modifying eventtypes.conf

Event type tags
Event types can have one or more tags associated with them
Tag event types to organize your data into categories. There can be multiple tags per event. You can tag an event type in Splunk Web or configure it in tags.conf

tag::eventtype=HTTP client error

Event type tags are commonly used in the Common Information Model (CIM) add-on for the Splunk platform in order to normalize newly indexed data from an unfamiliar source type

Define event types in Splunk Web
A single event can match multiple event types. When an event matches two or more event types, eventtype acts as a multivalue field.
Save a search you ran as an event type
Event types usually represent searches that return a specific type of event, or that return a useful variety of events
When you create an event type, the event type definition is added to eventtypes.conf in $SPLUNK_HOME/etc/users/<your-username>/<app>/local/, where <app> is your current app context. If you change the permissions on the event type to make it available to all users (either in the app, or globally to all apps), the Splunk platform moves the event type to $SPLUNK_HOME/etc/apps/<App>/local/.
Priority affects the display of events that match two or more event types. 1 is the best Priority and 10 is the worst

Event Types page in Settings

About event type priorities
In this example, the critical_disk_error event type has a priority of 3 while the all_system_errors event type has a priority of 7. 3 is a better priority value than 7, so critical_disk_error appears first in the list order

Priority determines which event type color displays for an event
Only one event type color can be displayed for each event.
For event types grouped with the transaction command, no color is displayed

Automatically find and build event types
Use the findtypes command to find event types in your search data

...| findtypes

By default, findtypes returns the top 10 potential event types found in the sample.
findtypes max=30 returns the top 30 potential event types in an event sample:

...| findtypes max=30

To return these results, the findtypes command analyzes up to 5000 events

Use the Build Event Type utility to create event types

Configure event types in eventtypes.conf
Any event types you create through Splunk Web are automatically added to $SPLUNK_HOME/etc/system/local/eventtypes.conf
Important event type definition restrictions
Configure event types
Event type syntax

[<$EVENTTYPE>]
disabled = <1|0>
search = <string>
description = <string>
priority = <integer>
color = <string>

If the name of the event type includes field names surrounded by the percent character, the field value replaces the field name in the event type name.
For example, an event type with the header [cisco-%code%] that has code=432 becomes labeled [cisco-432]


[web]
search = html OR http OR https OR css OR htm OR html OR shtml OR xls OR cgi

search = FATAL
disabled = 1

If you want to disable the web event type:

[web]
disabled = 1
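As an added example (not from the manual or these notes), the following Python model ties together the points above: it parses constructed eventtypes.conf and tags.conf stanzas, adds the multivalue eventtype field in priority order (1 best, 10 worst) with the single display color taken from the best-priority match, attaches tag::eventtype values, skips disabled stanzas, and checks a search against the pipe/subsearch/savedsearch restrictions. The stanza names, tags, events and the AND-only field=value matcher are assumptions made for illustration.

```python
import configparser
# Constructed sample configs (not from the page); only AND-ed field=value searches
EVENTTYPES_CONF = """
[successful_purchase]
search = sourcetype=access_combined status=200 action=purchase
priority = 3
color = green
[web_traffic]
search = sourcetype=access_combined
priority = 7
color = blue
[fatal]
search = level=FATAL
disabled = 1
"""
TAGS_CONF = """
[eventtype=successful_purchase]
purchase = enabled
[eventtype=web_traffic]
web = enabled
"""
def parse_conf(text):
    # Splunk .conf files are INI-style stanzas, so configparser is enough here
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def search_allowed(search):
    # False for the search shapes the manual says cannot back an event type
    return not ("|" in search or "[" in search or "savedsearch" in search)

def matches(search, event):
    # True when every field=value token of the search equals the event's field
    return all(event.get(k) == v for k, v in (t.split("=", 1) for t in search.split()))

def apply_eventtypes(event, eventtypes, tags):
    # Adds eventtype (multivalue, best priority first), color and tag::eventtype
    hits = []
    for name, st in eventtypes.items():
        if st.get("disabled") == "1" or not search_allowed(st["search"]):
            continue  # disabled stanzas and disallowed searches never match
        if matches(st["search"], event):
            hits.append((int(st.get("priority", 1)), name, st.get("color", "")))
    hits.sort()  # priority 1 is best and 10 is worst, so the lowest number leads
    out = dict(event)
    out["eventtype"] = [name for _, name, _ in hits]
    out["color"] = hits[0][2] if hits else ""  # only one color shows per event
    out["tag::eventtype"] = sorted({t for n in out["eventtype"] for t, v in
                                    tags.get("eventtype=" + n, {}).items() if v == "enabled"})
    return out
```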

Configure event type templates
Create field aliases in Splunk Web
A field can have multiple aliases, but a single alias can only apply to one field
An alias does not replace or remove the original field name
Preserve existing field values
Overwrite field values is not selected by default.

Where field aliases fit in the search-time sequence of operations
When you run a search, Splunk software runs several operations to derive various knowledge objects and apply them to the events returned by the search

This means that you can create aliases for fields that are extracted at index time or search time, but you cannot create aliases for calculated fields, event types, tags, or fields that are added to your events by a lookup

Create a field alias with Splunk Web

  • Select an app to use the alias
  • Enter a name for the alias. Currently supported characters for alias names are a-z, A-Z, 0-9, or _
  • Select the host, source, or sourcetype to apply to a default field.
  • Enter the name for the existing field and the new alias. The existing field should be on the left side, and the new alias should be on the right side

Tip: Select Overwrite field values if you want your field alias to remove the alias field name when the original field does not exist or has no value, or replace the alias field name with the original field name when the alias field name already exists

If you must associate a single alias field name with multiple original field names
You should not design field alias configurations that apply a single alias field name to multiple original field names. If you must do this, set the field alias up as a calculated field that uses the coalesce function to create a new field that takes the value of one or more existing fields
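As an added example (not from the manual or these notes), the small Python model below applies the alias rules described above to constructed events: the default preserve behaviour, the Overwrite field values behaviour, and the coalesce-style calculated field recommended when one alias name would otherwise need several original fields. The field names src_ip, client_ip and src are invented for illustration.

```python
# Added example (not from the page): alias and coalesce rules applied to constructed
# events. Field names are invented; "empty" means missing, None or the empty string.
EMPTY = (None, "")

def apply_alias(event, original, alias, overwrite=False):
    # One original field maps to one alias name; the original is never renamed or removed
    out = dict(event)
    original_present = out.get(original) not in EMPTY
    if overwrite:
        # Overwrite field values: the alias mirrors the original, or is removed without it
        if original_present:
            out[alias] = out[original]
        else:
            out.pop(alias, None)
    elif original_present and out.get(alias) in EMPTY:
        # Default (preserve existing values): only fill an alias that has no value of its own
        out[alias] = out[original]
    return out

def coalesce_field(event, new_field, *originals):
    # Calculated-field substitute for "one alias, many originals": first non-empty value wins
    out = dict(event)
    for name in originals:
        if out.get(name) not in EMPTY:
            out[new_field] = out[name]
            break
    return out
```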


Tags enable you to assign names to specific field and value combinations, including event type, host, source, or source type
Tags example

tag=router tag=SF NOT (tag=Building1)

Field aliases enable you to normalize data from multiple sources. You can add multiple aliases to a field name or use these field aliases to normalize different field names. The use of Field aliases does not rename or remove the original field name

Tag field-value pairs in Search
Tag field-value pairs
In the Create Actions dialog box, define one or more tags for the field-value pair.
Values for the Tag(s) field must be separated by commas or spaces

Remove URL-encoded values from tag definitions
Under Field-value pair replace url=http%3A%2F%2Fdocs.splunk.com%2FDocumentation with the decoded version: url=http://docs.splunk.com/Documentation

Search for tagged field values
To search for a tag associated with a value in any field:
To search for a tag associated with a value in a specific field:

Use wildcards to search for tags
If you have multiple eventtype tags for various types of IP addresses, such as IP-src and IP-dest, you can search for all of them with


To find all hosts whose tags contain "local", search for the following tag


To search for the events with eventtypes that have no tags, you can search for the following Boolean expression

NOT tag::eventtype=*

Disable and delete tags

  • Under Actions, click the arrow next to the field value.
  • Select Edit Tags to open the Create Tags window
  • In the Create Tags window, delete the tags that you want to disable from the Tags field.

Define and manage tags in Settings
Using the Tags page in Settings
The Tags page in Settings gives you three views of your tags. Each view is a different tag organization:

  • List by field value pair
  • List by tag name
  • All unique tag objects

Managing associations between field-value pairs and tag sets
The List by field-value pair page lists the field-value pairs that are associated with tag sets
Clone, Move, or Delete an association between a field-value pair and a set of tags

Managing associations between tags and sets of field-value pairs
The List by tag name page lists each of the tags that are in your Splunk platform deployment
Reviewing all unique field-value pair and tag combinations
The All unique tag objects page lists out all of the unique tag name, field-value pairing, and app combinations in your deployment

Disabling and deleting tags
Delete a tag with multiple field-value pair associations
Settings > Tags > List by tag name
Disable or delete the associations between a field-value pairing and a set of tags
Settings > Tags > List by field-value pair
Disable tags
Depending on your permissions to do so, you can also disable tag and field-value pair associations using the three Tags pages in Settings

Tag the host field
Add a tag to the host field in search results
Host names vs. tagging the host field
Each event can have only one host name, but multiple host tags

Tag event types
Tag event types to add information to your data. Any event type can have multiple tags

Add tags to event types using Splunk Web
Once you have tagged an event type, you can search for it in the search bar with the syntax tag::<field>=<tagname> or tag=<tagname>: