Event types in Splunk are a way of categorizing common types of events in your data in order to make them easier to search and report on. One advantage of using event types is that they can assist in applying a common classification to similar events. Event types essentially turn chunks of search criteria into field/value pairs. Tags help you search groups of event data more efficiently and can be assigned to any field/value combination, including event types.
For example, Windows logon events could be given an event type of windows_logon
, Unix logon events be given an event type of unix_logon
, and VPN logon events could be given an event type of vpn_logon
. We could then tag these three event types with a tag of logon_event
. A simple search for tag="logon_event"
would then search across the Windows, Unix, and VPN source types and return all the logon events. Alternatively, if we want to search only for Windows logon events, we will search for eventtype=windows_logon
.
This recipe will show how to define event types and tags for use with the sample data. Specifically, you will define an event type for successful web server events.
To step through this recipe, you will need a running Splunk server with the operational intelligence sample data loaded. No other prerequisites are required.
Follow the given steps to define an event type and associated tag:
Log in to your Splunk server.
From the home launcher in the top right-hand corner, click on the Settings menu item and then click on the Event types link.
In the Destination App drop-down list, select search. Enter
HttpRequest-Success
in the Name field. In the Search string text area, entersourcetype=access_combined status=2*
. In the Tag(s) field, enterwebserver
, and then click on Save.The event type is now created. To verify that this worked, you should now be able to search by both the event type and the tag that you created. Navigate to the Splunk search screen in the Search & Reporting app and enter the following search over the Last 60 minutes time range to verify that the
eventtype
is working:eventtype="HttpRequest-Success"
Enter the following search over the Last 60 minutes time range to verify that the tag is working:
tag="webserver"
Event types are applied to events at search time and introduce an eventtype
field with user-defined values that can be used to quickly sift through large amounts of data. An event type is essentially a Splunk search string that is applied against each event to see if there is a match. If the event type search matches the event, the eventtype
field is added, with the value of the field being the user-defined name for that event type.
The common tag value allows for a grouping of event types. If multiple event types had the same tag, then your Splunk search could just search for that particular tag value, instead of needing to list out each individual event type value.
Event types can be added, modified, and deleted at any time without the need to change or reindex your data, as they are applied at search time.
Event types are stored in eventtypes.conf
in either the $SPLUNK_HOME/etc/system/local/
or a custom app directory.
While adding of event types and tags can be done through the web interface of Splunk, as outlined in this recipe, there are other approaches to add them in bulk quickly and allow for customization of the many configuration options that Splunk provides.
Event types in Splunk can be manually added to the eventtypes.conf
configuration files. Edit or create $SPLUNK_HOME/etc/system/local/eventtypes.conf
and add your event type. You will need to restart Splunk after this:
[HttpRequest-Success] search = status=2*
Tags in Splunk can be manually added to the tags.conf
configuration files. Edit or create $SPLUNK_HOME/etc/system/local/tags.conf
and add your tag. You will need to restart Splunk after this:
[eventtype=HttpRequest-Success] webserver = enabled
Also refer to the following recipes for more information:
The Loading the sample data for this book recipe
The Defining field extractions recipe
Tip
Downloading the example code
You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files e-mailed directly to you.
You can download the code files by following these steps:
Log in or register to our website using your e-mail address and password.
Hover the mouse pointer on the SUPPORT tab at the top.
Click on Code Downloads & Errata.
Enter the name of the book in the Search box.
Select the book for which you're looking to download the code files.
Choose from the drop-down menu where you purchased this book from.
Click on Code Download.
You can also download the code files by clicking on the Code Files button on the book's webpage at the Packt Publishing website. This page can be accessed by entering the book's name in the Search box. Please note that you need to be logged in to your Packt account.
Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:
WinRAR / 7-Zip for Windows
Zipeg / iZip / UnRarX for Mac
7-Zip / PeaZip for Linux
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Splunk-Operational-Intelligence-Cookbook-Second-Edition. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!