Data classification with event types
When you work with Splunk every day, you will quickly notice that many tasks repeat. In fact, while going through this book, you may have seen that search queries can easily get longer and more complex. One way to make things easier and shorten search queries is to create event types. Event types are not the same as events: an event is a single instance of data, whereas an event type is a grouping or classification of events that meet the same search criteria.
If you took a break between chapters, open Splunk again and run the following search:
Open up Splunk.
Click on your Destinations app.
Type in this query:
SPL> index=main http_uri=/booking/confirmation http_status_code=200
This search returns successful booking confirmations. Now say you want to search for the same thing the next day. Without any data classification, you would have to type the same search string again. Instead of tedious repetition...
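A simplified model of what an event type does, added here as an example (it is not Splunk's code and not from the book): event type definitions are written in the eventtypes.conf stanza style, the stanza names and the second search are hypothetical, the sample events are constructed, and only AND-ed field=value terms with * wildcards are modelled.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed eventtypes.conf-style definitions. Stanza names are hypothetical;
# the first search is the book's query, the second is a made-up sibling.
EVENTTYPES_CONF = """
[good_bookings]
search = index=main http_uri=/booking/confirmation http_status_code=200

[booking_errors]
search = index=main http_uri=/booking/* http_status_code=5*
"""

# Constructed sample events, each a dict of already-extracted fields.
EVENTS = [
    {"index": "main", "http_uri": "/booking/confirmation", "http_status_code": "200"},
    {"index": "main", "http_uri": "/booking/confirmation", "http_status_code": "503"},
    {"index": "main", "http_uri": "/home", "http_status_code": "200"},
    {"index": "security", "http_uri": "/booking/confirmation", "http_status_code": "200"},
]

def load_eventtypes(conf_text):
    """Parse [stanza] / search = ... into {name: [(field, pattern), ...]}.
    Only AND-ed field=value terms are modelled; '*' acts as a wildcard."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {
        name: [tuple(term.split("=", 1)) for term in parser.get(name, "search").split()]
        for name in parser.sections()
    }

def matches(event, terms):
    """True when every term matches the event's field value (missing field -> '')."""
    return all(fnmatchcase(str(event.get(f, "")), p) for f, p in terms)

def classify(events, eventtypes):
    """Attach an 'eventtype' field listing every matching event type, the way
    Splunk tags events at search time; an event may match several or none."""
    return [
        dict(event, eventtype=sorted(n for n, t in eventtypes.items() if matches(event, t)))
        for event in events
    ]

def search(events, eventtypes, name):
    """Model of 'eventtype=<name>' in a query: keep only events carrying that type."""
    return [e for e in classify(events, eventtypes) if name in e["eventtype"]]
```

Once the definition is saved, the long query collapses to `eventtype=good_bookings`, and the same definition keeps working day after day.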