Splunk Event Types

In this section we look at event types in Splunk: where event types sit in the search-time sequence and the search-time operation order, how event types work, event type tags, and how to save a search as an event type.

Event Types

Event types are a categorization system that helps us make sense of the data. They let us sift through enormous amounts of data, find similar patterns, and build alerts and reports on top of them.

Note: Event types are not recommended as a shortcut for a search. If we want a portion of a search shortened, a search macro is the better tool. Search macros are more versatile in what they can express: they can include other search commands and not just base search terms, they can be parameterized, and they incur no per-event cost when events are retrieved. They can also be easier to maintain, since a single search macro can cover several kinds of events.

Event types and the search-time sequence

When we run a search, the Splunk software runs a number of operations to derive knowledge objects and apply them to the events the search returns. These operations are performed in a fixed sequence.

Search-time operations order

Event types are seventh in the search-time operation order: after lookups and before tags.

Restrictions

Splunk software processes event types first by priority score and then by ASCII sort order of the event type name. A search string that defines an event type cannot reference tags, because event types are always processed and added to events before tags are.

How event types work

An event type is defined by a search. Any event that the search could return becomes associated with that event type. Take this search, for example:

sourcetype=access_combined status=200 action=purchase

If we save that search as an event type named successful_purchase, the field eventtype=successful_purchase is added at search time to any event that the search could return. This happens even when the search we are actually running is looking for something entirely different.

Note: Event types can be expensive at search time, because every search attempts to associate the events it retrieves with each known event type. The more event types are defined, the higher the cost of running a search. The command.search.typer entry in the search job inspector shows the execution cost of this event-typing step.

To build a search that returns only events matching that event type, use eventtype=successful_purchase as a search term.

A single event can match several event types. When an event matches two or more event types, eventtype is a multivalue field holding all of them.
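As an added example (illustrative code written for this page, not part of Splunk), the following Python simulates the event-typing step described above: it reads a constructed eventtypes.conf fragment, assigns the eventtype field to constructed events in priority-then-ASCII order, and shows both that an unrelated search still gets the field on matching events and that eventtype=successful_purchase works as a search term. The matcher handles only the simple AND-ed field=value terms used in the page's search; real Splunk search syntax is far richer, and the event type names web_ok and any_purchase are made up for the example.

```python
import configparser

# Constructed eventtypes.conf fragment in Splunk's stanza syntax (example data,
# not a real deployment's file).
EVENTTYPES_CONF = """
[successful_purchase]
search = sourcetype=access_combined status=200 action=purchase
priority = 1

[web_ok]
search = sourcetype=access_combined status=200
priority = 5

[any_purchase]
search = sourcetype=access_combined action=purchase
priority = 5
"""

# Constructed events, as the field extraction steps would have left them.
EVENTS = [
    {"sourcetype": "access_combined", "status": "200", "action": "purchase"},
    {"sourcetype": "access_combined", "status": "200", "action": "view"},
    {"sourcetype": "access_combined", "status": "500", "action": "purchase"},
    {"sourcetype": "syslog", "status": "200", "action": "purchase"},
]


def parse_terms(search_string):
    """Split a search of simple AND-ed field=value terms into a dict (simplification)."""
    return dict(term.split("=", 1) for term in search_string.split())


def load_eventtypes(conf_text):
    """Read [name] stanzas with search= and priority= (default 1, the highest)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [
        {"name": name,
         "terms": parse_terms(cp[name]["search"]),
         "priority": int(cp.get(name, "priority", fallback="1"))}
        for name in cp.sections()
    ]


def matches(event, terms):
    """True when every term matches; a multivalue field matches if any value does."""
    for field, value in terms.items():
        have = event.get(field)
        if isinstance(have, list):
            if value not in have:
                return False
        elif str(have) != value:
            return False
    return True


def apply_eventtypes(event, types):
    """Attach eventtype as a multivalue field, ordered by priority then ASCII name."""
    hits = sorted((t for t in types if matches(event, t["terms"])),
                  key=lambda t: (t["priority"], t["name"]))
    out = dict(event)
    if hits:
        out["eventtype"] = [t["name"] for t in hits]
    return out


def run_search(search_string, events, types):
    """Event typing happens for every retrieved event, whatever the search asks for,
    so type first and then filter (search-time fields are usable as search terms)."""
    typed = [apply_eventtypes(e, types) for e in events]
    return [e for e in typed if matches(e, parse_terms(search_string))]


if __name__ == "__main__":
    types = load_eventtypes(EVENTTYPES_CONF)
    # An unrelated search still carries the event type on matching events.
    for e in run_search("sourcetype=access_combined status=500", EVENTS, types):
        print(e)
    # The event type name works as a search term.
    print(run_search("eventtype=successful_purchase", EVENTS, types))
```

The purchase event with status 200 matches all three event types and ends up with eventtype ordered successful_purchase, any_purchase, web_ok: priority 1 first, then the two priority-5 types in ASCII order. The event with status 500 is returned by a search that never mentions purchases, yet still carries eventtype=any_purchase, which is the cost the note above warns about.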

Important event type definition restrictions

We cannot base an event type on a search that:

  • Includes a pipe operator after a simple search.
  • Includes a subsearch.
  • Is made up of a simple search that uses the savedsearch command to reference the name of a report. For example, if we have a report named failed_login_search, we should not define the event type with the search savedsearch failed_login_search. Instead, use the search string that defines failed_login_search as the event type definition.

The last point is a best practice rather than a hard restriction. We want to avoid a situation where another user later changes the search string behind failed_login_search, possibly in a way that breaks the event type. If we put the actual search string in the event type definition, we keep control over the ongoing validity of the event type.

Note: If we only want a way to shorten a search, use a search macro rather than an event type.

Creating event types

The easiest way to create a new event type is through Splunk Web. After running a search that would make a good event type, click Save As and select Event Type. This opens the Save As Event Type dialog, where we can enter the name of the event type and optionally add tags to it. See the section Define event types in Splunk Web below for more detail on saving searches as event types.

Event type tags

Event types can be associated with one or more tags. Tags can be added when saving a search as an event type and from the event type manager, located in Settings > Event types. From the list of event types in that window, choose the one we wish to edit.

Tag event types to group the data into categories. Multiple tags can be given per event type. We can tag an event type in Splunk Web or configure it in tags.conf. For more information, see the documentation on tagging event types.

Event type tags example 1

Use event type tags to track abstract field values such as HTTP access logs, IP addresses, or ID numbers by giving them more descriptive names. Add tags to an event type by going to Settings > Event types and picking the event type from the list.

After adding tags to our event types, we search for them the same way we search for any tag.

Say we saved a search for page not found as the event type status=404 and a search for failed authentication as the event type status=403. If we tagged both of these event types with HTTP client error, we can retrieve all events of either event type with the search:

tag::eventtype="HTTP client error"

(The value is quoted because the tag name contains spaces.)

Event type tags example 2

The Common Information Model (CIM) add-on for the Splunk platform generally uses event type tags to normalize newly indexed data from an unfamiliar source type. We can use the same approach: tags identify the various kinds of events within a single data source.

To apply CIM-compliant tags to our data:

  1. Select Settings > Data Models in Splunk Web. Find the data model dataset that we want our data mapped to and note its tags. For example, in the Performance data model, the cpu_load_percent object carries these tags:
    tag = performance
    tag = cpu
  2. Create the appropriate event types in the event type manager in Splunk Web, under Settings > Event types. We can also edit eventtypes.conf directly.
  3. Create the corresponding tags in Splunk Web. Select Settings > Event types, locate the event type we wish to tag and click its name. We can also edit tags.conf directly.
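As an added example serving both tag examples above (illustrative code for this page, not Splunk's own), the following Python simulates the tag step that runs right after event typing: it reads a constructed tags.conf fragment, attaches tag and tag::eventtype as multivalue fields to constructed events that already carry eventtype, and then answers the tag::eventtype="HTTP client error" search from example 1 and a tag=performance tag=cpu style search like the CIM tags in example 2. The event type names status_404, status_403, web_ok and cpu_metrics, and the cpu_stats sourcetype, are assumptions made up for the example.

```python
import configparser

# Constructed tags.conf fragment in Splunk's [field=value] / tagname = enabled
# stanza syntax (example data, not a real deployment's file).
TAGS_CONF = """
[eventtype=status_404]
HTTP client error = enabled

[eventtype=status_403]
HTTP client error = enabled

[eventtype=successful_purchase]
HTTP client error = disabled
purchase = enabled

[eventtype=cpu_metrics]
performance = enabled
cpu = enabled
"""

# Constructed events as they look after the event-typing step (eventtype already set).
EVENTS = [
    {"status": "404", "eventtype": ["status_404"]},
    {"status": "403", "eventtype": ["status_403"]},
    {"status": "200", "eventtype": ["successful_purchase", "web_ok"]},
    {"sourcetype": "cpu_stats", "eventtype": ["cpu_metrics"]},
    {"status": "500"},
]


def load_tags(conf_text):
    """Map (field, value) -> set of enabled tag names from tags.conf stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the tag name's case, e.g. "HTTP client error"
    cp.read_string(conf_text)
    tagmap = {}
    for section in cp.sections():
        field, value = section.split("=", 1)
        enabled = {tag for tag, state in cp[section].items() if state == "enabled"}
        if enabled:
            tagmap[(field, value)] = enabled
    return tagmap


def apply_tags(event, tagmap):
    """Add tag and tag::<field> multivalue fields. This relies on eventtype already
    being present, which is why the tag step must run after event typing."""
    out = dict(event)
    for (field, value), tags in tagmap.items():
        have = event.get(field, [])
        have = have if isinstance(have, list) else [have]
        if value in have:
            out.setdefault("tag", set()).update(tags)
            out.setdefault("tag::" + field, set()).update(tags)
    return out


def search_tags(events, required, field=None):
    """tag=<x> (field=None) or tag::<field>=<x>; every tag in `required` must be present."""
    key = "tag" if field is None else "tag::" + field
    return [e for e in events if required <= e.get(key, set())]


if __name__ == "__main__":
    tagged = [apply_tags(e, load_tags(TAGS_CONF)) for e in EVENTS]
    # tag::eventtype="HTTP client error" retrieves both the 404 and the 403 events.
    print(search_tags(tagged, {"HTTP client error"}, field="eventtype"))
    # tag=performance tag=cpu retrieves the CPU metric event, as with CIM tags.
    print(search_tags(tagged, {"performance", "cpu"}))
```

A disabled tag in tags.conf is not attached, so the successful_purchase event carries only the purchase tag; and the status 500 event, which matched no event type, receives no tag fields at all.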

Define event types in Splunk Web

An event type represents a search that returns a specific type of event or a useful set of events. Any event that the search could return becomes associated with that event type. Take this search, for example:

sourcetype=access_combined status=200 action=purchase

If we save the search as an event type called successful_purchase, eventtype=successful_purchase is applied at search time to any event that the search could return. This happens even when the search we are running is looking for something entirely different.

Later, if we want a search that returns only events matching the event type, include eventtype=successful_purchase in the search string.

A single event can match several event types. When an event matches two or more event types, eventtype is a multivalue field.

Save a search that we ran as an event type

We can save a search as an event type after we run it. Event types typically reflect searches that return a specific kind of event or a useful variety of events.

When we create an event type, its definition is written to eventtypes.conf in $SPLUNK_HOME/etc/users/<your-username>/<app>/local/, where <app> is the current app context. If we change the permissions on the event type to make it available to all users (either within the app, or globally for all apps), the Splunk platform moves the event type to $SPLUNK_HOME/etc/apps/<app>/local/.

Save a search as an event type

  1. In the Search view, run a search.
  2. Click Save As and select Event Type.
  3. Give the event type a unique Name.
  4. (Optional) Add one or more Tag(s), separated by commas.
    We can apply the same tag to event types that produce similar results. A search on that tag alone returns the combined set of events that belong to those event types.
  5. (Optional) Select a Color for the event type.
    A band of that color then appears at the start of every event in the event listing that matches this event type; an event matching an event type with the color purple, for instance, gets a purple band.
    We can change the color of an event type (or remove its color entirely) by editing it in Settings.
  6. (Optional) Give the event type a Priority.
    Priority affects how events that match two or more event types are displayed. 1 is the highest priority and 10 is the lowest.
  7. Click Save to save the new event type.
    We can see the list of event types we and other users have created in Settings > Event types.

Any event type we create this way also appears on the Event Types listing page in Settings, where it can be edited.
