An event type is essentially a simple search definition, with no pipes or commands. To define an event type, first make a search. Let's search for:
sourcetype="impl_splunk_gen" logger="AuthClass"
Let's say these events are login events. To make an event type, choose Event type... from the Create menu, as shown here:
This presents us with a dialog, where we can assign a Name string and optionally any Tag(s) to this event type, as shown in the following screenshot:
Let's name our event type login.
We can now search for the same events using the event type:
eventtype=login
Event types can be used as part of another search, as follows:
eventtype=login loglevel=error
Event type definitions can also refer to other event types. For example, let's assume that all login events that have a loglevel value of ERROR are in fact failed logins.
We can now save this into another event type using the same steps as mentioned previously. Let's call it failed_login. We can now...
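As an added illustration (not part of the original text), this is how the two event types created through the dialog above are stored on disk in eventtypes.conf, together with the optional tag in tags.conf; the app directory and the tag name authentication are assumptions.

```ini
# eventtypes.conf, e.g. $SPLUNK_HOME/etc/apps/<app>/local/eventtypes.conf
# The stanza name is the event type name used in searches as eventtype=<name>.
# The search must be a plain search: no pipes, no commands.
[login]
search = sourcetype="impl_splunk_gen" logger="AuthClass"

# An event type definition may reference another event type, so
# failed_login is resolved as the subset of login events at loglevel error.
[failed_login]
search = eventtype=login loglevel=error

# tags.conf, same directory: a tag assigned in the dialog is stored per
# field=value pair. The tag name "authentication" is an assumed example.
[eventtype=login]
authentication = enabled
```

Once these stanzas are in place, `eventtype=failed_login` and `tag=authentication loglevel=error` return the same events, which is a quick way to confirm the nested definition resolved as intended.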