Splunk transaction same event

You can add these tags while you save a search as an event type and from the event type manager, located in Manager > Event types.

When you search your event data, you are essentially filtering out all unwanted events. The results of your search are events that share common characteristics, and you can give them a collective name. For example, if you often search for failed logins on different host machines, you can save an event type for the events and call it failed_login:

    "failed login" OR "FAILED LOGIN" OR "Authentication failure" OR "Failed to authenticate user"

In the Save As Event Type window, give your event type a Name. In this example the name is failed_login. You can add a list of tags that should be applied to the event type in the Tag(s) field. For more about tags, see the section Use tags to group and find similar events below. Click Save to save your event type name.

Now you can quickly search for all the events that match this event type the same way you can search for any field, by specifying the event type in your search criteria. For example, you might be interested in finding failed logins on specific host machines. Or you might want to investigate suspicious user activity. Your search might look something like this:

    user=suspicious eventtype=failed_login

Use findtypes to discover new event types

Pass any of your searches into the findtypes command to display suggestions for event types. The findtypes command compares the events resulting from the search and groups those events that have similar punctuation and terms together. For more information and examples, see "findtypes" in the search command reference.

Use tags to group and find similar events

In your data, you might have groups of events with related field values. To help you search more efficiently for these groups of fields, you can assign tags to their field values. You can assign one or more tags to any extracted field (including event type, host, source, or source type). Event types can have one or more tags associated with them.
Important: You cannot save a search pipeline as an event type; that is, when saving a search as an event type, it cannot include a search command.
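To make concrete what saving the failed_login event type and then searching user=suspicious eventtype=failed_login actually do, here is an added Python model of the classification and tag lookup; it is not Splunk's code. The auth_event type, the tag assignments, the host bastion01 and the log lines are constructed for the example.

```python
# Illustrative model of Splunk event-type classification and tagging (not Splunk's code).
EVENT_TYPES = {
    # The page's failed_login event type: the search terms it was saved from.
    "failed_login": ["failed login", "FAILED LOGIN", "Authentication failure",
                     "Failed to authenticate user"],
    # A second, constructed event type, so one event can match several types.
    "auth_event": ["Authentication", "authenticate"],
}

# (field, value) -> tags, in the spirit of tags.conf. Constructed for the example.
TAGS = {
    ("eventtype", "failed_login"): {"authentication", "failure"},
    ("eventtype", "auth_event"): {"authentication"},
    ("host", "bastion01"): {"dmz"},
}

def classify(event):
    """Set the multivalue eventtype and tag fields on one event (a dict of fields).
    Splunk term matching is case-insensitive; the model uses case-insensitive
    substring tests of each quoted phrase against the raw event text."""
    raw = event["_raw"].lower()
    event["eventtype"] = [name for name, terms in EVENT_TYPES.items()
                          if any(t.lower() in raw for t in terms)]
    tags = set()  # tag is multivalue too: union over every field/value pair present
    for fld, values in list(event.items()):
        for value in (values if isinstance(values, list) else [values]):
            tags |= TAGS.get((fld, value), set())
    event["tag"] = sorted(tags)
    return event

def search(events, **criteria):
    """field=value filtering as in `user=suspicious eventtype=failed_login`: a criterion
    matches when its value is one of the field's (possibly several) values."""
    def matches(ev):
        for fld, want in criteria.items():
            have = ev.get(fld, [])
            if want not in (have if isinstance(have, list) else [have]):
                return False
        return True
    return [ev for ev in events if matches(ev)]

# Constructed events, with host and user already extracted as fields.
EVENTS = [classify(ev) for ev in [
    {"_raw": "sshd[4121]: Failed to authenticate user suspicious from 10.0.0.5",
     "host": "bastion01", "user": "suspicious"},
    {"_raw": "pam: Authentication failure for alice", "host": "app02", "user": "alice"},
    {"_raw": "sshd[4130]: Accepted publickey for bob", "host": "bastion01", "user": "bob"},
    {"_raw": "login: FAILED LOGIN 1 FROM tty1 FOR suspicious", "host": "app02",
     "user": "suspicious"},
]]
```

Because eventtype and tag are both multivalue, the first event matches two event types at once and can be found through either name or through tag=authentication.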

For more information about events, how Splunk software recognizes them, and what it does when it processes them for indexing, see the Overview of event processing topic in the Getting Data In manual.

This topic discusses how to classify events (save a search as an event type) and search for tagged fields. You can search for these groups of events (for example, SSH logins) the same way you search for any field value. The names of the matching event types for an event are set on the event, in a multivalue field called eventtype.

An event type is a classification used to label and group events. An event is a single instance of data - a single log entry, for example. An event is not the same thing as an event type.