When working with Splunk daily, you will find many of the tasks and searches you run are repeated on a periodic basis. As shown earlier, storing field extraction logic in a single place allows it to be reused in the future. Another way to make things easier and also shorten searches is to create Event Types. Event Types are not the same as events; an event is just a single instance of data. An Event Type is a grouping or classification of events meeting the same search criteria.
If you took a break between chapters, you will probably want to open up Splunk again. Then, execute a search command:
- Log in to the Splunk portal
- Click on your Destinations app
- Type this search in the search bar:
SPL> index=main http_uri=/booking/confirmation http_status_code=200
This search will return events representing successful booking confirmations. In the overall set of requirements, successful bookings is something that most likely will want to be known in a variety of ways, over time. Without any data classification, you'll have to type the same search string as previously entered. Instead of tedious repetition, you can simplify your work by saving the search command as an Event Type. Follow these steps to create some Event Types:
- In the Save As dropdown, select Event Type:
- Label this new Event Type good_bookings.
- Select a color that is best suited for the type of event; in this case, we will select green.
- Select 5 as the priority. Priority here determines which style wins if there is more than one Event Type. 1 is the highest and 10 is the lowest.
- Use the following screenshot as a guide, then click on Save:
Now, let's create an Event Type for bad bookings:
- Modify the previous search from http_status_code=200 to http_status_code=500. The new search is as shown here:
SPL> index=main http_uri=/booking/confirmation http_status_code=500
- Save this as an Event Type as well. Name it bad_bookings and opt for the color to be red, leaving Priority as 5:
We have created two Event Types. Let's see them in action:
- Enter the following search:
SPL> eventtype=*bookings
- The results should appear similar to the following screenshot. Notice that the search results have now been colored based on the assigned Event Type, making it easy to spot either of the two types of booking. You can also search for eventtype=good_bookings or eventtype=bad_bookings to narrow the search results:
Since the eventtype is now part of the search, you can add more search logic using piped commands, for example:
SPL> eventtype=*bookings | stats count by eventtype
Create a few more Event Types using the following table as a guide. After modifying the search command, you must execute the search for the Event Type to be saved accurately. Set all Priorities to 5 when creating the four Event Types as given in the following table:
| Event Type | Search command | Color |
| good_payment | index=main http_uri=/booking/payment http_status_code=200 | green |
| bad_payment | index=main http_uri=/booking/payment http_status_code=500 | red |
| destination_details | index=main http_uri=/destination/*/details | blue |
| bad_logins | index=main http_uri=/auth http_status_code=500 | purple |