This will now give us a very useful report, shown as follows:
Think about the ways that these event types are being used in this seemingly simple query:
Search: An event type definition is defined as a search, so it seems only natural that you can search for events that match an event type definition.
Categorization: As events are retrieved, if the events match the definition of any event type, those events will have that event type's name added to the eventtype field.
Tagging: Since event types can also be tagged, tag values assigned to certain event types can be used for both search and categorization. This is extremely powerful for assigning common tags to varied sets of results; for instance, events that belong in a report or should cause an alert.
For clarity, let's unroll this query to see what Splunk is essentially doing under the covers. The query is expanded from the tag and event type definitions, as follows:
tag::eventtype="actionable"
eventtype="failed_admin_login"
eventtype="failed_login" tag::user="admin"
(eventtype=login loglevel=error) tag::user="admin"
((sourcetype="impl_splunk_gen" logger="AuthClass") loglevel=error) tag::user="admin"
((sourcetype="impl_splunk_gen" logger="AuthClass") loglevel=error) (user=linda OR user=jacky)
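The unrolling walked through above, as an added Python example (not from the book and not Splunk's own code): it resolves tag:: and eventtype= terms from constructed definitions one step at a time, so you can see which definition a search is really running before you trust an alert built on it. The definition tables, the regex and the parenthesising rule are assumptions of this script; Splunk's actual search-time expansion is not reproduced exactly.

```python
import re

# Constructed sample definitions mirroring the page's example; the dict layout is
# this script's assumption, not Splunk's eventtypes.conf / tags.conf format.
EVENTTYPES = {
    "login": 'sourcetype="impl_splunk_gen" logger="AuthClass"',
    "failed_login": 'eventtype=login loglevel=error',
    "failed_admin_login": 'eventtype="failed_login" tag::user="admin"',
}
TAGS = {  # tag name -> field -> field values carrying that tag
    "actionable": {"eventtype": ["failed_admin_login"]},
    "admin": {"user": ["linda", "jacky"]},
}
# A rewritable search term: tag::<field>=<tag> or eventtype=<name> (quotes optional)
TERM_RE = re.compile(r'tag::(\w+)="?(\w+)"?|eventtype="?(\w+)"?')


def resolve(match):
    """Return the search fragment one tag:: or eventtype= term stands for."""
    field, tag, etype = match.groups()
    if etype is not None:
        if etype not in EVENTTYPES:
            raise KeyError(f"unknown event type: {etype}")
        return EVENTTYPES[etype]
    values = TAGS.get(tag, {}).get(field)
    if not values:
        raise KeyError(f"tag {tag!r} is not assigned to any {field} value")
    clause = " OR ".join(f"{field}={v}" for v in values)
    return f"({clause})" if len(values) > 1 else clause


def unroll(query, limit=20):
    """Expand the leftmost rewritable term one step at a time and return every
    intermediate query; the last one contains no tag:: or eventtype= term."""
    steps = [query]
    for _ in range(limit):
        m = TERM_RE.search(query)
        if m is None:
            return steps
        repl = resolve(m)
        # Preserve precedence: a multi-term definition is parenthesised unless
        # the term it replaces is the whole query (or it is already grouped).
        if " " in repl and not repl.startswith("(") and m.span() != (0, len(query)):
            repl = f"({repl})"
        query = query[:m.start()] + repl + query[m.end():]
        steps.append(query)
    raise ValueError("event type / tag definitions form a cycle")


if __name__ == "__main__":
    print("\n".join(unroll('tag::eventtype="actionable"')))
```

A definition chain that never bottoms out (two event types referencing each other) is reported as an error instead of looping forever.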