All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lousy eventtypes in Unix add-on: only Unix uses *.log files?

satyenshah
Path Finder
‎02-28-2019 02:10 PM

The Splunk Add-on for Unix and Linux (v6.0.1, the current version) contains a couple of curiously broad eventtype definitions in default/eventtypes.conf:

[nix-all-logs]
search = source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

[nix_errors]
search = (NOT sourcetype=stash) error OR critical OR failure OR fail OR failed OR fatal

Which say that any Splunk search result where the data came from a file with extension ".log", or any search query containing the search term "error", will tag the results with a "nix" eventtype. Even if you are searching IIS or firewall logs, it's tagged nix, which is comical. This raises two questions:

1) what are the implications of the eventtype on day-to-day use? Is the eventtype tag really relevant, or is it legacy from earlier versions of Splunk?
2) has anybody written/deployed a tighter filter for [nix-all-logs] and [nix-errors] than the built-in ones? I imagine just adding 'NOT vendor=Microsoft' would make sense, but I'm sure there's better logic.

Reply

lakshman239
Influencer
‎03-01-2019 03:27 AM

For 1 - eventtypes and tags are the foundations for datamodels. They are very helpful when you want to group events and tag them. https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Abouteventtypes

For 2 - If you want to create your own version/improve eventtypes, you can create one and store them in local/eventtypes.conf and local/tags.conf for your use case.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...