All Apps and Add-ons

Lousy eventtypes in Unix add-on: only Unix uses *.log files?

Path Finder

The Splunk Add-on for Unix and Linux (v6.0.1, the current version) contains a couple of curiously broad eventtype definitions in default/eventtypes.conf:

search = source="*.log" OR source="*.log.*" OR source="*/log/*" OR source="/var/adm/*" OR source="access*" OR source="*error*" OR sourcetype="syslo*" NOT source=usersWithLoginPrivs NOT sourcetype=lastlog

search = (NOT sourcetype=stash) error OR critical OR failure OR fail OR failed OR fatal

Which say that any Splunk search result where the data came from a file with extension ".log", or any search query containing the search term "error", will tag the results with a "nix" eventtype. Even if you are searching IIS or firewall logs, it's tagged nix, which is comical. This raises two questions:

1) what are the implications of the eventtype on day-to-day use? Is the eventtype tag really relevant, or is it legacy from earlier versions of Splunk?
2) has anybody written/deployed a tighter filter for [nix-all-logs] and [nix-errors] than the built-in ones? I imagine just adding 'NOT vendor=Microsoft' would make sense, but I'm sure there's better logic.


For 1 - eventtypes and tags are the foundations for datamodels. They are very helpful when you want to group events and tag them.

For 2 - If you want to create your own version/improve eventtypes, you can create one and store them in local/eventtypes.conf and local/tags.conf for your use case.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...