Splunk Tutorial

Splunk - Event Types

In Splunk search, we can define our own events from a dataset based on certain criteria. For example, we search only for the events that have an HTTP status code of 200. This search can then be saved as an event type with a user-defined name such as status200, and that name can be used as part of future searches.

In short, an event type represents a search that returns a specific type of event or a useful collection of events. Every event that the search can return is associated with that event type.

Creating Event Type

There are two ways to create an event type once we have decided on the search criteria. One is to run a search and then save it as an Event Type. The other is to add a new Event Type from the Settings tab. We will see both ways of creating it in this section.

Consider a search for events that have a successful HTTP status value of 200 and that occurred on a Wednesday. After running the search query, we can choose the Save As option to save the query as an Event Type.

[Screenshot: event type 1]

The next screen prompts for a name for the Event Type, an optional Tag, and a colour with which the matching events will be highlighted. The Priority option decides which event type is displayed first when two or more event types match the same event.

[Screenshot: event type 2]

Finally, we can confirm that the Event Type has been created by going to Settings → Event Types.

Using New Event Type

The other way to create a new Event Type is to use the Settings → Event Types option, as shown below, where we can add a new Event Type:

[Screenshot: event type 3]

On clicking the New Event Type button, we get the following screen, where we add the same query as in the previous section.

[Screenshot: event type 4]

Viewing the Event Type

To view the events of the event type we just created, we can write the search query below in the search box; the resulting events are shown along with the colour we chose for the event type.

[Screenshot: event type 5]

Using the Event Type

We can use the Event Type along with other queries. Here we specify only part of the criteria from the Event Type, and the result is a mix of events: those that match the event type appear coloured and the others do not.

[Screenshot: event type 6]
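The mechanics described in the sections above, as an added example that is not part of the original tutorial or of Splunk's own code: a small Python model of how a saved event type associates with events, how the priority setting picks the highlight colour when two event types match the same event, and how a search of the form eventtype=status200 expands into the saved criteria while a partial search such as status=200 returns a mix of coloured and uncoloured events. The sample events, the assumption that the saved search is a list of field=value terms, the second event type wednesday_traffic and the tag name web_success are constructed for this example; the eventtypes.conf and tags.conf stanzas use the keys Splunk stores for event types and tags.

```python
from dataclasses import dataclass, field

# Constructed sample events, not real Splunk data: web-access events with the
# extracted field status and Splunk's default date_wday field.
EVENTS = [
    {"_raw": "10.0.0.5 GET /index.html 200", "status": "200", "date_wday": "wednesday"},
    {"_raw": "10.0.0.5 GET /about.html 200", "status": "200", "date_wday": "monday"},
    {"_raw": "10.0.0.9 POST /login 403", "status": "403", "date_wday": "wednesday"},
    {"_raw": "10.0.0.9 GET /admin 404", "status": "404", "date_wday": "thursday"},
    {"_raw": "10.0.0.7 GET /cart 200", "status": "200", "date_wday": "wednesday"},
]


@dataclass
class EventType:
    """One saved event type: the search it was saved from plus its display settings."""
    name: str
    search: str            # saved search criteria, assumed here to be field=value terms
    priority: int = 1      # 1 is the highest priority, as in Splunk's Save As dialog
    color: str = "none"    # Splunk colour names such as et_green or et_blue
    tags: list = field(default_factory=list)

    def criteria(self) -> dict:
        return dict(term.split("=", 1) for term in self.search.split())

    def matches(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.criteria().items())


# status200 as in the tutorial, plus a broader constructed type (wednesday_traffic)
# so that priority resolution can be seen when both match the same event.
EVENT_TYPES = [
    EventType("status200", "status=200 date_wday=wednesday", priority=1,
              color="et_green", tags=["web_success"]),
    EventType("wednesday_traffic", "date_wday=wednesday", priority=2, color="et_blue"),
]


def associated_types(event: dict, event_types=EVENT_TYPES) -> list:
    """Names of every event type whose search would return this event, highest priority first."""
    hits = [et for et in event_types if et.matches(event)]
    return [et.name for et in sorted(hits, key=lambda et: et.priority)]


def highlight_color(event: dict, event_types=EVENT_TYPES) -> str:
    """Colour the event is displayed in: taken from the highest-priority matching type."""
    names = associated_types(event, event_types)
    if not names:
        return "none"
    return next(et.color for et in event_types if et.name == names[0])


def run_search(search: str, events=EVENTS, event_types=EVENT_TYPES) -> list:
    """Minimal search evaluator: field=value terms plus eventtype=<name> terms,
    which expand to the saved search of that event type; all terms are ANDed."""
    by_name = {et.name: et for et in event_types}
    results = []
    for ev in events:
        ok = True
        for term in search.split():
            key, value = term.split("=", 1)
            if key == "eventtype":
                ok = ok and by_name[value].matches(ev)
            else:
                ok = ok and ev.get(key) == value
        if ok:
            results.append(ev)
    return results


def eventtypes_conf(et: EventType) -> str:
    """Stanza Splunk stores in eventtypes.conf for an event type created through the UI."""
    return f"[{et.name}]\nsearch = {et.search}\npriority = {et.priority}\ncolor = {et.color}\n"


def tags_conf(et: EventType) -> str:
    """Stanza in tags.conf that attaches the chosen tags to the event type."""
    body = "".join(f"{tag} = enabled\n" for tag in et.tags)
    return f"[eventtype={et.name}]\n{body}"


if __name__ == "__main__":
    print("eventtype=status200 returns:")
    for ev in run_search("eventtype=status200"):
        print("  ", ev["_raw"])
    print("\nstatus=200 returns (partial criteria, mix of coloured and uncoloured):")
    for ev in run_search("status=200"):
        print(f"  {ev['_raw']:<32} types={associated_types(ev)} color={highlight_color(ev)}")
    print("\n" + eventtypes_conf(EVENT_TYPES[0]) + "\n" + tags_conf(EVENT_TYPES[0]))
```

Running the script shows the two behaviours the tutorial illustrates with screenshots: eventtype=status200 returns only the Wednesday events with status 200, while status=200 also returns the Monday event, which carries no event type association and therefore no colour. The event from the 403 on Wednesday matches only wednesday_traffic and is coloured blue, whereas an event matching both types takes the colour of the priority-1 type.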