Tutorial: Event Types in 3.2
Topics: dev, tech, videos
Hi, I’m David Carasso; perhaps you’ve seen my famous File Classifier Video. It’s the number one video at CurrentTV.
Below is a second screen-capture video that I just made to describe Splunk’s new Event Typer. The Event Typer dynamically tags system events in ways that are custom yet universal. For example, I can say that any event that happens on Sunday, has “status=Fatal”, and has “sourcetype=weblogic” should be dynamically tagged as a “weekend_fatal_weblogic” event. Topics covered include: what an event type is; how to search, view, and count event types; creating an event type; creating an event-type template; and discovering event types.
Yes, the production value is what you’ve come to expect from a Carasso Production. That’s right: 15 minutes of unscripted nerd talk. Now with a bonus 45 seconds of video as I type in an off-camera window. But I promise you’ll learn a few useful things you didn’t know.
EventTyperVideo (15 minutes of emacs magic)
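As an added illustration (not code from the post or from Splunk), here is a small search-time event typer in Python that applies the rule described above: an event with sourcetype=weblogic and status=Fatal that occurs on a Sunday is tagged weekend_fatal_weblogic. The sample events, the rule table, the derived date_wday field and the case-insensitive value match are assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not from the post): fields as a search-time
# pipeline would have extracted them. 2007-10-28 is a Sunday.
EVENTS = [
    {"_time": "2007-10-28T03:12:00", "sourcetype": "weblogic", "status": "Fatal", "msg": "OOM"},
    {"_time": "2007-10-30T10:58:00", "sourcetype": "weblogic", "status": "Fatal", "msg": "OOM"},
    {"_time": "2007-10-28T04:00:00", "sourcetype": "syslog", "status": "Fatal", "msg": "disk"},
    {"_time": "2007-10-28T05:00:00", "sourcetype": "weblogic", "status": "Warning", "msg": "slow"},
]

# Event-type definitions: name -> field predicates that must ALL hold (AND),
# mirroring a search such as "sourcetype=weblogic status=Fatal date_wday=sunday".
# date_wday is a derived field assumed for this example.
EVENT_TYPES = {
    "weekend_fatal_weblogic": {"sourcetype": "weblogic", "status": "Fatal", "date_wday": "sunday"},
    "weblogic_fatal": {"sourcetype": "weblogic", "status": "Fatal"},
}

def enrich(event):
    """Derive date_wday from _time at search time; nothing is written to the index."""
    wday = datetime.fromisoformat(event["_time"]).strftime("%A").lower()
    return {**event, "date_wday": wday}

def matches(rule, event):
    # Field values compare case-insensitively (assumption for this example).
    return all(str(event.get(f, "")).lower() == v.lower() for f, v in rule.items())

def event_types_for(event, rules=EVENT_TYPES):
    """All event-type names whose predicates hold for this event, sorted."""
    e = enrich(event)
    return sorted(name for name, rule in rules.items() if matches(rule, e))

def tag_events(events, rules=EVENT_TYPES):
    """Attach an 'eventtype' field to each event, the way the typer tags search results."""
    return [{**e, "eventtype": event_types_for(e, rules)} for e in events]

def count_event_types(events, rules=EVENT_TYPES):
    """Count hits per event type; editing 'rules' changes the answer with no re-indexing."""
    return dict(Counter(t for e in events for t in event_types_for(e, rules)))

if __name__ == "__main__":
    for e in tag_events(EVENTS):
        print(e["_time"], e["sourcetype"], e["status"], "->", e["eventtype"])
    print(count_event_types(EVENTS))
    # A rule added "at search time" applies to the same events immediately.
    print(count_event_types(EVENTS, {**EVENT_TYPES, "any_fatal": {"status": "Fatal"}}))
```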

October 26th, 2007 at 7:00 pm
Quick question about the event typer. Does it run at search time or index time? Also how much overhead is there to use this in a heavily loaded system?
Thanks, RJ
October 30th, 2007 at 10:58 am
The event-typer runs at search-time, allowing real-time modification of event-types to take effect immediately. It uses some advanced data structures to run thousands of event-types over tens of thousands of events per second. Splunk’s new gui-kernel interaction will only make this better, as initial results will come back immediately, while later results can lazily come in.
October 30th, 2007 at 2:41 pm
I believe “emacs magic” is defined as “being able to use emacs with only 10 fingers.”
October 30th, 2007 at 8:55 pm
Sweet. Search time is exactly what I wanted to hear. Now, in a distributed deployment, where does this need to run? On the ui/search server distributing the searches, or the end boxes running the final search? Thanks, RJ
November 8th, 2007 at 11:20 am
RJ, the search language leaves it completely up to the search user which he’d prefer — having the event-typing on the individual distributed machines, or the final machine that returns results. The first scales better, but the second makes managing the event-types and other config easier (they all live on the one server). We’ve talked about having “SplunkDaddy” to manage configs automatically across distributed machines, but it’s not there yet.