The version of the database is not the version that you requested. There are limits in place on the maximum result size that can be returned by a single query.

Download topic as PDF Classify and group similar events An event is not the same thing as an event type. An event is a single instance of data — a single log entry, for example.

An event type is a classification used to label and group events. The names of the matching event types for an event are set on the event, in a multivalue field called eventtype.

You can search for these groups of events for example, SSH logins the same way you search for any field value.

This topic discusses how to classify events save a search as an event type and search for tagged fields. For more information about events, how Splunk software recognizes them, and what it does when it processes them for indexing, see the Overview of event processing topic in the Getting Data In manual.

You cannot save a search pipeline as an event type; that is, when saving a search as an event type, it cannot include a search command.

Save a search as a new event type When you search your event data, you are essentially filtering out all unwanted events. The results of your search are events that share common characteristics, and you can give them a collective name.

Click Save As and select Event Type. You can add a list of tags that should be applied to the event type in the Tag s field. For more about tags see the section Use tags to group and find similar events below. Click Save to save your event type name.

Now, you can quickly search for all the events that match this event type the same way you can search for any field, by specifying the event type in your search criteria.

For example, you might be interested in finding failed logins on specific host machines. Your search might look something like this: By default, typelearner compares the punctuation of the events resulting from the search, grouping those that have similar punctuation and terms together.

You can specify a different field for Splunk software to group the events; typelearner works the same way with any field.

The result is a set of events from your search results that have this field and phrases in common. For more information and examples, see "typelearner" in the search command reference. Use tags to group and find similar events In your data, you might have groups of events with related field values.

To help you search more efficiently for these groups of fields, you can assign tags to their field values. You can assign one or more tags to any extracted field including event type, host, source, or source type. Event types can have one or more tags associated with them.

From the list of event types in this window, select the one you want to edit. After you add tags to your event types, you can search for them in the same way you search for any tag.

If you tagged both of these event types with allow, all events of either of those event types can be retrieved by using the search: You can also alias field names. Search for tagged field values There are two ways to search for tags.

