You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
47 lines
2.2 KiB
47 lines
2.2 KiB
5 months ago
|
# Version 9.2.2.20240415
|
||
|
|
||
|
# This file contains possible settings and values you can use to configure
|
||
|
# event discovery through the search command "typelearner."
|
||
|
#
|
||
|
# There is an eventdiscoverer.conf in $SPLUNK_HOME/etc/system/default/. To set
|
||
|
# custom configurations, place an eventdiscoverer.conf in
|
||
|
# $SPLUNK_HOME/etc/system/local/. For examples, see
|
||
|
# eventdiscoverer.conf.example. You must restart Splunk to enable
|
||
|
# configurations.
|
||
|
#
|
||
|
# To learn more about configuration files (including precedence) please see the
|
||
|
# documentation located at
|
||
|
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
|
||
|
|
||
|
# GLOBAL SETTINGS
|
||
|
# Use the [default] stanza to define any global settings.
|
||
|
# * You can also define global settings outside of any stanza, at the top of
|
||
|
# the file.
|
||
|
# * Each conf file should have at most one default stanza. If there are
|
||
|
# multiple default stanzas, attributes are combined. In the case of
|
||
|
# multiple definitions of the same attribute, the last definition in the
|
||
|
# file wins.
|
||
|
# * If an attribute is defined at both the global level and in a specific
|
||
|
# stanza, the value in the specific stanza takes precedence.
|
||
|
|
||
|
ignored_keywords = <comma-separated list of terms>
|
||
|
* If you find that event types have terms you do not want considered (for
|
||
|
example, "mylaptopname"), add that term to this list.
|
||
|
* Terms in this list are never considered for defining an event type.
|
||
|
* For more details, see $SPLUNK_HOME/etc/system/default/eventdiscoverer.conf).
|
||
|
* Default = "sun, mon, tue,..."
|
||
|
|
||
|
ignored_fields = <comma-separated list of fields>
|
||
|
* Similar to ignored_keywords, except these are fields as defined in Splunk
|
||
|
instead of terms.
|
||
|
* Defaults include time-related fields that would not be useful for defining an
|
||
|
event type.
|
||
|
|
||
|
important_keywords = <comma-separated list of terms>
|
||
|
* When there are multiple possible phrases for generating an eventtype search,
|
||
|
those phrases with important_keyword terms are favored. For example,
|
||
|
"fatal error" would be preferred over "last message repeated", as "fatal" is
|
||
|
an important keyword.
|
||
|
* Default = "abort, abstract, accept,..."
|
||
|
* For the full default setting, see $SPLUNK_HOME/etc/system/default/eventdiscoverer.conf.
|