Configure event type templates

Event type templates create event types at search time. If you have Splunk Enterprise, you define event type templates in eventtypes.conf. Edit eventtypes.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/.

For more information on configuration files in general, see "About configuration files" in the Admin manual.

Event type template configuration

Event type templates use a field name surrounded by percent characters, %$FIELD%, in the stanza name. At search time, the value of that field in each matching event is substituted into the name of the event type that is created.

[$NAME-%$FIELD%]
$SEARCH_QUERY

So if the search query in the template returns an event in which the field $FIELD has the value bar, an event type titled $NAME-bar is created for that event.

Example

[cisco-%code%]
search = cisco

If a search on "cisco" returns an event that has code=432, Splunk Enterprise creates an event type titled "cisco-432".
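The following Python script is an added illustration of the substitution rule above, not code from the Splunk documentation or from Splunk itself. It parses a constructed eventtypes.conf containing the cisco template plus a second template, expands each template stanza name against sample events, and treats an event that lacks the referenced field as producing no event type (an assumption; the page does not specify that case). Matching the stanza's search string as a keyword against the event's _raw text stands in for a real Splunk search.

```python
import re
from configparser import ConfigParser

# Constructed eventtypes.conf content: the page's cisco template plus a
# second, hypothetical template used to show that each template expands
# independently for the same event.
EVENTTYPES_CONF = """
[cisco-%code%]
search = cisco

[http-%status%]
search = http
"""

# A placeholder is a field name wrapped in percent characters, e.g. %code%.
TEMPLATE_FIELD = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def parse_templates(conf_text):
    """Return {stanza_name: search} for stanzas whose name holds a %field% placeholder."""
    cp = ConfigParser(interpolation=None)  # keep '%' literal; it is not ConfigParser syntax here
    cp.read_string(conf_text)
    return {name: cp[name]["search"] for name in cp.sections()
            if TEMPLATE_FIELD.search(name)}


def expand(template_name, event):
    """Substitute every %field% in the stanza name with the event's field value.
    Returns None when the event lacks a referenced field (assumption: no
    event type is created in that case)."""
    missing = False

    def sub(match):
        nonlocal missing
        value = event.get(match.group(1))
        if value is None:
            missing = True
            return match.group(0)
        return str(value)

    name = TEMPLATE_FIELD.sub(sub, template_name)
    return None if missing else name


def event_types_for(event, templates):
    """Return the concrete event type names the templates yield for one event.
    A case-insensitive keyword match on _raw simplifies the Splunk search."""
    names = []
    for stanza, search in templates.items():
        if search.lower() in event["_raw"].lower():
            name = expand(stanza, event)
            if name is not None:
                names.append(name)
    return names  # e.g. ["cisco-432"] for a cisco event with code=432
```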