How meta events work

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4

A meta event is a single event that Splunk creates by combining events that share common elements. Elements are common values, such as an IP address or username, that can be extracted as fields from the events.


Splunk creates certain meta events automatically. For example, events with a source type of sendmail automatically get a meta event created by combining the "sender" and "recipient" elements. This makes it easy to search for all events related to the message transfer between the sender and recipient, without needing to deduce a message-ID and then search for that.


Meta events are kept in Splunk's metaevents index. You can find meta events by searching for elements that happen to have a common meta event, or you can add index::metaevents to your search.


Transitive meta events

Events can also be linked transitively: if events A and B have a common value, and events B and C have a different common value, then all three can be part of the same meta event.
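
The transitive linking described above can be modelled as a union-find over shared (field, value) elements. The following is an added illustration in Python, not Splunk's implementation or configuration; the event ids, field names and values are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events; ids, field names and values are illustrative only.
SAMPLE_EVENTS = {
    "A": {"ip": "10.0.0.5"},
    "B": {"ip": "10.0.0.5", "user": "alice"},
    "C": {"user": "alice"},
    "D": {"ip": "10.0.0.9", "user": "bob"},
}


def group_transitively(events):
    """Group event ids linked, directly or through a chain, by a shared element."""
    parent = {eid: eid for eid in events}

    def find(eid):
        # Walk to the set representative, compressing the path on the way.
        while parent[eid] != eid:
            parent[eid] = parent[parent[eid]]
            eid = parent[eid]
        return eid

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_b] = root_a

    # Remember the first event seen for each (field, value) element;
    # any later event carrying the same element joins that event's set.
    first_seen = {}
    for eid, fields in events.items():
        for element in fields.items():
            if element in first_seen:
                union(first_seen[element], eid)
            else:
                first_seen[element] = eid

    groups = defaultdict(list)
    for eid in events:
        groups[find(eid)].append(eid)
    return sorted(sorted(members) for members in groups.values())


if __name__ == "__main__":
    for members in group_transitively(SAMPLE_EVENTS):
        print(members)
```

A and C share no value with each other, yet both end up grouped with B. In this model a single widely shared value, such as a proxy IP address, would likewise pull otherwise unrelated events into one group.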


Configuration files for meta events

Meta events are configured using the transforms.conf and props.conf files. Before manually modifying any configuration file, please read about bundle files.

Revision: 207