This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4
Core fields are stored with every event and can be used in the search command. These fields are automatically extracted by Splunk.
host: Specifies a host to match. The search returns events from the host that originated them, as determined by Splunk when it indexed each event.
Example:
host::host.splunk.com
source: Specifies the source to match, that is, the file, FIFO, network port, database table, or other source from which the event was originally indexed.
Example:
source::/var/log/messages
sourcetype: Specifies the type of data to match, as uniquely identified within the source when it was indexed. Source types can be renamed.
Example:
sourcetype::apache