This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Fields are searchable name and value pairs that make up segments of events. By default, Splunk extracts some fields from your events when you add data to your indexes. These default fields include the raw event data, timestamp information, index location, information about the origin and type of the event, and punctuation patterns contained in the event. Refer to the list of default fields for more information.
You can extract more fields while you index data or while you search and use the fields as arguments to refine or narrow your search. You can also build reports from search results based on the fields in your data.
Field names are case sensitive. When you name and save an extracted field, Splunk normalizes the name: leading characters that are not letters (such as digits or $) are removed, and every remaining character that is not a letter or digit is replaced with an underscore. For example:
| Original field name | What Splunk turns it into |
|---|---|
| 12345my/wierd]field | my_wierd_field |
| $my-field | my_field |
Note: Because leading non-alphabetic characters are stripped, names such as "123foo" and "569foo" both normalize to "foo". If you extract a series of fields such as "123foo=bar" and "569foo=biz", only one field survives the collision: foo=bar.
Important: This applies to saving all extracted fields, regardless of the method (including search commands, the interactive field extractor, and transforms.conf).
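The normalization and collision behaviour described above, as an added example that is not code from the Splunk product or its documentation. The rule is reconstructed from the page's own examples (leading non-letters dropped, other non-alphanumerics turned into underscores); treating the underscore as a legal character, and the simple key=value scanner used to pull fields out of an event, are assumptions made here for illustration.

```python
import re

# Normalization rule reconstructed from the documented examples.
# Assumption: underscores are legal in a name and are kept, since Splunk's own
# default fields (e.g. _raw, _time) use them.
_LEADING = re.compile(r'^[^A-Za-z_]+')        # leading chars that are dropped
_ILLEGAL = re.compile(r'[^A-Za-z0-9_]')        # chars replaced by "_"


def normalize_field_name(name: str) -> str:
    """Return the name Splunk would save for an extracted field."""
    name = _LEADING.sub('', name)
    return _ILLEGAL.sub('_', name)


def extract_fields(event: str):
    """Pull key=value pairs out of an event text and normalize the keys.

    Simplified stand-in for Splunk's extraction (assumption: whitespace-separated
    key=value tokens). Returns (fields, collisions): when two raw names
    normalize to the same field name, only the first pair is kept and the
    later raw name is reported in collisions, matching the documented
    behaviour for "123foo=bar" / "569foo=biz".
    """
    fields = {}
    collisions = []
    for raw_key, value in re.findall(r'(\S+?)=(\S+)', event):
        key = normalize_field_name(raw_key)
        if not key:
            continue          # nothing left after stripping: no field is created
        if key in fields:
            collisions.append((raw_key, key))
            continue
        fields[key] = value
    return fields, collisions


if __name__ == "__main__":
    # Constructed sample event reusing the page's example names.
    sample = "12345my/wierd]field=1 $my-field=2 123foo=bar 569foo=biz"
    print(extract_fields(sample))
```

Because the names are compared after normalization, two fields that look distinct in the raw data can silently merge; checking the collisions list is the cheapest way to notice that before a saved search or report starts reporting the wrong value.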
Splunk lists all extracted fields in a drop-down menu located above your search results in Splunk Web. You can add fields to your search by selecting them from this "Fields picker". When you filter your search with a field from the Fields picker, Splunk edits your search bar to include the selected field.
Alternately, you can type the field name and value directly into your search bar. A field name and value pair can be expressed in two ways: fieldname="fieldvalue" or fieldname=fieldvalue.
Note: The Fields picker contains field names that appear to be random words or groupings of characters; these are fields that Splunk attempts to extract based on commonly occurring patterns in the raw event data. You can select and rename these fields if you want.
Use a wildcard (*) in a field value to match every value that fits a partial expression, such as a common prefix or suffix.
Note: You can't use wildcards with the eventtype field, or with an aliased sourcetype field.
Use comparison operators (=, !=, <, >, <=, >=) to match a value exactly or to select a range of field values in any search command.
Note: You can only use <, >, <=, and >= with numerical field values.
Note: Multi-value fields support only = and !=.
| Operator | Example | Effect |
|---|---|---|
| = | field=foo | Field values that exactly match "foo". |
| != | field!=foo | Field values that don't exactly match "foo". |
| < | field<x | Numerical field values that are less than x. |
| > | field>x | Numerical field values that are greater than x. |
| <= | field<=x | Numerical field values that are less than or equal to x. |
| >= | field>=x | Numerical field values that are greater than or equal to x. |
Multi-value fields let Splunk recognize several values inside a single field value string. You tell Splunk how to split the string with regular expression delimiters that you define in fields.conf. (Learn how to configure multi-value fields.)
Use multi-value fields when an extracted field carries more than one useful value in its value string. For example, parse the individual addresses out of an email's To field to get the distinct count of recipients:
If you have 3 events with the following 3 strings as values of the field To, multi-value fields let you count each name in the To field as an individual value.
event #1, 'To' = Ben, Jack, James, Joe
event #2, 'To' = Kate, George,
event #3, 'To' = David
With multi-value fields configured correctly, Splunk recognizes 7 values of To (one per name). Without them, Splunk sees only 3 values of To (one per event, the whole string each time).
The following commands support multi-value fields: chart, mvcombine, mvexpand, makemv, rare, stats, timechart, top, and transaction.
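The 7-versus-3 counting difference, and why an exact match like To=Kate only works once the field is split, as an added example that is not code from Splunk or its documentation. The three events are constructed to mirror the page's example; the fields.conf stanza shown in the comment (a [To] stanza with a TOKENIZER regex whose first capture group is one value) and the field names are assumptions, as is the Python regex standing in for that delimiter.

```python
import re
from collections import Counter

# Constructed events mirroring the documented example; each "To" holds the raw
# string Splunk sees before any multi-value parsing.
EVENTS = [
    {"To": "Ben, Jack, James, Joe"},
    {"To": "Kate, George,"},      # trailing comma, must not produce an empty value
    {"To": "David"},
]

# Assumption: the fields.conf delimiter for this field looks like
#   [To]
#   TOKENIZER = ([^,\s]+)
# where the first capture group is one value. The same regex is used here.
TOKENIZER = re.compile(r'([^,\s]+)')


def split_multivalue(value: str, tokenizer=TOKENIZER):
    """Split a raw field string into its individual values."""
    return [m.group(1) for m in tokenizer.finditer(value)]


def field_values(event, field, multivalue):
    """Values Splunk would see for the field: split, or the whole string."""
    raw = event.get(field)
    if raw is None:
        return []
    return split_multivalue(raw) if multivalue else [raw]


def count_values(events, field, multivalue):
    """Occurrences of each value, as top/rare/stats count would see them."""
    counts = Counter()
    for ev in events:
        counts.update(field_values(ev, field, multivalue))
    return counts


def distinct_count(events, field, multivalue):
    return len(count_values(events, field, multivalue))


def events_where_equals(events, field, target, multivalue):
    """Number of events matching field=target; "=" matches any single value."""
    return sum(1 for ev in events if target in field_values(ev, field, multivalue))


if __name__ == "__main__":
    print("distinct To, multi-value:", distinct_count(EVENTS, "To", True))    # 7
    print("distinct To, plain:      ", distinct_count(EVENTS, "To", False))   # 3
    print("To=Kate, multi-value:", events_where_equals(EVENTS, "To", "Kate", True))
    print("To=Kate, plain:      ", events_where_equals(EVENTS, "To", "Kate", False))
```

The second pair of numbers is the practical reason to configure the delimiter: without it, a search for To=Kate finds nothing, because the only value present is the whole string "Kate, George,", and an alert keyed on a recipient name would silently miss.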