About fields

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.4.10, 3.4.11, 3.4.12, 3.4.13

Fields are searchable name/value pairings in event data. Fields are distinguished from the indexed segments that make up all processed events in that fields have names and can be searched with those names.

For example, look at the following search:

host=foo

In this search, host=foo is a way of indicating that you are searching for events with host fields that have values of foo. When you run this search, Splunk won't seek out events with different host field values. It also won't look for events containing other fields that share foo as a value. This means that this search gives you a more focused set of search results than you might get if you just put foo in the search bar.

As Splunk processes event data, first at index time, and again at search time, it automatically extracts and defines fields.

  • At index time Splunk extracts a small set of default fields for each event, including host, source, and sourcetype. Default fields are common to all events.
  • At search time Splunk identifies and extracts what can be a wide range of fields from the event data. It finds obvious field name/value pairs in each event, such as user_id=jdoe or client_ip=192.168.1.1, which it extracts as examples of user_id and client_ip fields.
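
The difference between a field search and a bare-term search, and the search-time extraction of name=value pairs, can be seen in a small model. This is an added example, not Splunk code and not how Splunk is implemented: the events, the function names and the extraction regex are constructed for illustration.

```python
import re

# Constructed sample events: index-time default fields plus the raw event text.
EVENTS = [
    {"host": "foo", "source": "/var/log/auth.log", "sourcetype": "syslog",
     "_raw": "foo sshd: accepted user_id=jdoe client_ip=192.168.1.1"},
    {"host": "bar", "source": "/var/log/auth.log", "sourcetype": "syslog",
     "_raw": "bar sshd: failed user_id=foo client_ip=10.0.0.7"},
    {"host": "baz", "source": "/var/log/app.log", "sourcetype": "app",
     "_raw": "baz app: cache miss for key foo"},
]

# Assumed pattern for "obvious" pairs: name=value or name="quoted value".
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields_of(event):
    """Default fields plus name=value pairs pulled from the raw text at search time."""
    fields = {k: v for k, v in event.items() if k != "_raw"}
    for name, value in KV.findall(event["_raw"]):
        # A default field keeps its value if the raw text reuses the name.
        fields.setdefault(name, value.strip('"'))
    return fields


def search_field(events, name, value):
    """Field search (name=value): only events whose named field has that value."""
    return [e for e in events if fields_of(e).get(name) == value]


def search_term(events, term):
    """Bare-term search: the term appears as a word anywhere in the raw text."""
    word = re.compile(r"\b" + re.escape(term) + r"\b")
    return [e for e in events if word.search(e["_raw"])]


if __name__ == "__main__":
    print("foo       ->", [e["host"] for e in search_term(EVENTS, "foo")])
    print("host=foo  ->", [e["host"] for e in search_field(EVENTS, "host", "foo")])
    print("user_id=foo ->", [e["host"] for e in search_field(EVENTS, "user_id", "foo")])
```

The bare term matches all three events, including a failed login for a user named foo on another host and an unrelated application message, while host=foo returns only the event from that host.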


Add and maintain custom fields

To fully utilize the power of Splunk IT search, however, you need to know how to add and maintain custom fields. Custom fields enable you to capture and track information that is unique and important to your needs. As a knowledge manager, you can define specialized sets of custom fields that are used by other Splunk users in your organization. This section of the Knowledge Manager manual discusses the various methods of field creation and maintenance and provides examples showing how this functionality can be used.

You'll learn how to:

Revision: 207 Community content licensed under Creative Commons