This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
An event is a single record of activity within a log file. An event typically includes a timestamp (for more information about timestamp configuration, read how timestamps work). Events also provide information about the system that Splunk is monitoring.
Here's a sample event:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
When Splunk receives events to index, all it tries to do by default is find the beginning, end, and timestamp for each event. You can configure it to do a lot more than that by following the instructions in the topics in this section.
An event is not the same thing as an event type. An event is a single instances of data -- a single log entry, for example. You use event types to classify events so that you can search more your data effectively.
Some events are made up of more than one line. Splunk handles most of these kinds of events correctly by default, but you may encounter some examples of multi-line events that Splunk doesn't recognize properly by default. You can change Splunk's default line-breaking behavior in multi-line events.
Splunk breaks lines over 10,000 bytes into multiple lines of 10,000 bytes each when indexing them. It appends the field meta::truncated to the end of each truncated section. However, Splunk still groups these lines into a single event.
Segments after the first 100,000 bytes of a very long line are searchable, but Splunk does not display them in search results. It only displays the first 100,000 bytes.
Splunk only displays the first 1,000 individual segments of an event as segments separated by whitespace and highlighted on mouseover. It displays the rest of the event as raw text without interactive formatting.