This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6
An event is an entry in a log file produced by a software application. For example, this is an event in a Web activity log:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
The part of this example that includes the string 01/Jul/2005:12:05:27 -0700 is the timestamp.
When Splunk processes events (called indexing), it pulls out and identifies timestamps (and adds them if they are missing), handles multi-line events as appropriate, performs event segmentation, and automatically extracts a useful set of standard fields (host, source, and type of source).
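The following Python script is an added illustration of the indexing steps just described (timestamp extraction with a fallback when none is present, simple multi-line grouping, segmentation, and attaching the standard host/source/sourcetype fields). It is not Splunk's own code and only approximates Splunk's behaviour; the regular expression, the line-merging rule, the segmentation rule and the sample input lines (the event from this page plus two constructed lines) are all assumptions made for the example. The security-relevant detail it shows is that the source's UTC offset (-0700 here) is honoured and every event time is normalised to UTC, so events from hosts in different time zones can be correlated.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the access-log event from the page, a second
# event whose next line carries no timestamp (a stack-trace style
# continuation that should be merged into the event before it).
SAMPLE_LINES = [
    '172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953',
    '172.26.34.223 - - [01/Jul/2005:12:05:28 -0700] "GET /trade/app?action=login HTTP/1.1" 500 120',
    '    at com.example.trade.LoginHandler.handle(LoginHandler.java:42)',
]

# Bracketed NCSA/Apache timestamp: dd/Mon/yyyy:HH:MM:SS +zzzz (assumed format)
TS_RE = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def extract_timestamp(raw, fallback=None):
    """Return the event time as a UTC-aware datetime.

    The offset in the event (-0700 here) is honoured and the result is
    normalised to UTC so events from hosts in different zones line up.
    If the event carries no timestamp, the caller-supplied fallback (for
    example the time the line was received) is returned instead, mirroring
    the "adds them if they are missing" behaviour described above.
    """
    m = TS_RE.search(raw)
    if m is None:
        return fallback
    local = datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S %z')
    return local.astimezone(timezone.utc)


def group_lines(lines):
    """Simplified multi-line handling: a line that carries a timestamp starts
    a new event; a line without one is appended to the preceding event."""
    events = []
    for line in lines:
        if TS_RE.search(line) or not events:
            events.append(line)
        else:
            events[-1] += '\n' + line
    return events


def segment(raw):
    """Simplified segmentation: split the raw text on whitespace, brackets and
    quotes. Splunk's real segmenter has its own rules; this just shows the idea."""
    return [t for t in re.split(r'[\s\[\]"]+', raw) if t]


def index_event(raw, host, source, sourcetype, fallback_time=None):
    """Build one indexed record: the event time, the standard fields named on
    the page (host, source, type of source), the segments and the raw text."""
    return {
        '_time': extract_timestamp(raw, fallback_time),
        'host': host,
        'source': source,
        'sourcetype': sourcetype,
        'segments': segment(raw),
        '_raw': raw,
    }


def index_lines(lines, host, source, sourcetype, fallback_time=None):
    """Group raw lines into events and index each one."""
    return [index_event(ev, host, source, sourcetype, fallback_time)
            for ev in group_lines(lines)]


if __name__ == '__main__':
    # Hypothetical host/source/sourcetype values for the constructed input.
    received = datetime.now(timezone.utc)
    records = index_lines(SAMPLE_LINES, 'web01', '/var/log/httpd/access_log',
                          'access_combined', received)
    for rec in records:
        print(rec['_time'].isoformat(), rec['host'], rec['segments'][:4])
```

Running the script prints two records, not three: the stack-trace line has no timestamp of its own, so it is folded into the event before it. Both event times come out as 19:05 UTC rather than 12:05 local, which is the value to compare against logs from other systems.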
For another view of events, timestamping, and how Splunk breaks up events with segmentation, refer to "About events" in the Knowledge Manager Manual.
As you use Splunk, you search for events you're interested in, and then use Splunk's extensive statistical and reporting tools to identify problems and trends in your environment. You can save and reuse the resulting knowledge as saved searches, create detailed graphical reports, and tag specific events and sections of events so you can find them easily in your data set as it grows.
Read on for more information about what happens during the indexing process, what parts of the indexing process you can customize and adjust, and about timestamping in this and the next chapter.