This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.
« Previous  |   Table of Contents   |   Next »

Splunk User Manual (Splunk v2.0)

Report Splunks

Learn Fields

If Splunk does not create the fields you expect from your results, you can train it to recognize fields using the shell command splunk learn fields on the Splunk server host.

# splunk learn fields

You will then be able to search for those fields using report::. For example, if you train Splunk to recognize the field _OriginatingIP, you can then run the following Splunk:

report::[select _OriginatingIP from resultstable]

No database involved

To be clear, Splunk has no relational database to drag on its performance. Instead, whenever a Splunk search contains report:: the Splunk server creates a short-lived resultstable at run time. The report:: operator can then make a SELECT statement on resultstable.

See Also

« Previous  |   Table of Contents   |   Next »

Comments

No comments have been submitted.

close

Flash required to play this video.

Click here to download the free Flash Player.

Description:

Permalink: