This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Splunk Search Interface

Event Meta Data

Splunk populates several meta data values for each event. You can click on them to add or remove them from your search just as you do with other parts of the event.

Event Type and Tags

An event's type sorts it into a bucket of events with the exact same format. For example, all J2EE exceptions of the same severity level that come from a specific application and have the same stack trace will be assigned the same event type.

Splunk users can tag event types. A tag can be applied to multiple event types, and an event type can have multiple tags. Splunk users can upload or download tags for specific event types at Splunk Base to share community knowledge about specific types of events in their results. Tags let Splunk users and admins group event types into ad-hoc collections that can be searched or filtered together.

Splunk Professional Users

Splunk Professional users without Power User or Admin status can view and search event types and tags, and look them up at Splunk Base. They can't download global event types or tags to update the local Splunk index, though.

Timestamp

Splunk creates a timestamp out of every single event, either by extracting it from the event or by assigning a value. Timestamps are adjusted to the same time zone and displayed in a standard format.

Click on a timestamp to see only those results whose timestamps fall within the minute after it. This is a great way to troubleshoot. You can broaden your search using the time range selector. To plot events by their timestamps, click Show Events by Time at the upper right of the results page.

Source Type

Splunk determines a type not only for each event, but for each source—that is, each file or stream from which it loads events. It can automatically recognize about forty different source types including linux_syslog_message and weblogic_stderr. If the source type ends in -u1, -u2 or a higher value, it means Splunk considers it "unknown." This usually means the source contains some idiosyncratic event format Splunk doesn't recognize by name, although it can tell one unknown type from another.

You can rename unknown source types with more meaningful names like snort_native. This gives you another effective value on which to search. See the section on Renaming Source Types for instructions.

You can also train Splunk to recognize your local data by sourcetype. See the section on Training Source Types in the Splunk Admin Manual.

Splunk Professional Users

Splunk Professional users without Power User or Admin status cannot edit source type names.

Host

The host value of an event is the name of the originating host that spawned the event, as opposed to the central reporting host whose syslog file stored it.
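The Timestamp and Host sections above describe two derived values: a time that is extracted from the event when possible (and assigned otherwise, then normalised to one zone) and a host that names the originating machine rather than the collector whose file stored the line. The following is an added Python illustration of that derivation, not Splunk's own code; the collector name, time zone, year and the "unknown-u1" sourcetype label are assumptions, and the syslog lines are constructed.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample: lines from a central collector's /var/log/messages.
# The collector is "loghost"; each line names the host that emitted it.
SAMPLE_LINES = [
    "Mar  7 14:02:11 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5",
    "Mar  7 14:02:40 db02 kernel: [4419.1] audit: type=1400 apparmor=DENIED",
    "garbage line with no recognizable timestamp or host",
]

# BSD syslog header: month, day, HH:MM:SS, originating host, rest of message.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def extract_event(line, source, collector_host, collector_tz, index_time, year):
    """Return the metadata derived for one raw line.

    The timestamp is extracted when the syslog header parses (syslog lines
    carry no year, so the caller supplies one) and normalised to UTC; a line
    with no parsable header is assigned the indexing time instead.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        # No header: assign a time, attribute the line to the collector itself,
        # and mark the format as unrecognised (assumed label, not Splunk's).
        return {
            "_time": index_time.astimezone(timezone.utc).isoformat(),
            "host": collector_host,
            "source": source,
            "sourcetype": "unknown-u1",
            "time_extracted": False,
        }
    stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
    local = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=collector_tz)
    return {
        "_time": local.astimezone(timezone.utc).isoformat(),
        "host": m["host"],  # originating host, not the collector
        "source": source,
        "sourcetype": "linux_syslog_message",
        "time_extracted": True,
    }

def index_file(lines, source, collector_host, collector_tz, index_time, year):
    """Derive metadata for every line of one source file."""
    return [extract_event(l, source, collector_host, collector_tz, index_time, year)
            for l in lines]
```

Running `index_file(SAMPLE_LINES, "/var/log/messages", "loghost", timezone(timedelta(hours=-5)), datetime(2008, 3, 7, 15, 0, tzinfo=timezone(timedelta(hours=-5))), 2008)` yields web01 and db02 as hosts with UTC times, and the unparsable third line attributed to loghost with an assigned time.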

Source

The name of the file or stream from which the data was indexed. As an administrator you'll know when to sort by sources, or when to search for or exclude a specific source from your results.
