Meta Events
This documentation does not apply to the most recent version of Splunk.
Meta events are events created by the Splunk Server from one or more real events it indexes. The best example is a sendmail transaction, which can consist of dozens of events linked by a common transaction ID number. Events can also be linked transitively: if events A and B have a common value, and events B and C have a different common value, then all three can be part of the same meta event.
Example
Log in to email.demo.splunk.com as user guest, password guest, and perform this search:
index::metaevents
This search will show you the Splunk Server's self-generated index of meta events created from sendmail transactions fed to the index. Each meta event is based around a unique sendmail qid value, which indicates one unique email transaction. By creating meta events around qid values, Splunk lets sendmail admins search by transaction rather than by individual log file entries.
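The transitive linking and the qid-based grouping described above can be sketched as follows. This is an added example, not Splunk's own code or algorithm: the log lines are constructed, and treating `msgid` as a second linking field alongside `qid` is an assumption made to show a transitive link across two mail hops.

```python
import re
from collections import defaultdict

# Constructed sendmail-style log lines (not taken from the Splunk demo server).
SAMPLE_LOG = """\
Jan 10 09:00:01 mx1 sendmail[311]: k0A9001a: from=<alice@example.com>, size=812, msgid=<m1@example.com>
Jan 10 09:00:02 mx1 sendmail[312]: k0A9001a: to=<bob@example.org>, relay=mx2.example.org, stat=Sent
Jan 10 09:00:03 mx2 sendmail[77]: k0A9003b: from=<alice@example.com>, size=812, msgid=<m1@example.com>
Jan 10 09:00:04 mx2 sendmail[78]: k0A9003b: to=<bob@example.org>, stat=Sent
Jan 10 09:05:00 mx1 sendmail[400]: k0A9500c: from=<carol@example.com>, size=99, msgid=<m2@example.com>
""".splitlines()

QID = re.compile(r"sendmail\[\d+\]: (\w+):")
MSGID = re.compile(r"msgid=(<[^>]+>)")  # assumed second linking field

def link_keys(line):
    """Return the (field, value) pairs that can link this event to others."""
    keys = []
    if (m := QID.search(line)):
        keys.append(("qid", m.group(1)))
    if (m := MSGID.search(line)):
        keys.append(("msgid", m.group(1)))
    return keys

def build_meta_events(lines):
    """Group events that share any link value, directly or transitively."""
    parent = list(range(len(lines)))  # union-find forest over event indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (field, value) -> index of first event carrying it
    for i, line in enumerate(lines):
        for key in link_keys(line):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])  # merge the two groups
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i in range(len(lines)):
        groups[find(i)].append(i)
    return sorted(groups.values())
```

On the sample, the two qid groups on mx1 and mx2 merge into one meta event because events 0 and 2 share a msgid, while the unrelated message stays separate.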
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6