Event Meta Data
In addition to the data in each event, Splunk creates several meta data fields as it indexes them. Three of these are important both for searching for information and for understanding search results.
Source
The file, stream, or other data input from which Splunk indexed an event. Typical source values are:
source::/var/log/messages
source::udp:514
For files, the value of source is usually some combination of pathname, filename, and extension, such as /archive/server1/var/log/ or /var/log/messages. Files uploaded through Splunk's browser interface get the pathname of the directory monitor's sinkhole directory, so they'll look something like /opt/splunk/var/spool/splunk/file.ext.
Host
The hostname or IP address of the network device that originally generated the event. Typical host values are:
host::support09.splunk.com
host::web2
Hosts can be tagged, just like event types, although host information and tags can't be shared through Splunk Base. You can search for hosts by name, with a wildcard, or by tag. For example, a host named web2 that has been tagged as production could be found with any of these searches:
host::web2
host::web*
host::production
Source Type
The kind of application, network, or device data identified as coming from the source of the event. Typical source type values are:
sourcetype::linux_messages_syslog
sourcetype::websphere
Source types can be renamed locally so that your local data is defined and distinguished more precisely.
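As an added example that is not part of the Splunk documentation, the following Python emulates how the metadata terms described above (an exact host, a wildcard host, a host tag, and source or sourcetype terms combined with them) select events. The events and the host tag assignments are constructed, and resolving an unmatched host value as a tag name is an assumption about how tag lookup behaves.

```python
import fnmatch

# Constructed sample events (not from the original page) carrying the three
# metadata fields Splunk attaches at index time, plus the raw event text.
EVENTS = [
    {"source": "/var/log/messages", "host": "web2",
     "sourcetype": "linux_messages_syslog", "_raw": "sshd: Failed password for root"},
    {"source": "udp:514", "host": "web3",
     "sourcetype": "linux_messages_syslog", "_raw": "kernel: eth0 link up"},
    {"source": "/opt/splunk/var/spool/splunk/access.log", "host": "support09.splunk.com",
     "sourcetype": "websphere", "_raw": "GET /admin 403"},
]

# Constructed (hypothetical) host tag assignments: tag name -> resolved per host.
HOST_TAGS = {
    "web2": {"production"},
    "web3": {"staging"},
    "support09.splunk.com": {"production"},
}


def term_matches(term, event, host_tags=HOST_TAGS):
    """Evaluate one field::value metadata term against a single event.

    The value part may contain * wildcards and is matched against the field.
    For host terms, a value that does not match the host name is also tried
    as a tag assigned to that host (assumed tag-resolution behaviour).
    """
    field, sep, pattern = term.partition("::")
    if not sep or field not in ("source", "host", "sourcetype"):
        raise ValueError(f"not a metadata term: {term}")
    value = event[field]
    if fnmatch.fnmatchcase(value, pattern):
        return True
    if field == "host":
        return pattern in host_tags.get(value, set())
    return False


def search(terms, events=EVENTS):
    """Return (host, _raw) for events matching every term (AND semantics)."""
    return [(e["host"], e["_raw"]) for e in events
            if all(term_matches(t, e) for t in terms)]
```

Combining a tag term with a sourcetype term, for example search(["host::production", "sourcetype::linux_messages_syslog"]), narrows a search to syslog events from hosts tagged production without listing each host name.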
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.