User Manual
Core search fields

Core fields are stored with every event and can be used as terms in any search. Splunk assigns them automatically when it indexes the event, so they are metadata about where the event came from rather than values extracted from the event text.


host

Matches events by the host that originated them. The value is the one Splunk assigned when it indexed the event, based on the input that delivered the data, not necessarily a hostname written inside the event text. When attributing activity to a specific machine, confirm that the host field holds the value you expect: data relayed through a syslog collector or a misconfigured input can be stamped with the relay's host rather than the machine named in the message.


Example:


host::host.splunk.com

source

Matches events by the source they were indexed from: a file path, FIFO, network port, database table, or other input.


Example:


source::/var/log/messages

sourcetype

Matches events by source type, the identifier Splunk assigned to the format of the data when it indexed the event. Source types can be renamed, so search with the name currently in effect.


Example:


sourcetype::apache
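To make the distinction between index-time metadata and event text concrete, here is a small Python model, added as an illustration and not code from Splunk or this manual. It models an indexer that attaches host, source and sourcetype to each event at index time, and a search that understands the page's `field::value` term syntax (exact match on the stored value) alongside plain keywords (substring match on the raw text, all terms ANDed). The event lines, hostnames and paths are constructed sample input, and the matching rules are a simplification of Splunk's, not its real implementation.

```python
"""Toy model of Splunk core search fields: host, source, sourcetype.

Added illustration, not Splunk code. Shows that the three core fields are
stored with each event at index time and that a term such as
``host::host.splunk.com`` matches that stored value, not the raw event text.
All events, hostnames and paths below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CORE_FIELDS = ("host", "source", "sourcetype")


@dataclass
class Event:
    raw: str                                              # event text as received
    fields: Dict[str, str] = field(default_factory=dict)  # index-time metadata


def index_event(raw: str, host: str, source: str, sourcetype: str) -> Event:
    """Model index time: the input configuration, not the event body,
    decides the core field values stored with the event."""
    return Event(raw=raw, fields={"host": host, "source": source, "sourcetype": sourcetype})


def parse_search(query: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a search into core-field terms (field::value) and keywords.
    Unknown field names are rejected so a typo such as 'hots::x' does not
    silently become a keyword that matches nothing."""
    field_terms: Dict[str, str] = {}
    keywords: List[str] = []
    for term in query.split():
        if "::" in term:
            name, value = term.split("::", 1)
            if name not in CORE_FIELDS:
                raise ValueError(f"unknown core field {name!r}")
            if not value:
                raise ValueError(f"empty value for {name}")
            field_terms[name] = value
        else:
            keywords.append(term)
    return field_terms, keywords


def is_valid_query(query: str) -> bool:
    """True if every field term names a core field and carries a value."""
    try:
        parse_search(query)
        return True
    except ValueError:
        return False


def search(events: List[Event], query: str) -> List[Event]:
    """All terms are ANDed: each core-field term must equal the stored value
    exactly; each keyword must occur in the raw text (case-insensitive)."""
    field_terms, keywords = parse_search(query)
    return [
        ev for ev in events
        if all(ev.fields.get(n) == v for n, v in field_terms.items())
        and all(kw.lower() in ev.raw.lower() for kw in keywords)
    ]


# Constructed sample index. Both syslog lines arrived via a collector whose
# input is configured as host.splunk.com, so that is the host the indexer
# stored, even though the text of the second line names "db02".
SAMPLE_INDEX = [
    index_event("Oct 3 10:00:01 fw01 sshd[412]: Accepted publickey for ops from 10.0.0.5",
                host="host.splunk.com", source="/var/log/messages", sourcetype="syslog"),
    index_event("Oct 3 10:00:02 db02 sshd[777]: Failed password for root from 203.0.113.9",
                host="host.splunk.com", source="/var/log/messages", sourcetype="syslog"),
    index_event('10.0.0.9 - - [03/Oct:10:00:03 +0000] "GET /admin HTTP/1.1" 403 198',
                host="web01", source="/var/log/httpd/access_log", sourcetype="apache"),
]


def demo() -> Dict[str, int]:
    """Run the page's three example terms plus two contrasting searches;
    return the number of matching events for each."""
    queries = [
        "host::host.splunk.com",
        "source::/var/log/messages",
        "sourcetype::apache",
        "host::db02",                 # 0 hits: db02 is only in the raw text
        "db02 sourcetype::syslog",    # 1 hit: keyword search does see the text
    ]
    return {q: len(search(SAMPLE_INDEX, q)) for q in queries}


if __name__ == "__main__":
    for q, n in demo().items():
        print(f"{q:28} -> {n} event(s)")
```

The `host::db02` search returning nothing is the point to remember when hunting for a compromised machine: the host field is whatever the input stamped on the event, so pivot on keywords or on fields extracted from the message body when the logging path involves a relay.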

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.
