How meta events work
This documentation does not apply to the most recent version of Splunk.
A meta event is a single event that Splunk creates by combining events that share common elements. An element is a common value, such as an IP address or a username, that is extracted as a field of the events.
Splunk creates certain meta events automatically. For example, events with the source type sendmail automatically get a meta event built from the "sender" and "recipient" elements. This makes it easy to search for all events related to the message transfer between a sender and a recipient, without first having to work out the message ID and then search for it.
Meta events are stored in Splunk's metaevents index. You can find a meta event by searching for any of the element values it was built from, or you can add index::metaevents to your search to restrict it to meta events.
Transitive meta events
Events can also be linked transitively: if events A and B share one element value, and events B and C share a different element value, all three belong to the same meta event.
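The grouping described in the two sections above (the automatic sendmail sender/recipient meta event, and transitive linking through a chain of shared values) amounts to finding connected components over events and their element values. The following is an added example, not Splunk's own code: it implements that grouping with a union-find over a handful of constructed sample events. The sample events, the ELEMENT_FIELDS mapping (which stands in for the props.conf/transforms.conf configuration the page refers to) and the ELEMENT_KIND namespaces are assumptions made for the example.

```python
# Added example, not Splunk code: build "meta events" by linking events that
# share element values, including transitive links, using a union-find.
from collections import defaultdict

# Constructed sample events (assumption for the example). Each is a dict of
# fields already extracted from the raw event. The two auth events are tied
# to the sendmail events only transitively, through carol's address.
SAMPLE_EVENTS = [
    {"sourcetype": "sendmail", "sender": "alice@example.com", "recipient": "bob@example.com"},
    {"sourcetype": "sendmail", "sender": "bob@example.com", "recipient": "carol@example.com"},
    {"sourcetype": "sendmail", "sender": "dave@example.com", "recipient": "erin@example.com"},
    {"sourcetype": "auth", "user": "carol@example.com", "src_ip": "10.0.0.7"},
    {"sourcetype": "auth", "user": "frank@example.com", "src_ip": "10.0.0.7"},
    {"sourcetype": "auth", "user": "mallory@example.com", "src_ip": "192.0.2.9"},
]

# Which extracted fields count as elements for each sourcetype. This mapping
# is an assumption for the example; in Splunk it comes from configuration.
ELEMENT_FIELDS = {
    "sendmail": ("sender", "recipient"),
    "auth": ("user", "src_ip"),
}

# Elements are matched by value within a kind, so a "recipient" in one event
# and a "user" in another can match, while an address never matches an IP.
ELEMENT_KIND = {"sender": "identity", "recipient": "identity",
                "user": "identity", "src_ip": "ip"}


class UnionFind:
    """Minimal disjoint-set structure over hashable node keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def element_keys(event):
    """Return the set of (kind, value) element keys extracted from one event."""
    keys = set()
    for field in ELEMENT_FIELDS.get(event.get("sourcetype"), ()):
        if field in event:
            keys.add((ELEMENT_KIND[field], event[field]))
    return keys


def build_meta_events(events):
    """Group events that share element values, transitively, into meta events.

    Returns a list of dicts, each with the member event indexes ("events") and
    the union of element keys that tie them together ("elements"), ordered by
    first member index. An event with no elements forms a meta event alone.
    """
    uf = UnionFind()
    for idx, event in enumerate(events):
        uf.find(("event", idx))  # register even element-less events
        for key in element_keys(event):
            uf.union(("event", idx), ("elem",) + key)
    groups = defaultdict(lambda: {"events": [], "elements": set()})
    for idx, event in enumerate(events):
        root = uf.find(("event", idx))
        groups[root]["events"].append(idx)
        groups[root]["elements"] |= element_keys(event)
    return sorted(groups.values(), key=lambda g: g["events"][0])


def meta_event_for(events, idx):
    """Index of the meta event containing event idx, i.e. what a search for
    any of that event's element values would bring back as one meta event."""
    for n, group in enumerate(build_meta_events(events)):
        if idx in group["events"]:
            return n
    raise KeyError(idx)


if __name__ == "__main__":
    for n, group in enumerate(build_meta_events(SAMPLE_EVENTS)):
        print(f"meta event {n}: events {group['events']}, "
              f"elements {sorted(group['elements'])}")
```

On the sample data this yields three meta events: events 0, 1, 3 and 4 are chained together (alice to bob, bob to carol, carol's login, and frank's login from the same source IP), while event 2 and event 5 each stand alone. The transitive chain is also the practical caveat: a widely shared value such as a NAT gateway address or a mailing-list recipient will link otherwise unrelated events into one large meta event, so the fields chosen as elements determine how useful the grouping is.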
Configuration files for meta events
Meta events are configured in the transforms.conf and props.conf files. Before manually modifying any configuration file, read the documentation on bundle files.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.