User Manual

About fields

Fields are searchable name and value pairs that make up segments of events. By default, Splunk extracts some fields from your events when you add data to your indexes. These default fields include the raw event data, timestamp information, index location, information about the origin and type of the event, and punctuation patterns contained in the event. Refer to the list of default fields for more information.

You can extract more fields while you index data or while you search and use the fields as arguments to refine or narrow your search. You can also build reports from search results based on the fields in your data.

Field naming

Field names are case sensitive. After you name and save your extracted field, Splunk:

For example:

Original field name      What Splunk turns it into
12345my/wierd]field      my_wierd_field
$my-field                my_field

Note: Splunk does not recognize non-alphanumeric leading characters in extracted field names. If you are extracting a series of fields such as "123foo=bar" and "569foo=biz", the only field that will be extracted from this is "foo=bar".

Important: This applies to saving all extracted fields, regardless of the method (including search commands, the interactive field extractor, and transforms.conf).
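The renaming shown in the table above, written out as a small normalizer. This is an added example, not Splunk's own code: the exact rule is an assumption inferred from the two table rows and the note on leading characters (leading characters that are not letters or underscores are dropped, and every other non-alphanumeric character becomes an underscore). It also shows why the two tokens in the note collapse onto a single field name.

```python
import re

# Assumed normalization rule, inferred from the table and the note above
# (not Splunk's documented algorithm): strip leading characters that are
# not letters or underscores, then replace every other character that is
# not a letter, digit or underscore with "_".
LEADING_JUNK = re.compile(r"^[^A-Za-z_]+")
NON_WORD = re.compile(r"[^A-Za-z0-9_]")


def normalize_field_name(raw: str) -> str:
    """Return the name under which an extracted field would be saved."""
    stripped = LEADING_JUNK.sub("", raw)
    return NON_WORD.sub("_", stripped)


def split_field_assignment(token: str):
    """Split a 'name=value' token and normalize the name.

    Returns (name, value), or None when no usable name remains
    (for example '123=bar', whose name is entirely leading junk).
    """
    name, sep, value = token.partition("=")
    if not sep:
        return None
    name = normalize_field_name(name)
    if not name:
        return None
    return name, value


if __name__ == "__main__":
    for raw in ("12345my/wierd]field", "$my-field"):
        print(f"{raw!r} -> {normalize_field_name(raw)!r}")
    # Both tokens from the note normalize to the same field name "foo",
    # which is why only one of them survives extraction.
    for token in ("123foo=bar", "569foo=biz"):
        print(f"{token!r} -> {split_field_assignment(token)}")
```

Because "123foo" and "569foo" both become "foo", a detection that relies on distinguishing the two would silently see only one of them; check the saved field name rather than the raw one when building searches on fields with such prefixes.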

Search with fields in Splunk Web

Splunk lists all extracted fields in a drop-down menu located above your search results in Splunk Web. You can add fields to your search by selecting them from this "Fields picker". When you filter your search with a field from the Fields picker, Splunk edits your search bar to include the selected field.

Alternately, you can type the field name and value directly into your search bar. A field name and value pair can be expressed in two ways: fieldname="fieldvalue" or fieldname=fieldvalue.

Note: The Fields picker contains field names that appear to be random words or groupings of characters; these are fields that Splunk attempts to extract based on commonly occurring patterns in the raw event data. You can select and rename these fields if you want.

Search for fields using wildcards

Use wildcards (*) to match multiple values of a field to a partial expression. These are all valid wildcard expressions:

Note: You can't use wildcards with the eventtype field, or with an aliased sourcetype field.

Comparison operators

Use comparison operators (=, !=, <, >, <=, >=) in any search command to match a field value exactly or to match a range of field values.

Note: You can only use <, >, <=, and >= with numerical field values.

Note: You can only use = and != with multi-valued fields.

Operator   Example      Effect
=          field=foo    Field values that exactly match "foo".
!=         field!=foo   Field values that don't exactly match "foo".
<          field<x      Numerical field values that are less than x.
>          field>x      Numerical field values that are greater than x.
<=         field<=x     Numerical field values that are less than or equal to x.
>=         field>=x     Numerical field values that are greater than or equal to x.
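The operator table above and the wildcard section, applied to a few constructed events. This is an added example, not Splunk's own search engine: the event contents, the field names, the wildcard-to-regex translation and the treatment of events that lack the field are assumptions of this example. It follows the two notes above: <, >, <= and >= accept numeric values only, and a value containing * matches as a pattern.

```python
import re

# Two-character operators are listed first so that "!=" and "<=" are not
# mistaken for "=" or "<" when a term is split.
OPERATORS = ("!=", "<=", ">=", "=", "<", ">")

# Constructed sample events (not real data): each is a dict of field -> value.
EVENTS = [
    {"host": "web01", "status": "200", "bytes": "512"},
    {"host": "web02", "status": "404", "bytes": "2048"},
    {"host": "db01", "status": "500", "bytes": "0"},
    {"host": "web03", "status": "403"},  # no "bytes" field at all
]


def parse_term(term: str):
    """Split 'field<op>value' into (field, op, value); the value may be quoted."""
    for op in OPERATORS:
        field, sep, value = term.partition(op)
        if sep:
            return field, op, value.strip('"')
    raise ValueError(f"no comparison operator in {term!r}")


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a wildcard value such as 'web*' into an anchored regex.

    Only '*' is special; everything else is matched literally.
    """
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def to_number(text: str):
    try:
        return float(text)
    except ValueError:
        return None


def matches(event: dict, term: str) -> bool:
    field, op, value = parse_term(term)
    actual = event.get(field)
    if actual is None:
        # Assumption of this example: an event without the field never
        # matches, for "!=" as well as for the other operators.
        return False
    if op in ("=", "!="):
        hit = wildcard_to_regex(value).fullmatch(actual) is not None
        return hit if op == "=" else not hit
    # Range operators: both sides must be numeric, as the note above states.
    lhs, rhs = to_number(actual), to_number(value)
    if lhs is None or rhs is None:
        raise ValueError(f"{op} needs numeric values, got {actual!r} {op} {value!r}")
    return {"<": lhs < rhs, ">": lhs > rhs, "<=": lhs <= rhs, ">=": lhs >= rhs}[op]


def search(term: str, events=EVENTS):
    """Return the hosts of the events that satisfy a single field term."""
    return [e["host"] for e in events if matches(e, term)]


if __name__ == "__main__":
    for term in ("host=web*", "status!=200", "bytes>=512", "status<300"):
        print(f"{term:14} -> {search(term)}")
```

Note the missing-field case: web03 has no bytes field, so bytes>=512 does not return it, and a term like host>5 raises because neither side is numeric; both are the kinds of edge cases worth testing before relying on a search in an alert.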

Multi-value fields

Multi-value fields allow Splunk to recognize multiple values in a single field value string. You can tell Splunk to parse multiple values from a field using regular expression delimiters you define in fields.conf. (Learn how to configure multi-value fields).

Use multi-value fields if you have an extracted field with more than one useful value in its value string. For example, use multi-value fields to parse multiple email addresses from a field to obtain the distinct count of the number of people an email was sent to:

If you have 3 events with the following 3 strings as values of the field To, multi-value fields allow you to count each name in the To field as an individual value.

event #1, 'To' = Ben, Jack, James, Joe
event #2, 'To' = Kate, George,
event #3, 'To' = David

If you have multi-value fields configured correctly, Splunk recognizes 7 values of To (each name). If no multi-value fields are configured, Splunk only sees 3 values for To.

The following commands support multi-value fields: chart, mvcombine, mvexpand, makemv, rare, stats, timechart, top, and transaction.
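The three To events above, split with a delimiter regular expression and counted with and without multi-value handling, as an added example rather than Splunk's own code. The delimiter (a comma with optional surrounding whitespace) is an assumption of this example standing in for the regex you would define in fields.conf; the events are the constructed ones from the text.

```python
import re

# Assumed delimiter regex standing in for a fields.conf definition:
# a comma with optional whitespace on either side. A trailing comma,
# as in event #2, must not produce an empty value.
DELIM = re.compile(r"\s*,\s*")

# The three constructed events from the text above.
EVENTS = [
    {"To": "Ben, Jack, James, Joe"},
    {"To": "Kate, George,"},
    {"To": "David"},
]


def split_multivalue(value: str, delim=DELIM):
    """Split one raw field value into its member values, dropping empties."""
    return [part for part in delim.split(value.strip()) if part]


def field_values(event: dict, field: str, multivalue: bool):
    """Return the list of values an event holds for a field.

    With multivalue=False the whole string counts as one value.
    """
    raw = event.get(field)
    if raw is None:
        return []
    return split_multivalue(raw) if multivalue else [raw]


def distinct_values(events, field: str, multivalue: bool):
    """Distinct values of a field across events, in first-seen order."""
    seen = []
    for event in events:
        for value in field_values(event, field, multivalue):
            if value not in seen:
                seen.append(value)
    return seen


def field_equals(event: dict, field: str, wanted: str, multivalue: bool = True):
    """A term like To=Jack matches when any member value equals the wanted one."""
    return wanted in field_values(event, field, multivalue)


if __name__ == "__main__":
    with_mv = distinct_values(EVENTS, "To", multivalue=True)
    without_mv = distinct_values(EVENTS, "To", multivalue=False)
    print(f"multi-value configured:   {len(with_mv)} values -> {with_mv}")
    print(f"no multi-value configured: {len(without_mv)} values -> {without_mv}")
    print("To=Jack on event #1:", field_equals(EVENTS[0], "To", "Jack"))
```

With the delimiter configured the distinct count is 7; without it each whole string is one value and the count is 3. The same difference decides whether To=Jack finds event #1 at all, which matters for any search that keys on one recipient, user or address inside a delimited list.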

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14
