About events
Events are the individual records of activity within log files, and they are what Splunk primarily indexes. Each event carries information about the system that produced the log file it came from. We often refer to the output of the indexing process as "event data."
Here's a sample event:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
When Splunk indexes events, it:
- Identifies event timestamps (and applies timestamps to events if they do not exist).
- Performs event segmentation.
- Recognizes multi-line events and performs linebreaking as appropriate.
- Extracts a set of useful standard fields such as host, source, and sourcetype.
In this topic we'll provide brief overviews of these activities and show you where to go for more information about them.
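The following is an added example, not code from Splunk or from this manual, that walks the page's sample event through the four steps above: it recognizes the bracketed Apache-style timestamp (and falls back to an index time when a line has none), breaks the input into events at each line that carries a timestamp (so lines without one become continuation lines of the previous event), segments each event into indexable terms, and attaches host, source and sourcetype. The breaker character classes, the single timestamp pattern, the host and source names, and the continuation line in the sample log are all assumptions made for illustration; Splunk's real segmenters and timestamp recognizers cover far more cases.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Timestamp format used by the page's sample event (Apache Common Log Format).
# Splunk ships many timestamp patterns; this example recognizes only this one.
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Major breakers split an event into tokens; minor breakers split those tokens
# further. Both character classes are an approximation of Splunk's defaults.
MAJOR_RE = re.compile(r'[\s\[\]"(){}<>]+')
MINOR_RE = re.compile(r"[/:=?&.,;]+")

# Assumed "index time": the timestamp applied to an event that carries none.
INDEX_TIME = datetime(2005, 7, 1, 19, 10, 0, tzinfo=timezone.utc)

# Constructed sample input. The first line is the page's own sample event; the
# others are made up, including an indented continuation line with no timestamp.
SAMPLE_LOG = (
    '172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953\n'
    '172.26.34.224 - - [01/Jul/2005:12:05:31 -0700] "POST /trade/app?action=login HTTP/1.1" 500 118\n'
    '    error: session token expired, forcing re-login\n'
)


@dataclass
class Event:
    raw: str
    host: str
    source: str
    sourcetype: str
    timestamp: datetime
    segments: list = field(default_factory=list)


def segment(text):
    """Return the indexable terms of an event: every major token plus the
    minor sub-tokens inside it, de-duplicated in order of first appearance."""
    terms = []
    for major in MAJOR_RE.split(text):
        if not major:
            continue
        terms.append(major)
        terms.extend(m for m in MINOR_RE.split(major) if m and m != major)
    return list(dict.fromkeys(terms))


def make_event(text, host, source, sourcetype, index_time):
    """Identify the event's timestamp (or apply index_time if it has none),
    segment it, and attach the standard fields supplied by the input."""
    m = TS_RE.search(text)
    ts = datetime.strptime(m.group(1), TS_FMT) if m else index_time
    return Event(raw=text, host=host, source=source, sourcetype=sourcetype,
                 timestamp=ts, segments=segment(text))


def break_events(raw, host, source, sourcetype, index_time):
    """Linebreaking: a new event starts at each line that carries a
    recognizable timestamp; lines without one are appended to the event
    before them (a single timestamp-less line at the top becomes its own event)."""
    events = []
    current_lines = []

    def flush():
        if current_lines:
            events.append(make_event("\n".join(current_lines),
                                     host, source, sourcetype, index_time))
            current_lines.clear()

    for line in raw.splitlines():
        if TS_RE.search(line):
            flush()
        current_lines.append(line)
    flush()
    return events


def index_sample():
    """Index SAMPLE_LOG as if it were read by a file input on host web01."""
    return break_events(SAMPLE_LOG, host="web01",
                        source="/var/log/httpd/access_log",
                        sourcetype="access_combined", index_time=INDEX_TIME)


if __name__ == "__main__":
    for ev in index_sample():
        print(f"_time={ev.timestamp.isoformat()} host={ev.host} "
              f"sourcetype={ev.sourcetype} lines={ev.raw.count(chr(10)) + 1}")
        print("  terms:", " ".join(ev.segments))
```

Running the script shows why segmentation matters for search: the sample event is indexed not only as the whole request string "/trade/app?action=logout" but also as the minor terms "trade", "app", "action" and "logout", so a search for the bare word logout finds it. The indented line in the constructed sample has no timestamp and is merged into the preceding 500-response event rather than becoming an event of its own.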
For an overview of the Splunk indexing process, see the "Indexing and event processing" chapter of the Admin manual.
This documentation applies to the following versions of Splunk: 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.