Admin Manual
How fields work

A field is any searchable name/value pair. A field differs from the free-form indexed segments of an event in that fields are labeled and can be searched by label. For example, host=foo is a field with the name host and the value foo. You can search on a field name alone or on a specific value of that field.

The majority of fields are created at search time. Splunk picks out obvious name/value pairs in search results, such as user_id or client_ip. This dynamically extracted field list can be used in filters and reports. You can also configure Splunk to recognize new fields, as described below.

When creating field names, Splunk uses the following rules:

1. All characters that are not in a-z,A-Z,0-9 ranges are replaced with an underscore (_).

2. All leading underscores are removed (since they're reserved for internal variables).

These rules are applied to all extracted fields, whether they are extracted automatically or custom configured. Note that two configured names that differ only in non-alphanumeric characters (for example src-ip and src.ip) collapse to the same field name.


Add custom fields

Define your own custom fields in Splunk Web with interactive field extraction, or create them through the configuration files props.conf and transforms.conf.

To make new fields via configuration files, use the following process:

1. Determine a pattern to identify the field in the event.

2. Write a regular expression to extract the field from the event.

3. Edit your custom props.conf and transforms.conf files in $SPLUNK_HOME/etc/system/local/. (Note: DO NOT edit the copies in $SPLUNK_HOME/etc/system/default/; they are overwritten on upgrade.)

4. In props.conf, specify either the source, source type or host containing the events and assign a name to identify the transform in transforms.conf.

5. In transforms.conf, create the named transform stanza, and supply the regex to extract the field.
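The following is an added example, not Splunk code, that works through both the five-step procedure above and the field-naming rules from the previous section. It embeds a constructed props.conf and transforms.conf pair, binds a source type to a named transform, applies the transform's regex to constructed sshd events, and normalizes the resulting field names. The key names REPORT-<class>, REGEX and FORMAT = <field>::$<n> are assumptions about the .conf syntax and should be checked against the default files shipped with your release; configparser stands in for Splunk's own .conf parser.

```python
"""Search-time field extraction driven by props.conf and transforms.conf,
simulated in Python.  This is an added example, not Splunk's own code.

Assumptions not stated on the page (verify against the default .conf
files shipped with your release):
  * props.conf binds a stanza to a transform with  REPORT-<class> = <name>
  * transforms.conf supplies  REGEX = ...  and  FORMAT = <field>::$<n> ...
Splunk's real .conf parser is stood in for by configparser.
"""
import configparser
import re

# Constructed props.conf: events of source type "sshd" get one transform.
PROPS_CONF = r"""
[sshd]
REPORT-auth = sshd_auth_fields
"""

# Constructed transforms.conf.  The configured field names deliberately use
# characters the naming rules rewrite ('-', '.', a leading '_').
TRANSFORMS_CONF = r"""
[sshd_auth_fields]
REGEX = (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)
FORMAT = auth-result::$1 auth.method::$2 _user::$3 src-ip::$4
"""

# Constructed sample events; the third one carries no credential fields.
SAMPLE_EVENTS = [
    "Jan  3 10:01:02 bastion sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2",
    "Jan  3 10:01:09 bastion sshd[4243]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2",
    "Jan  3 10:02:00 bastion sshd[4244]: Received disconnect from 10.0.0.5 port 51000",
]


def normalize_field_name(name: str) -> str:
    """The two naming rules from the page: every character outside
    a-z, A-Z, 0-9 becomes '_', then leading underscores are dropped
    because names starting with '_' are reserved for internal fields."""
    name = re.sub(r"[^A-Za-z0-9]", "_", name)
    return name.lstrip("_")


def _read_conf(text: str) -> configparser.ConfigParser:
    # '=' only: regex values may contain ':' which must not act as a delimiter.
    conf = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    conf.read_string(text)
    return conf


def load_extractors(props_text: str, transforms_text: str) -> dict:
    """Return {spec: [(compiled_regex, [(field, group_number), ...]), ...]}
    by following each REPORT-* key in props.conf to its transforms stanza."""
    props = _read_conf(props_text)
    transforms = _read_conf(transforms_text)
    extractors: dict = {}
    for spec in props.sections():
        for key, transform_name in props[spec].items():
            if not key.startswith("report-"):  # configparser lower-cases keys
                continue
            stanza = transforms[transform_name.strip()]
            regex = re.compile(stanza["regex"])
            mapping = []
            for token in stanza["format"].split():
                field, ref = token.split("::")
                mapping.append((normalize_field_name(field), int(ref.lstrip("$"))))
            extractors.setdefault(spec, []).append((regex, mapping))
    return extractors


def extract_fields(extractors: dict, spec: str, event: str) -> dict:
    """Apply every transform bound to `spec` to one raw event and return the
    name/value pairs it yields; an event the regex does not match adds none."""
    fields = {}
    for regex, mapping in extractors.get(spec, []):
        match = regex.search(event)
        if match is None:
            continue
        for field, group in mapping:
            fields[field] = match.group(group)
    return fields


def name_collisions(names) -> dict:
    """Configured names that collapse to one field after normalization,
    e.g. 'src-ip' and 'src.ip' both become 'src_ip' and silently overwrite
    each other.  Run this over every FORMAT you write."""
    by_norm: dict = {}
    for n in names:
        by_norm.setdefault(normalize_field_name(n), []).append(n)
    return {k: v for k, v in by_norm.items() if len(v) > 1}


if __name__ == "__main__":
    extractors = load_extractors(PROPS_CONF, TRANSFORMS_CONF)
    for event in SAMPLE_EVENTS:
        print(extract_fields(extractors, "sshd", event))
    print(name_collisions(["src-ip", "src.ip", "user"]))
```

Running it shows the configured names auth-result, auth.method, _user and src-ip arriving in search results as auth_result, auth_method, user and src_ip, the disconnect event yielding no fields at all, and name_collisions flagging two FORMAT entries that would overwrite each other. Keep the regex anchored on literal tokens of the log format, as here, so that an attacker-controlled username such as "admin from 1.2.3.4" cannot shift which text lands in src_ip.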


Disable automatically extracted fields

Splunk automatically extracts fields from your data and adds them to the Fields drop-down menu in Splunk Web. You can disable this feature via props.conf, turning off automatic extraction for a specific source, source type or host. Add the attribute/value pair KV_MODE = none under the appropriate [<spec>] stanza in $SPLUNK_HOME/etc/system/local/props.conf:

[<spec>]
KV_MODE = none

<spec> can be a source type (named directly, as in [sshd]), a source (source::<source>) or a host (host::<host>). Custom extractions configured through REPORT stanzas for the same <spec> are not affected by KV_MODE; only the automatic name/value discovery is turned off.


Indexed fields

Indexed fields are captured as events are processed and indexed by Splunk. Splunk's input processor extracts information on where the event came from, what type of event it is, its source type, and so on. In general, indexed fields are not recommended unless you notice a significant impact on search performance with your extracted fields. This may happen if you search for expressions like foo!="bar" or NOT foo="bar" and the field foo nearly always takes the value bar, since every event must then be read and the field extracted before it can be excluded. You may also want indexed fields if the field's value commonly occurs outside the field. For example, if you often search for foo="1" but 1 occurs in many events that do not contain foo="1", indexing foo lets the search skip those events instead of extracting and discarding them.

Fields extracted at index time have a negative impact on indexing performance. They may also affect search times, as each indexed field increases the size of the searchable index. Indexed fields are also less flexible -- if you want to make changes to indexed fields you must re-index the entire dataset.

To configure indexed fields, see the topic on configuring indexed fields in this manual. You may also configure fields.conf to set additional processing information; see the topic on configuring fields.conf.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.