List of default fields
The following table lists some of the fields that Splunk indexes by default at index time. Fields that begin with an underscore, e.g. _fieldname, are internal fields.
| Description | Fields |
|---|---|
| These are internal fields that contain general information (raw data, timestamp information, and index locations) about events in Splunk. | _index, _raw, _time |
| These are fields that contain information about where an event is from, what type it is, and how many lines it contains. These fields are indexed and added to the Fields menu by default. | eventtype, host, linecount, punct, source, sourcetype |
| These are fields that provide additional searchable granularity to event timestamps (see the note below). | date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone, timestamp |

Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of the time/date taken directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), the date_* fields will not reflect that change.
Important: With version 3.2, the metaevents index was deprecated in favor of transactions. For more information, refer to the transaction command.
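The note above draws a distinction that is easy to miss: the date_* fields come from the timestamp text inside the event, while _time is the Unix epoch Splunk computes from it, possibly after a configured timezone conversion. The following added example (not code from the page or from Splunk) models that distinction in Python for a constructed, hypothetical log format with an explicit zone offset. The timestamp layout, the sample events, and the override_zone_minutes parameter are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events (not taken from the page). The first two describe
# the same instant: 22:15:07 at UTC-5 equals 03:15:07 at UTC. The third has no
# recognizable timestamp at all.
SAMPLE_EVENTS = [
    "2008-01-13 22:15:07 -0500 apache[1234]: GET /index.php 200",
    "2008-01-14 03:15:07 +0000 apache[1234]: GET /login.php 404",
    "apache[1234]: worker restarted",
]

# Hypothetical timestamp layout: date, time, then a +HHMM/-HHMM zone offset.
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})"
)


def _parse(raw):
    """Return (naive local datetime, zone offset in minutes) or None."""
    m = TS_RE.match(raw)
    if m is None:
        return None
    year, month, mday, hour, minute, second = (int(g) for g in m.groups()[:6])
    sign = 1 if m.group(7) == "+" else -1
    zone_minutes = sign * (int(m.group(8)) * 60 + int(m.group(9)))
    return datetime(year, month, mday, hour, minute, second), zone_minutes


def extract_date_fields(raw):
    """date_* fields taken from the timestamp text inside the event itself.

    They never depend on how _time is later computed. Returns None when the
    event has no recognizable timestamp (such an event has no date_* fields).
    """
    parsed = _parse(raw)
    if parsed is None:
        return None
    local, zone_minutes = parsed
    return {
        "date_year": local.year,
        "date_month": local.month,
        "date_mday": local.day,
        "date_hour": local.hour,
        "date_minute": local.minute,
        "date_second": local.second,
        # Numbered as on the page: Sunday = 1 ... Saturday = 7.
        "date_wday": local.isoweekday() % 7 + 1,
        # Offset of the event's own zone from UTC, in minutes.
        "date_zone": zone_minutes,
    }


def extract_time(raw, override_zone_minutes=None):
    """_time as a Unix epoch integer.

    override_zone_minutes stands in for an administrator-configured timezone
    conversion applied at input or index time: it replaces the zone found in
    the event, which shifts _time but leaves the date_* fields untouched.
    Returns None for an event with no recognizable timestamp.
    """
    parsed = _parse(raw)
    if parsed is None:
        return None
    local, zone_minutes = parsed
    if override_zone_minutes is not None:
        zone_minutes = override_zone_minutes
    aware = local.replace(tzinfo=timezone(timedelta(minutes=zone_minutes)))
    return int(aware.timestamp())


def events_without_timestamp(events):
    """The events a search for timestamp=none would return."""
    return [raw for raw in events if _parse(raw) is None]


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_time(raw), extract_date_fields(raw))
    # Same instant as before, but _time moves once the zone is overridden.
    print(extract_time(SAMPLE_EVENTS[0], override_zone_minutes=0))
```

Running it shows the first two events sharing one _time value while their date_hour and date_mday differ, and shows that overriding the zone changes _time without changing any date_* value. That is why a search on date_hour selects by the clock time the source system wrote, not by the time shown on the timeline after conversion.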
_index
The _index field contains the name of the index in which a given event is indexed. Specify an index to use in your searches by using: index="name_of_index". You MUST specify the index you want to search in before using any terms, modifiers, or other fields to narrow your search (Example: index="main" source=localhost).
Note: By default, all events are indexed in the main index (_index="main").
Example
The following example searches for events with ".php" in the main (default) index.
Splunk Web:
index="main" *.php
_raw
The _raw field contains the original raw data of an event. Splunk's search command uses the data in _raw when performing searches and data extraction.
You can't use _raw as an argument when using the search command; use _raw in data-processing commands only.
Example
The following example gets sendmail events that contain an IP address that starts with "10".
Splunk Web:
eventtype=sendmail | regex _raw=*10.\d\d\d\.\d\d\d\.\d\d\d\*
_time
The _time field contains an event's timestamp expressed in Unix time. Splunk uses _time to create the event timeline in Splunk Web.
You can only use _time in data-processing commands.
Example
This example searches all sources of type "mail" for mail addressed to the user "strawsky@bigcompany.com", then sorts the search results by timestamp.
Splunk Web:
sourcetype=mail to=strawsky@bigcompany.com | sort _time
date_hour
The date_hour field contains the value of the hour in which an event occurred (range: 0-23). This value is extracted from the event's timestamp (the value in _time). Use date_hour to search for events within a specified time range.
You can only use date_hour in data-processing commands.
Example
This example searches for events with the term "apache" that occurred between 10pm and 12am on the current day.
Splunk Web:
apache (date_hour >= 22 AND date_hour <= 24)
date_mday
The date_mday field contains the value of the day of the month on which an event occurred (range: 1-31). This value is extracted from the event's timestamp (the value in _time). Use date_mday to search for events within a specified day range.
You can only use date_mday in data-processing commands.
Example
This example searches for events containing the term "apache" that occurred between the 1st and 15th day of the current month.
Splunk Web:
apache (date_mday >= 1 AND date_mday <= 15)
date_minute
The date_minute field contains the value of the minute in which an event occurred (range: 0-59). This value is extracted from the event's timestamp (the value in _time). Use date_minute to search for events within a specified time range.
You can only use date_minute in data-processing commands.
Example
This example searches for events containing the term "apache" that occurred between the 15th and 20th minute of the current hour.
Splunk Web:
apache (date_minute >= 15 AND date_minute <= 20)
date_month
The date_month field contains the value of the month in which an event occurred. This value is extracted from the event's timestamp (the value in _time). Use date_month to search for events within a specified date range.
You can only use date_month in data-processing commands.
Example
This example searches for events with the term "apache" that occurred in January.
Splunk Web:
apache date_month=1
date_second
The date_second field contains the value of the seconds portion of an event's timestamp (range: 1-59). This value is extracted from the event's timestamp (the value in _time). Use date_second to search for events within a specified time range.
You can only use date_second in data-processing commands.
Example
This example searches for events containing the term "apache" that occurred between the 1st and 15th second of the current minute.
Splunk Web:
apache (date_second >= 1 AND date_second <= 15)
date_wday
The date_wday field contains the day of the week on which an event occurred (range: Sunday-Saturday: 1-7). Splunk extracts the numeric date on which an event occurs from the event's timestamp (the value in _time) and calculates what day of the week that the numeric date translates to. The day of the week resulting from the calculation is the value of the date_wday field. Use date_wday to search for events on a specific day.
You can only use date_wday in data-processing commands.
Example
This example searches for events containing the term "apache" that occurred on Sunday (1).
Splunk Web:
apache date_wday=1
date_year
The date_year field contains the value of the year in which an event occurred. This value is extracted from the event's timestamp (the value in _time). Use date_year to search for events within a specified time range.
You can only use date_year in data-processing commands.
Example
This example searches for events containing the term "apache" that occurred in 2008.
Splunk Web:
apache date_year=2008
date_zone
The date_zone field contains the value of time for the local timezone of an event, expressed as hours in Unix Time. This value is extracted from the event's timestamp (the value in _time). Use date_zone to offset an event's timezone by specifying an offset in minutes (range: -720 to 720).
You can only use date_zone in data-processing commands.
Example
This example searches for events containing the term "apache" that occurred in the current timezone (local).
Splunk Web:
apache date_zone=local
eventtype
The eventtype field contains event types that you (or another user) have defined for an event. Use the eventtype field to filter searches; specify event types for your results to match in a search argument. Also use eventtype to construct data extraction rules, and run reports.
Classify events into an event type by finding similar patterns in your data, and then saving an event type based on the similarities between events (learn how to save event types).
Note: Splunk can also discover event types (Learn about event type discovery).
Note: You can use wildcards to specify multiple event types with a single expression (Example: eventtype=access*).
Example
This example searches for events that match any event type that begins with "access".
Splunk Web:
eventtype=access*
This example displays the top 10 event types of sourcetype "syslog" on splunk3.
sourcetype="syslog" host=splunk3 | top eventtype
host
The host field contains the originating hostname or IP address of the network device that generated the event. Use the host field to narrow searches by specifying a host value that events must match. You can use wildcards to specify multiple hosts with a single expression (Example: host=corp*).
You can use host to filter results in data-generating commands, or as an argument in data-processing commands.
Example
This example searches for events on all "corp" servers for accesses by the user "strawsky". It then reports the 20 most recent events.
Splunk Web:
host=corp* eventtype=access user=strawsky | head 20
This example searches for events containing the term "404" that are from any host that starts with "192".
404 | regex host=*192.\d\d\d\.\d\d\d\.\d\d\d\*
linecount
The linecount field contains the number of lines an event contains. This is the number of lines an event contains before it is indexed. Use linecount to search for events that match a certain number of lines, or as an argument in data-processing commands. You can't use wildcards or expressions in linecount. To specify a matching range, you must OR together multiple linecount statements (Example: linecount::40 OR linecount::41 OR linecount::42...).
Example
This example searches for events containing "40" that have 40 lines and come from corp1, and omits events that contain 400.
Splunk Web:
(40* linecount=40 host=corp1) NOT (400 host=corp1)
punct
The punct field contains a punctuation pattern that is extracted from an event. Use punct to filter events during a search, or as a field argument in data-processing commands.
You can use wildcards in the punct field to search for multiple punctuation patterns that share some common characters that you know you want to search for.
This example searches for all punctuation patterns that start and end with ":":
punct=":*:"
Note: You must use quotation marks when defining a punctuation pattern in the punct field.
Note: A punctuation pattern is a good way to identify different types of events.
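To make the punct idea concrete, here is an added Python example (not code from the page, and not Splunk's own extraction code) that derives a punctuation pattern from constructed sample events and then filters them with a Splunk-style wildcard. The derivation rules (drop letters and digits, map whitespace to "_", keep the rest, cut at 30 characters) are an approximation chosen for the illustration; Splunk's exact rules may differ. The sample events and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample events (not from the page); the layouts are typical of
# a PHP error log line, a colon-delimited application line, and a syslog line.
SAMPLE_EVENTS = [
    "[13-Jan-2008 22:15:07] PHP Notice: Undefined index: id in /var/www/html/index.php on line 12",
    ":host-a: session opened for user alice:",
    "Jan 13 22:15:07 corp1 sshd[2234]: Accepted publickey for alice from 10.1.2.3 port 51234 ssh2",
]


def punct_pattern(raw, limit=30):
    """Punctuation pattern in the spirit of the punct field.

    Approximation used here (not Splunk's own code): letters and digits are
    dropped, every whitespace character becomes '_', all other characters are
    kept in order, and the result is cut at `limit` characters.
    """
    out = []
    for ch in raw:
        if ch.isalnum():
            continue
        out.append("_" if ch.isspace() else ch)
        if len(out) == limit:
            break
    return "".join(out)


def wildcard_match(pattern, value):
    """Match with '*' as the only wildcard.

    Every other character is literal, so a pattern such as "[--_::]*" keeps
    its brackets; a shell-style matcher (fnmatch) would read "[--_::]" as a
    character class and give the wrong answer.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def search_by_punct(events, pattern):
    """Events whose punctuation pattern matches `pattern` (like punct=pattern)."""
    return [raw for raw in events if wildcard_match(pattern, punct_pattern(raw))]


def count_by_punct(events):
    """How many events share each pattern (roughly what `| top punct` reports)."""
    return Counter(punct_pattern(raw) for raw in events)


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(punct_pattern(raw), "<-", raw[:40])
    print(search_by_punct(SAMPLE_EVENTS, ":*:"))
    print(count_by_punct(SAMPLE_EVENTS).most_common())
```

The pattern for the PHP line begins "[--_::]", which is why a search such as punct="[--_::]*" is a quick way to pull every event with that log layout regardless of its message text; the wildcard matcher deliberately treats the brackets as literal characters rather than as a character class.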
Example
This example searches the php_error.log for php error events that have the punctuation pattern:"[--_::]__:___:____/-..-///.___".
Splunk Web:
source="/var/www/log/php_error.log" punct="[--_::]__:___:____''/-..-''///.___"
source
The source field contains the filename or pathname from which the event was indexed. Use source to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: source=*php.log*).
You can use source to filter results in data-generating commands, or as an argument in data-processing commands.
Example
This example searches for events from the source "/var/www/log/php_error.log".
Splunk Web:
source="/var/www/log/php_error.log"
sourcetype
The sourcetype field contains the kind of application, network, or device data identified as coming from the source. A Splunk administrator can predefine source types, or they can be generated automatically by Splunk at index time. Use sourcetype to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: sourcetype=access*).
Example
This example searches for all events that are of the source type "access log".
Splunk Web:
sourcetype=access_log
timestamp
The timestamp field contains an event's timestamp value (extracted at index time). You can use timestamp as a search command argument to filter your search. For example, add timestamp=none to your search to filter your search results to include only events that have no recognizable timestamp value. You can also report on the timestamp field just as you would with any field.
Splunk extracts timestamps based on how you (or your Splunk admin) have configured timestamp extraction. Learn how to configure timestamp extraction.
Example
This example returns the number of events in your data that have no recognizable timestamp.
Splunk Web:
timestamp=none | stats count(_raw) as count
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14