About fields
Fields are searchable name/value pairings in event data. Fields are distinguished from the indexed segments that make up all processed events in that fields have names and can be searched with those names.
For example, look at the following search:
host=foo

In this search, host=foo is a way of indicating that you are searching for events with host fields that have values of foo. When you run this search, Splunk won't seek out events with different host field values. It also won't look for events containing other fields that share foo as a value. This means that this search gives you a more focused set of search results than you might get if you just put foo in the search bar.
As Splunk processes event data, first at index time, and again at search time, it automatically extracts and defines fields.
- At index time Splunk extracts a small set of default fields for each event, including host, source, and sourcetype. Default fields are common to all events.
- At search time Splunk identifies and extracts what can be a wide range of fields from the event data. It finds obvious field name/value pairs in each event, such as user_id=jdoe or client_ip=192.168.1.1, which it extracts as examples of user_id and client_ip fields.
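To make the distinction between a field-qualified search (host=foo) and a bare keyword search concrete, and to show the kind of key=value extraction described above, here is an added Python illustration. It is not Splunk's own extraction code and the events, field names and regular expression are constructed for the example: each event carries the index-time default fields host, source and sourcetype plus a raw text, search-time extraction pulls name=value pairs out of the raw text, and a single search term is applied either to one named field or, for a bare word, to the raw text and default field values.

```python
import re

# Constructed sample events (not from the original page). Each event has
# the index-time default fields host/source/sourcetype plus its raw text.
SAMPLE_EVENTS = [
    {"host": "foo", "source": "/var/log/auth.log", "sourcetype": "syslog",
     "_raw": "sshd[1]: Accepted password for user_id=jdoe from client_ip=192.168.1.1"},
    {"host": "bar", "source": "/var/log/app.log", "sourcetype": "app",
     "_raw": "login ok user_id=foo client_ip=10.0.0.7"},
    {"host": "foo", "source": "/var/log/app.log", "sourcetype": "app",
     "_raw": "request path=/admin status=403 client_ip=10.0.0.9"},
]

DEFAULT_FIELDS = ("host", "source", "sourcetype")

# Assumed pattern for an "obvious" name=value pair: an identifier, '=',
# then a run of characters up to whitespace, comma or semicolon.
KV_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=([^\s,;]+)")


def extract_fields(event):
    """Search-time extraction: merge default fields with name=value pairs
    found in the raw event text. Default fields win on a name collision."""
    fields = {k: event[k] for k in DEFAULT_FIELDS}
    for name, value in KV_RE.findall(event["_raw"]):
        fields.setdefault(name, value)
    return fields


def search(events, term):
    """Apply one search term.
    'name=value' matches only events whose extracted field `name` equals
    `value`; a bare word matches the raw text or any default field value."""
    if "=" in term:
        name, value = term.split("=", 1)
        return [e for e in events if extract_fields(e).get(name) == value]
    return [e for e in events
            if term in e["_raw"] or term in (e[k] for k in DEFAULT_FIELDS)]


if __name__ == "__main__":
    # host=foo is narrower than a bare foo: the bare search also picks up
    # the event whose user_id (not host) happens to be foo.
    print("host=foo ->", [e["_raw"] for e in search(SAMPLE_EVENTS, "host=foo")])
    print("foo      ->", [e["_raw"] for e in search(SAMPLE_EVENTS, "foo")])
    print("fields   ->", extract_fields(SAMPLE_EVENTS[0]))
```

Running the script shows that host=foo returns two events while the bare term foo returns all three, because the second event has foo as the value of user_id rather than of host; the extracted fields for the first event include user_id and client_ip alongside the three defaults.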
Add and maintain custom fields
To fully utilize the power of Splunk IT search, however, you need to know how to add and maintain custom fields. Custom fields enable you to capture and track information that is unique and important to your needs. As a knowledge manager, you can define specialized sets of custom fields that are used by other Splunk users in your organization. This section of the Knowledge Manager manual discusses the various methods of field creation and maintenance and provides examples showing how this functionality can be used.
You'll learn how to:
- Add new fields at search time
- Customize index-time field extraction
- Look up fields from external data sources
- Set up index-time field extraction based on file headers
- Configure Splunk to parse multivalue fields
- Create aliases for fields
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11