User Manual


Use default and internal fields

Fields are searchable name/value pairs in event data. When you search, you match search terms against segments of your event data; fields let you search more precisely. When you index new data, Splunk automatically recognizes and adds fields from name/value pairs, headers, and other self-describing structure in your data. Some of these default fields describe where the data came from, such as host, source, and sourcetype. Fields that begin with an underscore are internal fields.


Type of field           | List of fields                                                                              | Description
------------------------|---------------------------------------------------------------------------------------------|------------
Internal fields         | _raw, _time                                                                                 | Fields that contain general information about events in Splunk.
Default fields          | eventtype, host, index, linecount, punct, source, sourcetype, splunk-server, timestamp      | Fields that contain information about where an event originated, in which index it is located, what type it is, how many lines it contains, and when it occurred. These fields are indexed and added to the Fields menu by default.
Default datetime fields | date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone | Fields that provide additional searchable granularity to event timestamps.

Note: Only events that carry timestamp information generated by their respective systems have date_* fields. If an event has a date_* field, it holds the time/date value taken directly from the event itself. If you have specified timezone conversions or changed the time/date value at index or input time (for example, by setting the timestamp to the index or input time), the date_* fields do not reflect that change.


A field may have more than one value; for more information about how to handle such fields and their values, see the "Parse fields with multiple values" topic in this chapter.

You can extract additional fields using Splunk Web or by using extracting search commands. For more information, see the "Extract and add new fields" topic in this chapter.

You might also want to change the name of a field, or group it with other similar fields. This is easily done with tags or aliases for the fields and field values. For more information, see the "Tag and alias field values" topic in this chapter.

This topic discusses the internal and default fields that Splunk automatically adds when you index data.

Internal fields

_raw

The _raw field contains the original raw data of an event. Splunk's search command uses the data in _raw when performing searches and data extraction.

You can't use _raw as an argument of the search command; use _raw in data-processing commands only.

Example: Return sendmail events that contain an IP address that starts with "10".

eventtype=sendmail | regex _raw="\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

_time

The _time field contains an event's timestamp expressed in Unix time. Splunk uses this field to create the event timeline in Splunk Web.

You can only use _time in data-processing commands.

Example: Search all sources of type "mail" for mail addressed to the user "strawsky@bigcompany.com", then sort the search results by timestamp.

sourcetype=mail to=strawsky@bigcompany.com | sort _time

Default fields

eventtype

The eventtype field contains event types that you (or another user) have defined for an event. Use the eventtype field to filter searches; specify event types for your results to match in a search argument. Also use eventtype to construct data extraction rules, and run reports.

Classify events into an event type by finding similar patterns in your data, and then saving an event type based on the similarities between events.

Note: You can use wildcards to specify multiple event types with a single expression (Example: eventtype=access*).

Example 1: Search for events that match any event type that begins with "access".

eventtype=access*

Example 2: Display the top 10 most common event types of sourcetype "syslog" on splunk3.

sourcetype="syslog" host=splunk3 | top eventtype

host

The host field contains the originating hostname or IP address of the network device that generated the event. Use the host field to narrow searches by specifying a host value that events must match. You can use wildcards to specify multiple hosts with a single expression (Example: host=corp*).

You can use host to filter results in data-generating commands, or as an argument in data-processing commands.

Example 1: Search for events on all "corp" servers for accesses by the user "strawsky", then return the 20 most recent events.

host=corp* eventtype=access user=strawsky | head 20

Example 2: Search for events that contain the term "404" and come from any host whose address starts with "192".

404 | regex host="^192\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

index

The index field contains the name of the index in which a given event is stored. Specify an index to use in your searches with index="name_of_index". By default, all events are indexed in the main index (index="main").

Example: Search the myweb index for events that have the ".php" extension.

index="myweb" *.php

linecount

The linecount field contains the number of lines in an event, as counted before the event is indexed. Use linecount to search for events with a given number of lines, or as an argument in data-processing commands. To specify a matching range, use a greater-than and less-than expression (Example: linecount>10 linecount<20).

Example: Search corp1 for events that contain "40" and have 40 lines, and omit events that contain 400.

40 linecount=40 host=corp1 NOT 400

punct

The punct field contains a punctuation pattern that is extracted from an event: the event's structure with the variable text stripped out. Events of the same type share the same pattern, so punct is a compact way to identify a kind of event. Use punct to filter events during a search or as a field argument in data-processing commands.

You can use wildcards in the punct field to match several punctuation patterns that share the characters you care about. You must enclose a punctuation pattern in quotation marks when specifying it in the punct field.

Example 1: Search for all punctuation patterns that start and end with a colon (:).

punct=":*:"

Example 2: Search the php_error.log for PHP error events that have the punctuation pattern "[--_::]__:___:____/-..-///.___".

source="/var/www/log/php_error.log" punct="[--_::]__:___:____''/-..-''///.___"
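As an added example (not from the Splunk documentation), the following Python approximates how a punct value is built from a raw event and shows how it supports both wildcard filtering and spotting lines whose shape differs from the rest. The derivation rules (drop letters and digits, space becomes "_", keep the first 30 characters) are an assumption fitted to the pattern quoted above, and the php_error.log lines are constructed sample input.

```python
import re
from collections import Counter

# Constructed php_error.log-style events (sample input, not from the original page).
# The first three share one shape; the fourth is written by a different code path.
SAMPLE_EVENTS = [
    "[01-Feb-2010 10:00:01] PHP Notice:  Undefined index: id in /var/www/app/index.php on line 12",
    "[01-Feb-2010 10:00:02] PHP Notice:  Undefined index: page in /var/www/app/index.php on line 12",
    "[01-Feb-2010 10:00:03] PHP Warning:  Unknown key: uid in /var/www/app/user.php on line 40",
    '[01-Feb-2010 10:00:04] PHP Notice:  {"user":"x","roles":["admin"]} in /var/www/app/auth.php on line 7',
]


def punct_pattern(event, max_len=30):
    """Approximate how Splunk derives punct (assumption, not Splunk's code):
    letters and digits are dropped, each space becomes '_', every other
    character is kept, and the result is cut to the first max_len characters."""
    out = []
    for ch in event:
        if ch.isalnum():
            continue
        out.append("_" if ch == " " else ch)
        if len(out) == max_len:
            break
    return "".join(out)


def wildcard_to_regex(pattern):
    """Turn a punct search value such as ":*:" into an anchored regex:
    '*' matches any run of characters, everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def filter_by_punct(events, pattern):
    """Mimic punct="<pattern>" in a search: keep events whose punct matches."""
    rx = wildcard_to_regex(pattern)
    return [e for e in events if rx.match(punct_pattern(e))]


def rare_shapes(events, max_count=1):
    """Events whose punct occurs at most max_count times in the batch: the
    outliers a reviewer looks at first, because punct keeps only structure."""
    counts = Counter(punct_pattern(e) for e in events)
    return [(punct_pattern(e), e) for e in events if counts[punct_pattern(e)] <= max_count]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(punct_pattern(e), "<-", e[:40])
    print("rare:", rare_shapes(SAMPLE_EVENTS))
```

Running the block prints one 25-character pattern for the three routine notices and a different 30-character pattern for the JSON-bearing line, which rare_shapes reports as the single outlier.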

source

The source field contains the filename or pathname from which the event was indexed. Use source to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: source=*php.log*).

You can use source to filter results in data-generating commands, or as an argument in data-processing commands.

Example: Search for events from the source "/var/www/log/php_error.log".

source="/var/www/log/php_error.log"

sourcetype

The sourcetype field contains a classification, or type, of source. A Splunk administrator can predefine source types, or Splunk can generate them automatically at index time. Use sourcetype to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple source types with a single expression (Example: sourcetype=access*).


Example: Search for all events that are of the source type "access_log".

sourcetype=access_log

splunk-server

The splunk-server field contains the different server names in a distributed Splunk environment.

Example: Restrict a search for "404" to the main index on a remote server named remote.

splunk-server=remote index=main 404

timestamp

The timestamp field contains an event's timestamp value (extracted at index time). Splunk extracts timestamps according to how you (or your Splunk admin) have configured timestamp extraction. You can use timestamp as a search command argument to filter your search.

For example, you can add timestamp=none to your search to filter your search results to include only events that have no recognizable timestamp value.

Example: Return the number of events in your data that have no recognizable timestamp.

timestamp=none | stats count(_raw) as count

Default datetime fields

You can use datetime fields to filter events during a search or as a field argument in data-processing commands.


date_hour

The date_hour field contains the value of the hour in which an event occurred (range: 0-23). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events with the term "apache" that occurred between 10pm and 12am on the current day.

apache (date_hour >= 22 AND date_hour <= 23)

date_mday

The date_mday field contains the value of the day of the month on which an event occurred (range: 1-31). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the term "apache" that occurred between the 1st and 15th day of the current month.

apache (date_mday >= 1 AND date_mday <= 15)

date_minute

The date_minute field contains the value of the minute in which an event occurred (range: 0-59). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the term "apache" that occurred between the 15th and 20th minute of the current hour.

apache (date_minute >= 15 AND date_minute <= 20)

date_month

The date_month field contains the value of the month in which an event occurred. This value is extracted from the event's timestamp (the value in _time).

Example: Search for events with the term "apache" that occurred in January.

apache date_month=1

date_second

The date_second field contains the value of the seconds portion of an event's timestamp (range: 1-59). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the term "apache" that occurred between the 1st and 15th second of the current minute.

apache (date_second >= 1 AND date_second <= 15)

date_wday

The date_wday field contains the day of the week on which an event occurred (Sunday, Monday, etc.). Splunk extracts the date from the event's timestamp (the value in _time), determines which day of the week that date falls on, and places that value in the date_wday field.

Example: Search for events containing the term "apache" that occurred on Sunday.

apache date_wday="sunday"

date_year

The date_year field contains the value of the year in which an event occurred. This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the term "apache" that occurred in 2008.

apache date_year=2008

date_zone

The date_zone field contains the timezone offset of an event, taken from the event's own timestamp and expressed in minutes (range: -720 to 720). This value is extracted from the event's timestamp (the value in _time). Use date_zone to filter events by their timezone offset, or to match events in the local timezone.

Example: Search for events containing the term "apache" that occurred in the current timezone (local).

apache date_zone=local

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11
