Overview of field extraction
When Splunk indexes event data, it extracts by default a set of fields that are common to most events, and which are commonly used in Splunk searches and reports. These default fields include:
- host: Identifies the originating hostname or IP address of the network device that generated the event. Used to narrow searches to events that have their origins in a specific host.
- source: Identifies the filename or pathname from which the event was indexed. Used to filter events during a search, or as an argument in a data-processing command.
- sourcetype: Identifies the type of application, network, or device data that the event represents, such as access_log or syslog. A Splunk administrator can predefine source types, or they can be generated automatically by Splunk at index time. Use sourcetype to filter events during a search, or as an argument in a data-processing command.
For a full listing of the default fields that Splunk identifies during the indexing process, and examples of how they can be used in a search, see "Use default and internal fields" in the User manual.
Extract additional fields
Splunk enables you to extract additional fields when you determine that the default fields it identifies at index time and the fields it extracts automatically at search time aren't enough. As a Splunk knowledge manager, you can create sets of these custom extracted fields to track event information that is unique and important to your organization's needs. For more information, see the topics in the "Work with fields" chapter of this manual. There, you'll learn how to:
- Extract custom fields at search time, either via Splunk Web, or through configuration files.
- Customize index-time field extraction (not recommended, but occasionally necessary).
- Create field lookups from external data sources.
- Extract custom fields at index time from files with headers (such as CSV and MS Exchange files).
- Create aliases for fields.
- Configure multi-value fields.
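As an added illustration (not Splunk's own code, and not part of the original page), the following Python sketch shows what search-time field extraction amounts to: events keep the default fields assigned at index time (host, source, sourcetype), and per-sourcetype regular expressions with named groups, modeled on the props.conf "EXTRACT-<class>" convention, yield additional fields only when a search runs. The event lines, hostnames and patterns are constructed for the example.

```python
import re

# Constructed sample events (not from the original page). Each carries the
# default fields Splunk assigns at index time: host, source, sourcetype.
EVENTS = [
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_log",
     "_raw": '10.0.0.5 - - [10/Oct/2009:13:55:36 -0700] "GET /login HTTP/1.1" 401 2326'},
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_log",
     "_raw": '10.0.0.9 - - [10/Oct/2009:13:55:40 -0700] "POST /login HTTP/1.1" 200 512'},
    {"host": "fw01", "source": "/var/log/messages", "sourcetype": "syslog",
     "_raw": "Oct 10 13:56:01 fw01 sshd[2201]: Failed password for root from 10.0.0.9 port 5520 ssh2"},
]

# Search-time extraction rules keyed by sourcetype, in the spirit of Splunk's
# props.conf "EXTRACT-<class> = <regex with named groups>" setting (assumed
# patterns, constructed here). Named groups become field names; events of
# other sourcetypes are left untouched.
EXTRACTIONS = {
    "access_log": [
        r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
        r'(?P<status>\d{3}) (?P<bytes>\d+)',
    ],
    "syslog": [
        r"(?P<process>\w+)\[(?P<pid>\d+)\]: Failed password for (?P<user>\S+) from (?P<src_ip>\S+)",
    ],
}


def extract_fields(event, rules=EXTRACTIONS):
    """Return the event's default fields plus any fields extracted at search time."""
    fields = {k: v for k, v in event.items() if k != "_raw"}
    for pattern in rules.get(event["sourcetype"], []):
        m = re.search(pattern, event["_raw"])
        if m:
            # Only groups that actually matched produce a field.
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def search(events, **criteria):
    """Filter events on default or extracted field values, e.g. search(EVENTS, status="401")."""
    return [f for f in (extract_fields(e) for e in events)
            if all(f.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    for hit in search(EVENTS, sourcetype="access_log", status="401"):
        print(hit)
```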
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.