Extract default fields automatically
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Extract default fields automatically
When Splunk indexes event data, it extracts by default a set of fields that are common to most events, and which are commonly used in Splunk searches and reports. These default fields include:
-
host: Identifies the originating hostname or IP address of the network device that generated the event. Used to narrow searches to events that have their origins in a specific host. -
source: Identifies the filename or pathname from which the event was indexed. Used to filter events during a search, or as an argument in a data-processing command. -
sourcetype: Identifies the type of application, network, or device data that the event represents, such asaccess_logorsyslog. A Splunk administrator can predefine source types, or they can be generated automatically by Splunk at index time. Use sourcetype to filter events during a search, or as an argument in a data-processing command.
For a full listing of the default fields that Splunk identifies during the indexing process, and examples of how they can be used in a search, see "Use default fields" in the User manual.
For detailed information on default field extraction, see "About default fields" in this manual.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.