About capturing knowledge
Once you master the basics of freeform search as described in the "Search and Investigate" chapter, you'll want to take things to a higher level of precision, because the raw data you get from those searches won't always get you to the answers you need.
Splunk combines the flexibility of unstructured search with the power of structured data, and you can use that combination by adding knowledge about the events, fields, transactions, and patterns in your data. Discover similar events and group them under a collective name (an "event type") so you can search on them the way you search on any other field. Identify transactions that correspond to clusters of related events and track them. Group related fields together with tags and aliases. Interactively extract new fields from event data or from external information (such as lookup tables) and use them in your searches.
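The following is an added example, not part of the original documentation, showing how the knowledge objects named above fit together for a common security use case: an event type for failed SSH logins, tags on that event type, and a field extraction. The sourcetype name, the event type name, the tag names, the regular expression and the log format are all assumptions made for the example; adjust them to your own data.

```ini
# eventtypes.conf (assumed file contents, added example)
# Define an event type that matches failed SSH password attempts.
# The sourcetype name and the search string are assumptions for this example.
[failed_ssh_login]
search = sourcetype=linux_secure "Failed password"

# tags.conf (assumed file contents, added example)
# Attach tags to the event type so searches can refer to the category
# ("authentication", "failure") rather than to the event type name itself.
[eventtype=failed_ssh_login]
authentication = enabled
failure = enabled

# props.conf (assumed file contents, added example)
# Extract the source IP as a field named src_ip at search time, using a
# regular expression written for the assumed sshd log line format
# "... Failed password for invalid user bob from 203.0.113.10 port 4242 ssh2".
[linux_secure]
EXTRACT-src_ip = from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port
```

With these objects in place, a search such as `tag=authentication tag=failure | transaction src_ip maxspan=5m | where eventcount > 5` groups the failed attempts from each source address into a transaction and keeps only the addresses that produced more than five failures within five minutes; `eventtype=failed_ssh_login | stats count by src_ip` gives the same data as a simple per-address count. The constants (five failures, five minutes) are illustrative thresholds, not values from the documentation.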
In this chapter you will:
- Learn how to identify similar or related events and group them together as event types.
- See a list of the default fields automatically extracted by Splunk during the indexing process and see examples of their use in searches.
- Find out how to group fields with related values together through tags and aliases.
- Learn how to interactively extract and add new fields.
- Discover how you can identify event clusters related to transactions and use them to your advantage in searches.
- See a detailed example of interactive field extraction.
- Learn how to create a saved search string and share the results of searches with others.
- Manage both in-process and completed search jobs and review their results.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6.