Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

About retrieving events

When you search, you are seeking to match search terms against segments of your event data. These search terms are keywords, phrases, boolean expressions, field name and value pairs, and so forth that specify which events you want to retrieve from the indexes. Read the Search command primer to learn how to use the search command effectively.

Your event data might be partitioned into different indexes and across distributed search peers. Read more about how to search across multiple indexes and servers in Retrieve events from indexes.

Events are retrieved from the indexes in reverse time order. The results of a search are ordered from most recent to least recent by default. You can retrieve events faster if you filter by time, whether you are using the timeline to zoom in on clusters of events or applying time ranges to the search itself. For more information, read how to Use the timeline to investigate events and About time ranges in search.


Events, event data, and fields

The phrase event data refers to your data after it has been added to the Splunk index. Events are a single record of activity or instance of this event data. For example, an event might be a single log entry in a log file. Because the Splunk software separates individual events by their time information, an event is distinguished from other events by a timestamp.

Here is a sample event:

172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

Events contain pairs of information, or fields. When you add data and it gets indexed, the Splunk software automatically extracts some useful fields for you, such as the host the event came from and the type of data source it is.

PREVIOUS
Built-in optimization
  NEXT
Use fields to retrieve events

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Comments

Alanden - Thank you for this question. For historical searches we are referring to the _time field. For realtime searches, we are referring to the _indextime field.

Lstewart splunk, Splunker
August 24, 2016

I'd like some clarification on the time mentioned in the following statements: "Events are retrieved from an index(es) in reverse time order. The results of a Splunk search are ordered from most recent to least recent by default." When you talk about time order, are you referring to order on _time or _indextime?

Alanden splunk, Splunker
August 18, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters