Splunk® Enterprise

Search Manual

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.

Use fields to retrieve events

Fields are searchable name/value pairings in event data. All fields have names and can be searched with those names. Searches with field expressions are more precise (and therefore more efficient) than searches using only keywords and quoted phrases.

Look at the following search:

host=webserver

In this search, host=webserver indicates that you are searching for events whose host field has the value webserver. When you run this search, Splunk won't retrieve events with other host values, and it won't retrieve events that merely contain webserver as the value of some other field or as a word in the raw event text. This search therefore returns a more focused set of results than you would get by typing only the keyword webserver in the search bar.

For more information, read "About fields" in the Knowledge Manager Manual.

Index-time and search-time fields

As Splunk processes event data, it extracts and defines fields from that data, first at index time, and again at search time.

At index time, Splunk extracts a small set of default fields.

These indexed fields are called default fields because they exist in all events. Three important default fields are host, source, and source type, which describe where the event originated. Other default fields include datetime fields, which provide additional searchable granularity to event timestamps. Splunk also automatically adds default fields classified as internal fields.

Splunk can also extract custom indexed fields at index time; these are fields that you have configured for index-time extraction.

At search time, Splunk can automatically extract additional fields, depending on the Search Mode setting and whether that mode enables field discovery for the kind of search being run.

For an explanation of "search time" and "index time" see "Index time versus search time" in the Managing Indexers and Clusters manual.

Search examples

Example 1: Search for events on all "corp" servers for accesses by the user "strawsky". The matching events are listed in reverse chronological order, most recent first.

host=corp* eventtype=access user=strawsky

In this example, host is a default field, while eventtype and user are additional fields that Splunk may have automatically extracted or that you defined.

In general, an event type is a user-defined field that simplifies search by letting you categorize events. You can save a search as an event type and quickly retrieve those events using the eventtype field. For more information, read "About event types" in the Knowledge Manager Manual.

Example 2: Search for events from the source "/var/www/log/php_error.log".

source="/var/www/log/php_error.log"

The source of an event is the name of the file, stream, or other input from which the event originates.

Example 3: Search for all events that have an Apache web access source type.

sourcetype="access_*"

The source type of an event is the format of the data input from which it originates. This search uses a wildcard to match any Apache web access source type that begins with "access_". This includes access_common and access_combined (and you might also see access_combined_wcookie).

Example 4: Search corp1 for events that have more than 4 lines, and omit events that contain the term 400.

host=corp1 linecount>4 NOT 400

You can use comparison expressions to match field/value pairs. Comparison expressions with "=" and "!=" work with all field/value pairs. Comparison expressions with < > <= >= work only with fields that have numeric values. This example specifies a search for events that have more than 4 lines, linecount>4.

Example 5: Searching with the boolean "NOT" is not the same as searching with the comparison operator "!=". The first search:

NOT field="value"

returns every event that does not have field set to "value", which includes events where field is undefined (or NULL). The second search:

field!="value"

returns only events where field exists and has a value other than "value".

In the case where the value in question is the wildcard "*", NOT field=* will return events where field is null/undefined, and field!=* will never return any events.
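The following Python script is an added example, not code from the Splunk documentation or product: it models the field-matching rules stated on this page (exact and wildcard "=" / "!=", numeric-only "<" ">" "<=" ">=", the difference between NOT and "!=", and keyword matching on the raw event text) over a handful of constructed events, so you can see how the search in the first section and in Examples 3, 4 and 5 select different events. The event data, the simplification that bare keywords are matched against _raw only, and the parser are assumptions of this example, not Splunk's implementation.

```python
import fnmatch
import re
import shlex

# Constructed sample events, not real log data. Each carries the default fields
# host, sourcetype and linecount plus _raw; "user" is deliberately absent from two
# of them so that the NOT versus != difference is visible.
EVENTS = [
    {"host": "webserver", "sourcetype": "access_combined", "linecount": 1, "user": "strawsky",
     "_raw": "webserver httpd: 10.0.0.5 - strawsky GET /index.html 200"},
    {"host": "corp1", "sourcetype": "syslog", "linecount": 1,
     "_raw": "proxy: upstream webserver did not respond"},
    {"host": "corp1", "sourcetype": "access_common", "linecount": 5, "user": "strawsky",
     "_raw": "10.0.0.9 - strawsky POST /login 400\nreferer: -\nagent: curl\nbytes: 0\nend"},
    {"host": "corp1", "sourcetype": "php_error", "linecount": 6, "user": "root",
     "_raw": "PHP Fatal error: Uncaught Exception\nStack trace:\n#0 a.php\n#1 b.php\n#2 c.php\n#3 main"},
    {"host": "corp1", "sourcetype": "syslog", "linecount": 5,
     "_raw": "cron: backup finished\nfiles: 4\nerrors: 0\nwarnings: 0\nok"},
]

# A term is either name<op>value or a bare keyword. Two-character operators come
# first in the alternation so "!=" is not read as "!" followed by "=".
TERM_RE = re.compile(r"^(?P<name>[\w.]+)(?P<op>!=|>=|<=|>|<|=)(?P<value>.*)$")


def parse(search):
    """Split a search string into (negated, kind, name, op, value) clauses.
    Clauses are implicitly ANDed; a preceding NOT negates only the next clause.
    shlex strips the quotes from values such as source="/var/www/log/php_error.log"."""
    clauses, negated = [], False
    for tok in shlex.split(search):
        if tok == "NOT":
            negated = True
            continue
        m = TERM_RE.match(tok)
        if m:
            clauses.append((negated, "field", m["name"], m["op"], m["value"]))
        else:
            clauses.append((negated, "keyword", None, None, tok))
        negated = False
    return clauses


def field_match(event, name, op, value):
    """Evaluate one field comparison against one event, following the rules on
    this page: '=' and '!=' work on any field and honour the '*' wildcard;
    <, >, <=, >= match only when the field holds a number. An event that lacks
    the field satisfies no comparison at all, '!=' included."""
    if name not in event:
        return False
    actual = str(event[name])
    if op in ("=", "!="):
        hit = fnmatch.fnmatchcase(actual, value)   # '*' matches any run of characters
        return hit if op == "=" else not hit
    try:
        lhs, rhs = float(actual), float(value)
    except ValueError:
        return False                               # non-numeric field value: no match
    return {">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]


def keyword_match(event, term):
    """Bare keywords are matched against the raw event text only (an assumed
    simplification of Splunk's indexed tokens): whole token, case-insensitive;
    a quoted phrase is matched as a substring."""
    raw = event["_raw"].lower()
    if " " in term:
        return term.lower() in raw
    return term.lower() in re.findall(r"[\w.]+", raw)


def matches(event, search):
    for negated, kind, name, op, value in parse(search):
        hit = field_match(event, name, op, value) if kind == "field" else keyword_match(event, value)
        if hit == negated:      # a negated hit, or a plain miss, fails the AND
            return False
    return True


def run(search, events=EVENTS):
    """Return the events that satisfy every clause of the search."""
    return [e for e in events if matches(e, search)]


if __name__ == "__main__":
    for s in ["webserver", "host=webserver", 'sourcetype="access_*"',
              "host=corp1 linecount>4 NOT 400",
              'NOT user="strawsky"', 'user!="strawsky"', "NOT user=*", "user!=*"]:
        print(f"{s:35} -> {len(run(s))} event(s)")
```

Against these events, the keyword webserver matches two events (one from the proxy log that only mentions the host), while host=webserver matches one; NOT user="strawsky" returns three events but user!="strawsky" returns one, because two events have no user field. That gap matters when a search is used as a detection rule: NOT user="admin" quietly admits every event with no user field, so if the field must be present, write user!="admin" or combine user=* NOT user="admin".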

More about fields

This topic only discussed a handful of searches with fields.

Fields become more important when you start using the Splunk search language to summarize and transform your data into reports. For more information, read "About reporting commands".


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
