Use fields to search
You can not take full advantage of the more advanced search features in Splunk Enterprise without understanding what fields are and how to use them.
When you look at the Data Summary in the search view, you see a list of Hosts, Sources, and Source Types that described the type of data you added to your Splunk index. These are also default fields that Splunk extracts from the data during indexing. They help to specify exactly which events you want to retrieve from the index.
What are fields?
Fields exist in machine data in many forms. Often, a field is a value (with a fixed, delimited position on the line) or a name and value pair, where there is a single value to each field name. A field can be multivalued, that is, it can appear more than once in an event and has a different value for each appearance.
Some examples of fields are
clientip for IP addresses accessing your Web server,
_time for the timestamp of an event, and
host for domain name of a server. One of the more common examples of multivalue fields is email address fields. While the
From field will contain only a single email address, the
Cc fields have one or more email addresses associated with them.
In Splunk Enterprise, fields are searchable name and value pairings that distinguish one event from another because not all events will have the same fields and field values. Fields let you write more tailored searches to retrieve the specific events that you want.
See "About fields" in the Knowledge Manager manual.
Splunk extracts fields from event data at index-time and at search-time. See "Index time versus search time" in the Managing Indexers and Clusters manual.
Default and other indexed fields are extracted for each event that is processed when that data is indexed. Default fields include
sourcetype. For a list of the default fields, see "Use default fields" in the Knowledge Manager manual.
Splunk Enterprise extracts different sets of fields, when you run a search. See "Overview of search-time field extractions" in the Knowledge Manager manual.
You can also use the Interactive Field Extractor (IFX) to create custom fields dynamically on your local Splunk instance. IFX lets you define any pattern for recognizing one or more fields in your events. See "Extract fields interactively with IFX" in the Knowledge Manager Manual.
Find and select fields
Use the following syntax to search for a field:
fieldname="fieldvalue" . Field names are case sensitive, but field values are not.
1. Go to the Search dashboard and type the following into the search bar:
This indicates that you want to retrieve only events from your web access logs and nothing else.
sourcetype is a field name and
access_* is a wildcarded field value used to match any Apache web access event. Apache web access logs are formatted as access_common, access_combined, or access_combined_wcookie.
2. In the Events tab, scroll through the list of events.
If you are familiar with the access_combined format of Apache logs, you recognize some of the information in each event, such as:
- IP addresses for the users accessing the website.
- URIs and URLs for the pages requested and referring pages.
- HTTP status codes for each page request.
- GET or POST page request methods.
Also, these are events for the Buttercup Games online store, so you might recognize other information and keywords, such as Arcade, Simulation, productId, categoryId, purchase, addtocart, and so on.
To the left of the events list is the Fields sidebar. As Splunk Enterprise retrieves the events that match your search, the Fields sidebar updates with Selected fields and Interesting fields. These are the fields that Splunk Enterprise extracted from your data.
Selected Fields are the fields that appear in your search results. The default fields host, source, and sourcetype are selected.
You can hide and show the fields sidebar by clicking Hide Fields and Show Fields, respectively.
3. Click All Fields.
The Select Fields dialog box opens, where you can edit the fields to show in the events list.
You see the default fields that Splunk defined. Some of these fields are based on each event's
timestamp (everything beginning with
date_*), punctuation (
punct), and location (
Other field names apply to the web access logs. For example, there are
clientip, method, and
status. These are not default fields. They are extracted at search time.
Other extracted fields are related to the Buttercup Games online store. For example, there are
productId and close the Select Fields window.
The three fields appear under Selected Fields in the sidebar. Also, the field/value pairs are listed under each event if it exists in the raw data for that event.
The fields sidebar displays the number of values that exist for each field. These are the values that Splunk Enterprise indentifies from the results of your search.
5. Under Selected Fields, click the
This opens the field summary for the action field.
In this set of search results, Splunk Enterprise found five values for
action, and that the
action field appears in 49.9% of your search results.
6. Close this window and look at the other two fields you selected,
categoryId (what types of products the shop sells) and
productId (specific catalog number for products).
7. Scroll through the events list.
The selected fields appear under your search results if they exist in that particular event. Different events will have different fields. If you click on the arrow next to an event, it opens up the list of all fields in that event. Use this panel to view all the fields in a particular event and select or deselect individual fields for an individual event.
Run more targeted searches
The following are search examples using fields.
Example1: Search for successful purchases from the Buttercup Games store.
sourcetype=access_* status=200 action=purchase
This search uses the HTTP status field,
status, to specify successful requests and the
action field to search only for purchase events.
You can search for failed purchases in a similar manner using
status!=200, which looks for all events where the HTTP status code is not equal to 200.
sourcetype=access_* status!=200 action=purchase
Example 2: Search for general errors.
(error OR failed OR severe) OR (status=404 OR status=500 OR status=503)
This doesn't specify a source type. The search retrieves events in both the secure and web access logs.
Example 3: Search for how many simulation games were bought yesterday.
Select the Preset time range, Yesterday, from the time range picker and run:
sourcetype=access_* status=200 action=purchase categoryId=simulation
The count of events returned are the number of simulation games purchased.
To find the number purchases for each type of product sold at the shop, run this search for each unique categoryId. For the number of purchases made each day of the previous week, run the search again for each time range.
Fields also let you take advantage of the search language, create charts, and build charts. Continue to "Use the search language" to learn how to use the search language.
Use the search language
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14