Splunk® Enterprise

Search Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Use fields to retrieve events

Fields are searchable name/value pairings in event data. All fields have names and can be searched with those names. Searches with field expressions are more precise (and therefore more efficient) than searches using only keywords and quoted phrases.

Look at the following search:

host=webserver

In this search, host=webserver indicates that you are searching for events with host fields that have values of webserver. When you run this search, events with different host field values are not retrieved, nor are events that contain other fields that share webserver as a value. This means that this search returns a more focused set of results than you might get if you just searched for webserver in the search bar.

For more information, read About fields in the Knowledge Manage Manual.

Index-time and search-time fields

As Splunk software processes event data, it extracts and defines fields from that data, first at index time, and again at search time.

See Index time versus search time in the Managing Indexers and Clusters manual.

Field extraction at index time

At index time, Splunk software extracts a small set of fields. This set of fields includes default fields, custom indexed fields, and fields indexed from structured data.

Default fields exist in all events. Three important default fields are host, source, and source type. They describe where the event originated. Other default fields include datetime fields, which provide additional searchable granularity to event timestamps. Splunk software also automatically adds default fields classified as internal fields.

Custom indexed fields are fields that you have manually configured for index-time extraction. See Create custom fields at index time in the Getting Data In manual.

Finally, when Splunk software indexes structured data, it creates index-time field extractions for the fields that it finds. Examples of structured data include:

  • comma-separated value files (CSV)
  • tab-separated value files (TSV)
  • pipe-separated value files
  • JavaScript Object Notation (JSON) data sources

When searching for default field values and custom indexed field values you can use the standard <field>=<value> syntax. This syntax matches default fields, custom indexed fields, and search-time fields.

However if you are searching specifically for a field that has been extracted at index-time from structured data, you can search more efficiently if you exchange the equal sign for a double colon, as follows:

<field>::<value>

This syntax works best in searches for fields that were indexed from structured data. However, you can use it to search for default and custom indexed fields as well. You cannot use it to search on Search-time fields.

For more information about extracting fields from structured data files, see Extract data from files with headers in the Getting Data In manual.

Field extraction at search time

At search time, Splunk software extracts additional fields, depending on its Search Mode setting and whether or not that setting enables field discovery given the type of search being run.

Search examples

Example 1: Search for events on all "corp" servers for accesses by the user "strawsky". It then reports the 20 most recent events.

host=corp* eventtype=access user=strawsky

In this example, host is a default field, while eventtype and user are additional fields that might have been automatically extracted or that you defined.

In general, an event type is a user-defined field that simplifies search by letting you categorize events. You can save a search as an event type and quickly retrieve those events using the eventtype field. For more information, read About event types in the Knowledge Manager Manual.

Example 2: Search for events from the source "/var/www/log/php_error.log".

source="/var/www/log/php_error.log"

The source of an event is the name of the file, stream, or other input from which the event originates.

Example 3: Search for all events that have an Apache web access source type.

sourcetype="access_*"

The source type of an event is the format of the data input from which it originates. In this search uses a wildcard to match any Apache web access log that begins with "access_". This includes access_common and access_combined (and you might also see access_combined_wcookie).

Example 4: Search indexed information from various CSV files to get a list of Plano-based employees.

employee_office::Plano

You have indexed several CSV files of employee records. Each of these CSV files share the same fields. You want to search for the employees from these files that are affiliated with the office in Plano, Texas.

This example uses the <field>::<value> syntax to find the fields from those CSV files, which are extracted at index time. This syntax works best for fields extracted from indexed structured data, although it can handle other kinds of index time fields as well. It cannot find fields that are extracted at search time.

Example 5: Search corp1 for events that have more than 4 lines, and omit events that contain the term 400.

host=corp1 linecount>4 NOT 400

You can use comparison expressions to match field/value pairs. Comparison expressions with "=" and "!=" work with all field/value pairs. Comparison expressions with < > <= >= work only with fields that have numeric values. This example specifies a search for events that have more than 4 lines, linecount>4.

Example 6: Searching with the boolean "NOT" versus the comparison operator "!=" is not the same. The following search returns events where field is undefined (or NULL).

NOT field="value"

The following search returns events where field exists and does not have the value "value".

field!="value"

In the case where the value in question is the wildcard "*", NOT field=* will return events where field is null/undefined, and field!=* will never return any events.

Example 7: Search for events that match a particular CIDR notation.

Suppose the ip field contains these IP address values:

10.10.10.12
50.10.10.17
10.10.10.23

The following search returns the events with the first and last values: 10.10.10.12 and 10.10.10.23

ip="10.10.10.0/24"

More about fields

This topic only discussed a handful of searches with fields.

Fields become more important when you start using the Splunk search language to summarize and transform your data into reports. For more information, read About reporting commands.

Last modified on 03 May, 2023
About retrieving events   Event sampling

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters