Splunk® Enterprise

Knowledge Manager Manual

Use default fields

Fields are searchable name-value pairs in event data. When you search, you're matching search terms against segments of your event data; you can search more precisely by using fields. Fields are extracted from event data at either index time or search time. The fields that are extracted automatically at index time are known as default fields.

Default fields serve a number of purposes. For example, the default field index identifies the index in which the event is located. The default field linecount describes the number of lines the event contains, and timestamp specifies the time at which the event occurred. Splunk software uses the values in some of the fields, particularly sourcetype, when indexing the data, in order to create events properly. After the data has been indexed, you can use the default fields in your searches.

For more information on using default fields in search commands, see About the search language in the Search Manual. For information on configuring default fields, see About default fields in the Getting Data In manual.

Type of field List of fields Description
Internal fields _raw, _time, _indextime, _cd, _bkt Contain general information about events.
Default fields host, index, linecount, punct, source, sourcetype, splunk_server, timestamp These are fields that contain information about where an event originated, in which index it's located, what type it is, how many lines it contains, and when it occurred. These fields are indexed and added to the Fields menu by default.
Default datetime fields date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone These are fields that provide additional searchable granularity to event timestamps.

Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that.

A field can have more than one value. See Manipulate and evaluate fields with multiple values.

You can extract non-default fields with Splunk Web or by using extracting search commands. See About fields.

You might also want to change the name of a field, or group it with other similar fields. This is easily done with tags or aliases for the fields and field values. See Tag field value pairs in Search.

This topic discusses the internal and other default fields that Splunk software automatically adds when you index data.

Internal fields

Fields that begin with an underscore are internal fields.

Do not override internal fields unless you are absolutely sure you know what you are doing.

_raw

The _raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.

You cannot always search directly on values of _raw, but you can filter on _raw with commands like regex or sort.

Example: Return sendmail events that contain an IP address that starts with 10.

eventtype=sendmail | regex _raw=*10.\d\d\d\.\d\d\d\.\d\d\d\*

_time

The _time field contains an event's timestamp expressed in UNIX time. This field is used to create the event timeline in Splunk Web.

Note: The _time field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk software renders the search results (the very last step of search time event processing).

Example: Search all sources of type mail for mail addressed to the user strawsky@bigcompany.com. Then sort the search results by timestamp.

sourcetype=mail to=strawsky@bigcompany.com | sort _time

_indextime

The _indextime field contains the time that an event was indexed, expressed in Unix time. You might use this field to focus on or filter out events that were indexed within a specific range of time. Because _indextime is a hidden field, it will not be displayed in search results unless renamed or used with an eval.

_cd

The _cd field provides an address for an event within the index. It is composed of two numbers, a short number and a long number. The short number indicates the specific index bucket that the event resides in. The long number is an index bucket offset. It provides the exact location of the event within its bucket. Because _cd is a hidden field, it will not be displayed in search results unless renamed or used with an eval. Because _cd is used for internal reference only, we do not recommend that you set up searches that involve it.

_bkt

The _bkt field contains the id of the bucket that an event is stored in. Because _bkt is a hidden field, it will not be displayed in search results unless renamed or used with an eval.

Other default fields

host

The host field contains the originating hostname or IP address of the network device that generated the event. Use the host field to narrow searches by specifying a host value that events must match. You can use wildcards to specify multiple hosts with a single expression (Example: host=corp*).

You can use host to filter results in data-generating commands, or as an argument in data-processing commands.

Example 1: Search for events on all corp servers for accesses by the user strawsky. It then reports the 20 most recent events.

host=corp* eventtype=access user=strawsky | head 20

Example 2: Search for events containing the term 404, and are from any host that starts with 192.

404 | regex host=*192.\d\d\d\.\d\d\d\.\d\d\d\*

index

Theindex field contains the name of the index in which a given event is indexed. Specify an index to use in your searches by using: index="name_of_index". By default, all events are indexed in the main index.

Example: Search the myweb index for events that have the .php extension.

index="myweb" *.php

linecount

The linecount field contains the number of lines an event contains. This is the number of lines an event contains before it is indexed. Use linecount to search for events that match a certain number of lines, or as an argument in data-processing commands. To specify a matching range, use a greater-than and less-than expression (Example: linecount>10 linecount<20).

Example: Search corp1 for events that contain 40 and have 40 lines, and omit events that contain 400.

40 linecount=40 host=corp1 NOT 400

punct

The punct field contains a punctuation pattern that is extracted from an event. The punctuation pattern is unique to types of events. Use punct to filter events during a search or as a field argument in data-processing commands.

You can use wildcards in the punct field to search for multiple punctuation patterns that share some common characters that you know you want to search for. You must use quotation marks when defining a punctuation pattern in the punct field.

Example 1: Search for all punctuation patterns that start and end with :

punct=":*:"

Example 2: Search the php_error.log for php error events that have the punctuation pattern [--_::]__:___:____/-..-///.___".

source="/var/www/log/php_error.log" punct="[--_::]__:___:____''/-..-''///.___"

source

The source field contains the name of the file, stream, or other input from which the event originates. Use source to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: source=*php.log*).

You can use source to filter results in data-generating commands, or as an argument in data-processing commands.

Example: Search for events from the source /var/www/log/php_error.log.

source="/var/www/log/php_error.log"

sourcetype

The sourcetype field specifies the format of the data input from which the event originates, such as access_combined or cisco_syslog. Use sourcetype to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: sourcetype=access*).

Example: Search for all events that are of the source type access log.

sourcetype=access_log

splunk_server

The splunk_server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment.

Example: Restrict a search to the main index on a server named remote.

splunk_server=remote index=main 404

timestamp

The timestamp field contains an event's timestamp value. You can configure the method that is used to extract timestamps. You can use timestamp as a search command argument to filter your search.

For example, you can add timestamp=none to your search to filter your search results to include only events that have no recognizable timestamp value.

Example: Return the number of events in your data that have no recognizable timestamp.

timestamp=none | stats count(_raw) as count

Default datetime fields

You can use datetime fields to filter events during a search or as a field argument in data-processing commands.

If you are located in a different timezone from the Splunk server, time-based searches use the timestamp of the event as specified on the server where the event was indexed. The datetime values are the literal values parsed from the event when it is indexed, regardless of its timezone. So, a string such as 05:22:21 will be parsed into indexed fields: date_hour::5 date_minute::22 date_second::21.

date_hour

The date_hour field contains the value of the hour in which an event occurred (range: 0-23). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events with the string apache that occurred between 10pm and 12am on the current day.

apache (date_hour >= 22 AND date_hour <= 24)

date_mday

The date_mday field contains the value of the day of the month on which an event occurred (range: 1-31). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the string apache that occurred between the 1st and 15th day of the current month.

apache (date_mday >= 1 AND date_mday <= 15)

date_minute

The date_minute field contains the value of the minute in which an event occurred (range: 0-59). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the string apache that occurred between the 15th and 20th minute of the current hour.

apache (date_minute >= 15 AND date_minute <= 20)

date_month

The date_month field contains the value of the month in which an event occurred. This value is extracted from the event's timestamp (the value in _time).

Example: Search for events with the string apache that occurred in January.

apache date_month=1

date_second

The date_second field contains the value of the seconds portion of an event's timestamp (range: 0-59). This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the string apache that occurred between the 1st and 15th second of the current minute.

apache (date_second >= 1 AND date_second <= 15)

date_wday

The date_wday field contains the day of the week on which an event occurred (Sunday, Monday, etc.). The date is extracted from the event's timestamp (the value in _time) and determines what day of the week that date translates to. This day of the week value is then placed in the date_wday field.

Example: Search for events containing the string apache that occurred on Sunday.

apache date_wday="sunday"

date_year

The date_year field contains the value of the year in which an event occurred. This value is extracted from the event's timestamp (the value in _time).

Example: Search for events containing the string apache that occurred in 2008.

apache date_year=2008

date_zone

The date_zone field contains the value of time for the local timezone of an event, expressed as hours in Unix Time. This value is extracted from the event's timestamp (the value in _time). Use date_zone to offset an event's timezone by specifying an offset in minutes (range: -720 to 720).

Example: Search for events containing the string apache that occurred in the current timezone (local).

apache date_zone=local

Last modified on 16 January, 2020
About fields   When Splunk software extracts fields

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 8.0.8, 8.1.0, 8.1.10, 8.1.11


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters