About retrieving events
When you search, you are seeking to match search terms against segments of your event data. These search terms are keywords, phrases, boolean expressions, field name and value pairs, and so forth that specify which events you want to retrieve from the indexes. Read the Search command primer to learn how to use the search command effectively.
Your event data might be partitioned into different indexes and across distributed search peers. Read more about how to search across multiple indexes and servers in Retrieve events from indexes.
Events are retrieved from the indexes in reverse time order. The results of a search are ordered from most recent to least recent by default. You can retrieve events faster if you filter by time, whether you are using the timeline to zoom in on clusters of events or applying time ranges to the search itself. For more information, read how to Use the timeline to investigate events and About time ranges in search.
Events, event data, and fields
The phrase event data refers to your data after it has been added to the Splunk index. Events are a single record of activity or instance of this event data. For example, an event might be a single log entry in a log file. Because the Splunk software separates individual events by their time information, an event is distinguished from other events by a timestamp.
Here is a sample event:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
Events contain pairs of information, or fields. When you add data and it gets indexed, the Splunk software automatically extracts some useful fields for you, such as the host the event came from and the type of data source it is.
Use fields to retrieve events
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103