About default fields (host, source, sourcetype, and more)
When Splunk software indexes data, it tags each event with a number of fields. These fields become part of the index event data. The fields that are added automatically are known as default fields.
Default fields serve a number of purposes:
- The default field
index
identifies the index in which the event is located. - The default field
linecount
describes the number of lines the event contains. - The default field
timestamp
specifies the time at which the event occurred.
Splunk software uses the values in some of the fields, particularly sourcetype
, when indexing the data, in order to create events properly. Once the data has been indexed, you can use the default fields in your searches.
The complete list of default fields follows:
Type of field | List of fields | Description |
---|---|---|
Internal fields | _raw, _time, _indextime, _cd
|
These fields contain information that Splunk software uses for its internal processes. |
Basic default fields | host, index, linecount, punct, source, sourcetype, splunk_server, timestamp
|
These fields provide basic information about an event, such as where it originated, what kind of data it contains,what index it's located in, how many lines it contains, and when it occurred. |
Default datetime fields | date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone
|
These fields provide additional searchable granularity to event timestamps.
Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that. |
For information about default fields from the search perspective, see Use default fields in the Knowledge Manager Manual.
You can also specify additional, custom fields for inclusion in the index. See Create custom fields at index-time in this chapter.
This topic focuses on three key default fields:
Defining host, source, and sourcetype
The host, source, and sourcetype fields are defined as follows:
- host - An event host value is typically the hostname, IP address, or fully qualified domain name of the network host from which the event originated. The host value lets you locate data originating from a specific device. For more information on hosts, see About hosts.
- source - The source of an event is the name of the file, stream, or other input from which the event originates. For data monitored from files and directories, the value of source is the full path, such as
/archive/server1/var/log/messages.0
or/var/log/
. The value of source for network-based data sources is the protocol and port, such as UDP:514. - sourcetype - The source type of an event is the format of the data input from which it originates, such as
access_combined
orcisco_syslog
. The source type determines how your data is to be formatted. For more information on source types, see Why source types matter.
Source vs sourcetype
Source and source type are both default fields, but they are entirely different otherwise, and can be easily confused.
- The source is the name of the file, stream, or other input from which a particular event originates.
- The sourcetype determines how Splunk software processes the incoming data stream into individual events according to the nature of the data.
Events with the same source type can come from different sources, for example, if you monitor source=/var/log/messages
and receive direct syslog input from udp:514
. If you search sourcetype=linux_syslog
, events from both of those sources are returned.
Under what conditions should you override host and sourcetype assignment?
Much of the time, Splunk software can automatically identify host and sourcetype values that are both correct and useful. But situations do come up that require you to intervene in this process and provide override values.
Override host assignment
You might want to change your default host
assignment when:
- You load archive data in bulk that was originally generated from a different host and you want those events to have that host value.
- You forward data from a different host. (The forwarder assigns its host name unless you specify otherwise.)
- You are working with a centralized log server environment, which means that all of the data received from that server will have the same host, even if it originated elsewhere.
For detailed information about hosts, see the chapter Configure host values.
Override sourcetype assignment
You might want to change your default sourcetype
assignment when:
- Splunk software cannot automatically format the data properly, resulting in problems such as wrong timestamping or event linebreaking.
- You want to apply source types to specific events coming through a particular input, such as events that originate from a discrete group of hosts, or even events that are associated with a particular IP address or userid.
There are also steps you can take to expand the range of source types that Splunk software automatically recognizes, or to simply rename source types.
About indexed field extraction | Assign default fields dynamically |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!