Fields are searchable key/value pairs in your event data
Fields can be searched by their name, for example:
area_code=404
action=purchase status=200
When you look for multiple items in the editor an implied AND will be implied unless specified otherwise (AND, OR, NOT) to the search as follows
action=purchase AND status=200
Field Discovery
Splunk automatically discovers many fields based on the sourcetype and key/value pairs in the data
Prior to the search as explained before, some fields are stored with the event in the index
- Meta fields – host, source, sourcetype and index
- Internal fields _time and _raw
Fields Sidebar
When records are displayed, you will notice the following 2
Selected Fields
This is a set of configurable fields that are displayed for each event
Interesting Fields
These are fields that are presented at least 20% of the time in the collection of events
In the case of any missing fields as part of your Selected Fields you can click on the All Fields link and select the ones you want to show up on the Selected fields
There are very efficient ways to pinpoint searches and refine results as follows
Very Important
Field Names ARE case Sensitive, Field Values are NOT Case sensitive
Search Modes
- Fast – Emphasizes speed over completeness
- Smart – Balances Speed and Completeness (Default Behavior)
- Verbose – Emphasises completeness over speed, allows access to underlying events when using reporting or statistical commands
What is next?
Search Language Syntax
About the Author:
Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres is specialized in Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.