Use default fields
Fields are searchable name-value pairs in event data. When you search, you're matching search terms against segments of your event data; you can search more precisely by using fields. Fields are extracted from event data at either index time or search time. The fields that are extracted automatically at index time are known as default fields.
Default fields serve a number of purposes. For example, the default field index
identifies the index in which the event is located. The default field linecount
describes the number of lines the event contains, and timestamp
specifies the time at which the event occurred. Splunk software uses the values in some of the fields, particularly sourcetype
, when indexing the data, in order to create events properly. After the data has been indexed, you can use the default fields in your searches.
For more information on using default fields in search commands, see About the search language in the Search Manual. For information on configuring default fields, see About default fields in the Getting Data In manual.
Type of field | List of fields | Description |
---|---|---|
Internal fields | _raw, _time, _indextime, _cd, _bkt
|
Contain general information about events. |
Default fields | host, index, linecount, punct, source, sourcetype, splunk_server, timestamp
|
These are fields that contain information about where an event originated, in which index it's located, what type it is, how many lines it contains, and when it occurred. These fields are indexed and added to the Fields menu by default. |
Default datetime fields | date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone
|
These are fields that provide additional searchable granularity to event timestamps.
Note: Only events that have timestamp information in them as generated by their respective systems will have date_* fields. If an event has a date_* field, it represents the value of time/date directly from the event itself. If you have specified any timezone conversions or changed the value of the time/date at indexing or input time (for example, by setting the timestamp to be the time at index or input time), these fields will not represent that. |
A field can have more than one value. See Manipulate and evaluate fields with multiple values.
You can extract non-default fields with Splunk Web or by using extracting search commands. See About fields.
You might also want to change the name of a field, or group it with other similar fields. This is easily done with tags or aliases for the fields and field values. See Tag field value pairs in Search.
This topic discusses the internal and other default fields that Splunk software automatically adds when you index data.
Internal fields
Fields that begin with an underscore are internal fields.
Do not override internal fields unless you are absolutely sure you know what you are doing.
_raw
The _raw
field contains the original raw data of an event. The search
command uses the data in _raw
when performing searches and data extraction.
You cannot always search directly on values of _raw
, but you can filter on _raw
with commands like regex
or sort
.
Example: Return sendmail events that contain an IP address that starts with 10
.
eventtype=sendmail | regex _raw=*10.\d\d\d\.\d\d\d\.\d\d\d\*
_time
The _time
field contains an event's timestamp expressed in UNIX time. This field is used to create the event timeline in Splunk Web.
Note: The _time
field is stored internally in UTC format. It is translated to human-readable Unix time format when Splunk software renders the search results (the very last step of search time event processing).
Example: Search all sources of type mail
for mail addressed to the user strawsky@bigcompany.com
. Then sort the search results by timestamp.
sourcetype=mail to=strawsky@bigcompany.com | sort _time
_indextime
The _indextime
field contains the time that an event was indexed, expressed in Unix time. You might use this field to focus on or filter out events that were indexed within a specific range of time. Because _indextime
is a hidden field, it will not be displayed in search results unless renamed or used with an eval
.
_cd
The _cd
field provides an address for an event within the index. It is composed of two numbers, a short number and a long number. The short number indicates the specific index bucket that the event resides in. The long number is an index bucket offset. It provides the exact location of the event within its bucket. Because _cd
is a hidden field, it will not be displayed in search results unless renamed or used with an eval
. Because _cd
is used for internal reference only, we do not recommend that you set up searches that involve it.
_bkt
The _bkt
field contains the id of the bucket that an event is stored in. Because _bkt
is a hidden field, it will not be displayed in search results unless renamed or used with an eval
.
Other default fields
host
The host
field contains the originating hostname or IP address of the network device that generated the event. Use the host
field to narrow searches by specifying a host
value that events must match. You can use wildcards to specify multiple hosts with a single expression (Example: host=corp*
).
You can use host
to filter results in data-generating commands, or as an argument in data-processing commands.
Example 1: Search for events on all corp
servers for accesses by the user strawsky
. It then reports the 20 most recent events.
host=corp* eventtype=access user=strawsky | head 20
Example 2: Search for events containing the term 404
, and are from any host that starts with 192
.
404 | regex host=*192.\d\d\d\.\d\d\d\.\d\d\d\*
index
Theindex
field contains the name of the index in which a given event is indexed. Specify an index to use in your searches by using: index="name_of_index"
. By default, all events are indexed in the main
index.
Example: Search the myweb
index for events that have the .php
extension.
index="myweb" *.php
linecount
The linecount
field contains the number of lines an event contains. This is the number of lines an event contains before it is indexed. Use linecount
to search for events that match a certain number of lines, or as an argument in data-processing commands. To specify a matching range, use a greater-than and less-than expression (Example: linecount>10 linecount<20
).
Example: Search corp1 for events that contain 40
and have 40 lines, and omit events that contain 400.
40 linecount=40 host=corp1 NOT 400
punct
The punct
field contains a punctuation pattern that is extracted from an event. The punctuation pattern is unique to types of events. Use punct
to filter events during a search or as a field argument in data-processing commands.
You can use wildcards in the punct
field to search for multiple punctuation patterns that share some common characters that you know you want to search for. You must use quotation marks when defining a punctuation pattern in the punct
field.
Example 1: Search for all punctuation patterns that start and end with :
punct=":*:"
Example 2: Search the php_error.log
for php error events that have the punctuation pattern [--_::]__:___:____/-..-///.___"
.
source="/var/www/log/php_error.log" punct="[--_::]__:___:____''/-..-''///.___"
source
The source
field contains the name of the file, stream, or other input from which the event originates. Use source
to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: source=*php.log*
).
You can use source
to filter results in data-generating commands, or as an argument in data-processing commands.
Example: Search for events from the source /var/www/log/php_error.log
.
source="/var/www/log/php_error.log"
sourcetype
The sourcetype
field specifies the format of the data input from which the event originates, such as access_combined
or cisco_syslog
. Use sourcetype
to filter events during a search, or as an argument in a data-processing command. You can use wildcards to specify multiple sources with a single expression (Example: sourcetype=access*
).
Example: Search for all events that are of the source type access log
.
sourcetype=access_log
splunk_server
The splunk_server
field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment.
Example: Restrict a search to the main index on a server named remote
.
splunk_server=remote index=main 404
timestamp
The timestamp
field contains an event's timestamp value. You can configure the method that is used to extract timestamps. You can use timestamp
as a search
command argument to filter your search.
For example, you can add timestamp=none
to your search to filter your search results to include only events that have no recognizable timestamp value.
Example: Return the number of events in your data that have no recognizable timestamp.
timestamp=none | stats count(_raw) as count
Default datetime fields
You can use datetime fields to filter events during a search or as a field argument in data-processing commands.
If you are located in a different timezone from the Splunk server, time-based searches use the timestamp of the event as specified on the server where the event was indexed. The datetime values are the literal values parsed from the event when it is indexed, regardless of its timezone. So, a string such as 05:22:21
will be parsed into indexed fields: date_hour::5 date_minute::22 date_second::21
.
date_hour
The date_hour
field contains the value of the hour in which an event occurred (range: 0-23). This value is extracted from the event's timestamp (the value in _time
).
Example: Search for events with the string apache
that occurred between 10pm and 12am on the current day.
apache (date_hour >= 22 AND date_hour <= 24)
date_mday
The date_mday
field contains the value of the day of the month on which an event occurred (range: 1-31). This value is extracted from the event's timestamp (the value in _time
).
Example: Search for events containing the string apache
that occurred between the 1st and 15th day of the current month.
apache (date_mday >= 1 AND date_mday <= 15)
date_minute
The date_minute
field contains the value of the minute in which an event occurred (range: 0-59). This value is extracted from the event's timestamp (the value in _time
).
Example: Search for events containing the string apache
that occurred between the 15th and 20th minute of the current hour.
apache (date_minute >= 15 AND date_minute <= 20)
date_month
The date_month
field contains the value of the month in which an event occurred. This value is extracted from the event's timestamp (the value in _time
).
Example: Search for events with the string apache
that occurred in January.
apache date_month=1
date_second
The date_second
field contains the value of the seconds portion of an event's timestamp (range: 0-59). This value is extracted from the event's timestamp (the value in _time
).
Example: Search for events containing the string apache
that occurred between the 1st and 15th second of the current minute.
apache (date_second >= 1 AND date_second <= 15)
date_wday
The date_wday
field contains the day of the week on which an event occurred (Sunday, Monday, etc.). The date is extracted from the event's timestamp (the value in _time
) and determines what day of the week that date translates to. This day of the week value is then placed in the date_wday
field.
Example: Search for events containing the string apache
that occurred on Sunday.
apache date_wday="sunday"
date_year
The date_year
field contains the value of the year in which an event occurred. This value is extracted from the event's timestamp (the value in _time
).
Example: Search for events containing the string apache
that occurred in 2008.
apache date_year=2008
date_zone
The date_zone
field contains the value of time for the local timezone of an event, expressed as hours in Unix Time. This value is extracted from the event's timestamp (the value in _time
). Use date_zone
to offset an event's timezone by specifying an offset in minutes (range: -720 to 720).
Example: Search for events containing the string apache
that occurred in the current timezone (local).
apache date_zone=local
About fields | When Splunk software extracts fields |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2201, 8.2.2202, 8.2.2112, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!