About default fields (host, source, sourcetype, and more)

When Splunk software indexes data, it tags each event with a number of fields. These fields become part of the indexed event data. The fields that are added automatically are known as default fields.

Default fields serve a number of purposes:
- The default field index identifies the index in which the event is located.
- The default field linecount describes the number of lines the event contains.
- The default field timestamp specifies the time at which the event occurred.

Splunk software uses the values in some of the fields, particularly sourcetype, when indexing the data, in order to create events properly. Once the data has been indexed, you can use the default fields in your searches.

The complete list of default fields follows:

| Type | Fields | Description |
|---|---|---|
| Internal fields | | These fields contain information that Splunk software uses for its internal processes. |
| Basic default fields | host, index, linecount, punct, source, sourcetype, splunk_server, timestamp | These fields provide basic information about an event, such as where it originated, what kind of data it contains, what index it's located in, how many lines it contains, and when it occurred. |
| Default datetime fields | date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone | These fields provide additional searchable granularity to event timestamps. |

Note: Only events that have timestamp information in them, as generated by their respective systems, will have date_* fields. If an event has a date_* field, it represents the value of the time/date taken directly from the event itself (the event's own clock, not a converted value), so an event that arrives without any timestamp of its own will carry no date_* fields at all.
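The following is an added example, not Splunk's own code, that mimics how the basic default fields and the date_* fields get populated so the rules above can be seen on concrete events: linecount comes from the raw text, date_* values are taken from the timestamp inside the event (so date_hour stays at the event's local hour even though _time is normalised to epoch seconds), and an event with no timestamp gets no date_* fields. The sample events, host names and source paths are constructed; only two timestamp shapes (Apache CLF and ISO 8601 with a numeric offset) are recognised; and the representation of date_zone as whole minutes from UTC and the timestamp="none" fallback are assumptions about Splunk's behaviour, not taken from this page.

```python
"""Added example (not Splunk's code): derive Splunk-style default fields for raw
events, including the date_* fields, from the timestamp carried in each event."""
import re
from datetime import datetime, timezone

# Constructed sample events, not real logs.  The first two embed a timestamp
# with a UTC offset; the third carries no timestamp information of any kind.
SAMPLE_EVENTS = [
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined",
     "raw": '10.0.0.5 - - [10/Mar/2024:14:05:09 -0500] "GET /login HTTP/1.1" 200 512'},
    {"host": "bastion", "source": "/var/log/secure", "sourcetype": "linux_secure",
     "raw": "2024-03-11T01:30:00+02:00 sshd[2210]: Failed password for invalid user admin\n"
            "from 203.0.113.7 port 51234 ssh2"},
    {"host": "app02", "source": "/var/log/app.log", "sourcetype": "app_log",
     "raw": "worker restarted\nreason: watchdog"},
]

# Two timestamp shapes recognised here (Splunk itself handles many more):
# Apache CLF "[dd/Mon/yyyy:HH:MM:SS +zzzz]" and ISO 8601 with a numeric offset.
TIMESTAMP_PATTERNS = [
    (re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]"),
     "%d/%b/%Y:%H:%M:%S %z"),
    (re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})"), None),
]


def extract_timestamp(raw):
    """Return (timestamp_text, aware datetime), or (None, None) if the event has none."""
    for pattern, fmt in TIMESTAMP_PATTERNS:
        match = pattern.search(raw)
        if match:
            text = match.group(1)
            parsed = datetime.strptime(text, fmt) if fmt else datetime.fromisoformat(text)
            return text, parsed
    return None, None


def date_fields(ts):
    """date_* fields taken from the event's own clock, not converted to UTC.

    date_zone is written as the offset from UTC in whole minutes; this
    representation, and "local" for a naive timestamp, are assumptions.
    """
    offset = ts.utcoffset()
    return {
        "date_year": ts.year,
        "date_month": ts.strftime("%B").lower(),
        "date_mday": ts.day,
        "date_wday": ts.strftime("%A").lower(),
        "date_hour": ts.hour,
        "date_minute": ts.minute,
        "date_second": ts.second,
        "date_zone": int(offset.total_seconds() // 60) if offset is not None else "local",
    }


def build_default_fields(event, index="main", index_time=None, splunk_server="idx01"):
    """Tag one raw event: basic fields always, date_* only when the event itself
    carried a timestamp.  index_time (epoch float) is the fallback _time when
    no timestamp is found, standing in for the indexer's own clock."""
    raw = event["raw"]
    text, ts = extract_timestamp(raw)
    fields = {
        "_raw": raw,
        "host": event["host"],
        "source": event["source"],
        "sourcetype": event["sourcetype"],
        "index": index,
        "splunk_server": splunk_server,
        "linecount": raw.count("\n") + 1,
        "timestamp": text if text is not None else "none",  # "none" fallback is assumed
    }
    if ts is not None:
        fields["_time"] = ts.timestamp()   # epoch seconds, i.e. normalised to UTC
        fields.update(date_fields(ts))     # while date_* keep the event-local values
    else:
        fields["_time"] = index_time if index_time is not None else datetime.now(timezone.utc).timestamp()
    return fields


def has_date_fields(fields):
    """True when the indexer attached any date_* field to the event."""
    return any(key.startswith("date_") for key in fields)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        tagged = build_default_fields(ev, index_time=1710115200.0)
        print(tagged["sourcetype"], {k: v for k, v in tagged.items() if k != "_raw"})
```

Running the script shows the point the note above makes: the access_combined event reports date_hour=14 and date_zone=-300 although its _time is 19:05:09 UTC, the linux_secure event (two lines, so linecount=2) reports date_mday=11 and date_wday=monday although its UTC instant is still Sunday the 10th, and the app_log event has an _time (taken from index_time) but no date_* fields whatsoever, so a search that groups by date_hour silently drops it.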