Examining the Twitter event
Before going further, it is useful to stop and closely examine the events that are collected as
part of the search. The sample tweet shown in the following screenshot shows the large
number of fields that are part of each tweet. The > was clicked to expand the event:
A Twitter event
There are several items to look closely at here:
1. _time: Splunk assigns a timestamp to every event. This is recorded in UTC (Coordinated Universal Time) format.
2. contributors: The value for this field is null, as are the values of many Twitter fields.
3. Retweeted_status: Notice the {+} here; in the following event list, you will see that a number of fields are associated with this, and they become visible when the + is selected and the list is expanded. This is the case wherever you see a {+} in a list of fields:
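To make the three observations above concrete, here is an added example (not code from the book or from Splunk) that takes a constructed sample tweet, flattens its nested JSON into the dotted field names you see after expanding a {+}, lists the fields that arrive as null, and converts created_at into a UTC timestamp of the kind shown as _time. The sample tweet, its ids, and the helper names (parse_tweet, flatten_event, null_fields, nested_fields, event_time_utc) are all assumptions made for this illustration.

```python
"""Flatten a Twitter JSON event the way Splunk's event list presents it.

Added example, not from the book or from Splunk. It shows why a nested object
such as retweeted_status expands into many dotted sub-fields, which fields
arrive as JSON null, and how created_at maps to a UTC timestamp.
"""
import json
from datetime import datetime, timezone

# Constructed sample tweet: ids, handles and text are placeholders, not a real tweet.
SAMPLE_TWEET = json.dumps({
    "created_at": "Wed Oct 10 20:19:24 +0000 2018",
    "id_str": "0000000000000000001",
    "text": "RT @example_account_b: placeholder retweet text",
    "contributors": None,
    "coordinates": None,
    "geo": None,
    "user": {"id_str": "0000000000000000002",
             "screen_name": "example_account_a", "verified": False},
    "entities": {"hashtags": [{"text": "splunk"}], "urls": []},
    "retweeted_status": {
        "created_at": "Wed Oct 10 19:00:00 +0000 2018",
        "id_str": "0000000000000000003",
        "text": "placeholder original tweet text",
        "contributors": None,
        "user": {"id_str": "0000000000000000004",
                 "screen_name": "example_account_b"},
        "retweet_count": 3,
    },
})

# Twitter's created_at layout, e.g. "Wed Oct 10 20:19:24 +0000 2018".
TWITTER_TIME_FORMAT = "%a %b %d %H:%M:%S %z %Y"


def parse_tweet(raw: str) -> dict:
    """Parse one raw JSON event as a Twitter input would deliver it."""
    return json.loads(raw)


def flatten_event(obj, prefix: str = "") -> dict:
    """Flatten nested dicts and lists into dotted field names.

    A nested dict becomes prefix.key; members of a list become prefix{}.key and
    are collected into a multivalue list. An empty list yields no field at all,
    which matches what an expanded event shows for an empty array.
    """
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            flat.update(flatten_event(value, name))
    elif isinstance(obj, list):
        for item in obj:
            for name, value in flatten_event(item, f"{prefix}{{}}").items():
                flat.setdefault(name, []).append(value)
    else:
        flat[prefix] = obj
    return flat


def null_fields(flat: dict) -> list:
    """Fields present in the event but carrying a JSON null, like contributors."""
    return sorted(name for name, value in flat.items() if value is None)


def nested_fields(flat: dict, parent: str) -> list:
    """Sub-fields hidden behind the {+} of a nested object such as retweeted_status."""
    return sorted(name for name in flat if name.startswith(parent + "."))


def event_time_utc(tweet: dict) -> str:
    """Convert created_at to an ISO-8601 UTC timestamp (the form _time is kept in)."""
    parsed = datetime.strptime(tweet["created_at"], TWITTER_TIME_FORMAT)
    return parsed.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    tweet = parse_tweet(SAMPLE_TWEET)
    flat = flatten_event(tweet)
    print("_time:", event_time_utc(tweet))
    print("null fields:", null_fields(flat))
    print("retweeted_status sub-fields:", nested_fields(flat, "retweeted_status"))
```

Running the script prints the UTC timestamp, the four null fields (three at the top level plus retweeted_status.contributors), and the seven sub-fields that sit behind the retweeted_status {+}; the same flattening rule applies to any other nested object in the event.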