Fields
Each event in Splunk is associated with a number of fields. The core fields of host, source,
sourcetype, and timestamp are key to Splunk. These fields are extracted from events at
multiple points in the data processing pipeline that Splunk uses, and each field consists of
a name and a value. The name describes the field (such as userid) and the value says what
that field's value is (susansmith, for example). Some of these fields are default fields that
are assigned because of where the event came from or what it is. Splunk uses these fields
both when it indexes data and when it searches it. For indexing, the default fields added
include host, source, and sourcetype. When searching, Splunk can select from a bevy of
fields that are either defined by the user or very basic, such as whether an action results in
a purchase (for a website event). Fields are essential for doing the basic work of Splunk,
that is, indexing and searching.
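The two-stage model described above (default fields attached at index time, further name=value fields pulled from the raw text at search time) is easier to see in code. The following is an added example written for this page, not Splunk's own implementation or any Splunk SDK call; the event lines, hosts, sources and sourcetypes are constructed sample data, and the key=value regular expression stands in for Splunk's automatic extraction.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (not from the original page): (host, source, sourcetype, raw text).
SAMPLE_EVENTS = [
    ("web01", "/var/log/app/audit.log", "app_audit",
     "2024-03-01T10:15:00Z userid=susansmith action=purchase item=1234"),
    ("web01", "/var/log/app/audit.log", "app_audit",
     "2024-03-01T10:16:30Z userid=bobjones action=view item=1234"),
    ("db01", "/var/log/auth.log", "linux_secure",
     "2024-03-01T10:17:05Z userid=root action=login result=failure"),
]

# Hypothetical stand-in for automatic key=value extraction: name=value or name="quoted value".
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Timestamp at the start of each constructed line (ISO 8601, UTC).
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)')


def index_event(host, source, sourcetype, raw):
    """Index-time step: attach the default fields (host, source, sourcetype)
    and the parsed timestamp to the raw event text."""
    m = TS_RE.match(raw)
    ts = None
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"host": host, "source": source, "sourcetype": sourcetype,
            "_time": ts, "_raw": raw}


def extract_fields(event):
    """Search-time step: pull name=value pairs out of _raw.
    setdefault keeps a default field from being overwritten by a pair
    in the raw text that happens to use the same name (e.g. host=...)."""
    fields = dict(event)
    for name, value in KV_RE.findall(event["_raw"]):
        fields.setdefault(name, value.strip('"'))
    return fields


def search(events, **criteria):
    """Return the events whose default or extracted fields match every criterion,
    e.g. search(INDEX, action="purchase") or search(INDEX, host="web01")."""
    hits = []
    for ev in events:
        f = extract_fields(ev)
        if all(f.get(k) == v for k, v in criteria.items()):
            hits.append(f)
    return hits


# Build the in-memory "index" from the constructed events.
INDEX = [index_event(*e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in search(INDEX, action="purchase"):
        print(hit["_time"], hit["host"], hit["userid"])
    for hit in search(INDEX, sourcetype="linux_secure", result="failure"):
        print(hit["_time"], hit["host"], hit["userid"], hit["action"])
```

Because host, source and sourcetype are fixed when the event is indexed, a search can be narrowed by them before any raw-text extraction runs; the userid, action and result fields only exist once extract_fields has looked at _raw, which is why they are the ones a user would typically define or refine.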