Next we find the search bar. This is where the magic starts. We'll go into great
detail shortly.

The All indexed data panel shows statistics for all indexed data. Remember that this
only reflects indexes that this particular user searches by default. There are other
events that are indexed by Splunk, including events Splunk indexes about itself.
We will discuss indexes in Chapter 9, Building Advanced Dashboards.

The next three panels give a breakdown of your data using three important pieces of
metadata—source, sourcetype, and host.

A source in Splunk is a unique path or name. In a large installation, there may be
thousands of machines submitting data, but all data at the same path across these
machines counts as one source. When the data source is not a file, the value of the
source can be arbitrary, for instance the name of a script or network port.

A source type is an arbitrary categorization of events. There may be many sources
across many hosts in the same source type. For instance, given the sources
/var/log/access.2012-03-01.log and /var/log/access.2012-03-02.log on the hosts
fred and wilma, you could reference all of these logs with source type access
or any other name you like.