° Next appear any workflow actions that have been configured.
Workflow actions let you create new searches or links to other
sites using data from an event. We will discuss workflow actions
in Chapter 6, Extending Search.
• Next comes the parsed date from this event, displayed in the time zone
selected by the user. This is an important and often confusing distinction.
In most installations, everything is in one time zone—the servers, the user,
and the events. When one of these three things is not in the same time zone
as the others, things can get confusing. We will discuss time in great detail
in Chapter 2, Understanding Search.
• Next, we see the raw event itself. This is what Splunk saw as an event.
With no help, Splunk can do a good job finding the date and breaking
lines appropriately, but as we will see later, with a little help, event
parsing can be more reliable and more efficient.
• Below the event are the fields that were selected in the field picker.
Clicking on the value adds the field value to the search. Each field
value also has a menu:
° Tag fieldname=value allows you to create a tag that can be used
for classification of events. We will discuss tags in Chapter 6,
Extending Search.
° Report on field launches a wizard showing the values of this field
over time.
° Workflow actions can also appear in these field menus, allowing
you to create actions that link to new searches or external sites
by using a particular field value.
 