English 中文(简体)
Splunk - Field Searching
  • 时间:2024-12-22

Splunk - Field Searching


Previous Page Next Page  

When Splunk reads the uploaded machine data, it interprets the data and spanides it into many fields which represent a single logical fact about the entire data record.

For example, a single record of information may contain server name, timestamp of the event, type of the event being logged whether login attempt or a http response, etc. Even in case of unstructured data, Splunk tries to spanide the fields into key value pairs or separate them based on the data types they have, numeric and string, etc.

Continuing with the data uploaded in the previous chapter, we can see the fields from the secure.log file by cpcking on the show fields pnk which will open up the following screen. We can notice the fields Splunk has generated from this log file.

Field Search

Choosing the Fields

We can choose what fields to be displayed by selecting or unselecting the fields from the pst of all fields. Cpcking on all fields opens a window showing the pst of all the fields. Some of these fields have check marks against them showing they are already selected. We can use the check boxes to choose our fields for display.

Besides the name of the field, it displays the number of distinct values the fields have, its data type and what percentage of events this field is present in.

Field Search

Field Summary

Very detailed stats for every selected field become available by cpcking on the name of the field. It shows all the distinct values for the field, their count and their percentages.

Field Search

Using Fields in Search

The field names can also be inserted into the search box along with the specific values for the search. In the below example, we aim to find all the records for the date, 15th Oct for the host named mailsecure_log. We get the result for this specific date.

Field Search Advertisements