Throughout this chapter you have been running Splunk search queries that return data. Before going any further, it is important to understand what events and fields are, because they are essential to understanding what happens when Splunk runs over the data.
In Splunk, data is divided into events. An event is like a record, such as a log file entry or another type of input data, and it can have many attributes (fields) or just a few. When a search query succeeds, it returns events from the Splunk indexes the search is run against. With live streaming data, events can arrive in Splunk very quickly.
Every event is given a number of default fields. For a complete listing, go to http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Aboutdefaultfields. We will now go through some of these default fields:
- Timestamp: A timestamp is applied as the event is indexed in Splunk. Splunk typically determines what timestamp to assign from the raw data it receives. For example, as a shopper clicks on the final purchase button on an e-commerce website, data is collected about precisely when the sale occurred. Splunk can usually automatically detect this from the raw data.
- Host: The host field holds the hostname, IP address, or fully qualified domain name of the device the data came from.
- Index: The index field describes where the event is stored, giving the specific name of the index.
- Source: The source field tells us where the data came from, specifically the file, data stream, or other data input.
- Sourcetype: The sourcetype is the format of the data input from which the data came. Common sourcetypes are access_combined, access_custom, and cisco_syslog.
- Linecount: The linecount is simply the number of lines contained in the event.
These default fields are key/value pairings that are added to events when Splunk indexes data. Think of fields as a quick way to categorize and group events. Fields are the primary constituents of all search queries. In later chapters, you will learn more about fields and how to create custom fields from events.
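As an added illustration, not code from the book or from Splunk itself, the following Python sketch models how the default fields above attach to a raw event: the timestamp is taken from the raw data where one can be recognised (here only the `access_combined` bracketed form is handled, an assumption; Splunk's own timestamp detection is far broader), index time is used as the fallback, and linecount is derived from the raw text. The sample log lines are constructed.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (not real traffic): one access_combined line,
# and one two-line event with no recognisable timestamp.
SAMPLE_ACCESS = ('10.0.0.5 - - [10/Oct/2023:13:55:36 -0700] "GET /checkout HTTP/1.1" '
                 '200 2326 "https://shop.example/cart" "Mozilla/5.0"')
SAMPLE_MULTILINE = "Unhandled exception in order service\n  at Checkout.finalize()"

# Bracketed access-log timestamp, e.g. [10/Oct/2023:13:55:36 -0700]
ACCESS_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def extract_timestamp(raw: str) -> Optional[float]:
    """Return epoch seconds for the first access-log timestamp in raw, or None."""
    m = ACCESS_TS_RE.search(raw)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()


def build_event(raw: str, host: str, source: str, sourcetype: str,
                index: str = "main", index_time: Optional[float] = None) -> dict:
    """Attach default fields to a raw event, using Splunk-style names
    (_raw, _time, host, source, sourcetype, index, linecount).

    _time comes from the raw data when a timestamp is recognised; otherwise the
    time the event was indexed is used, which is the fallback Splunk applies too.
    """
    ts = extract_timestamp(raw)
    if ts is None:
        ts = index_time if index_time is not None else datetime.now(timezone.utc).timestamp()
    return {
        "_raw": raw,
        "_time": ts,
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "index": index,
        "linecount": raw.count("\n") + 1,
    }


if __name__ == "__main__":
    ev = build_event(SAMPLE_ACCESS, "web01", "/var/log/httpd/access_log", "access_combined")
    print({k: v for k, v in ev.items() if k != "_raw"})
```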