![]() Search is the primary way users navigate data in Splunk software. Events are retrieved from one or more indexes during a search. By default, data is stored in the “main” index. You can create new indexes for different inputs. When data is added, Splunk software parses the data into individual events, extracts the timestamp, applies line-breaking rules, and stores the events in an index. Fields are extracted from the raw text for the event. When a search starts, referred to as search-time, indexed events are retrieved from disk. Each event is written to an index on disk, where the event is later retrieved with a search request. Line-breaking rules are applied to segment the events to display in the search results. Timestamps are extracted, and the data is parsed into individual events. Index-Time and Search-Timeĭuring index-time processing, data is read from a source on a host and is classified into a source type. Use tags to group related field values together, or to track abstract field values such as IP addresses or ID numbers by giving them more descriptive names. You can assign one or more tags to any field/value combination, including event types, hosts, sources, and source types. TagsĪ tag is a knowledge object that enables you to search for events that contain particular field values. Use the Field Extractor tool to automatically generate and validate field extractions at searchtime using regular expressions or delimiters such as spaces, commas, or other characters. When Splunk software processes events at index-time and search-time, the software extracts fields based on configuration file definitions and user-defined patterns. Using fields, you can write tailored searches to retrieve the specific events that you want. Not all events have the same fields and field values. ![]() For example, events from the fileįields are searchable name and value pairings that distinguish one event from another. Host, Source, and Source TypeĮvents with the same source types can come from different sources. ![]() Some common source types are HTTP web server logs and Windows event logs. Sources are classified into source types, which can be either well known formats or formats defined by the user. A source is the name of the file, directory, data stream, or other input from which a particular event originates. It can be used to find all data originating from a specific device. Metric data points and events can be searched and correlated together, but are stored in separate types of indexes.Ī host is the name of the physical or virtual device where an event originates. kb=345ĭimensions: hq=us-west-1, group=queue, name=azd Dimensions provide additional information about the measurements. A measurement is a metric name and corresponding numeric value. MetricsĪ metric data point consists of a timestamp and one or more measurements. Transactions can represent a multistep business-related activity, such as all events related to a single customer session on a retail website. You can also define transactions to search for and group together events that are conceptually related but span a duration of time. This is an example of an event in a web activity log:ġ73.26.34.223 - “GET /trade/ app?action=logout HTTP/1.1” 200 2953 Text document, a configuration file, an entire stack trace, and so on. It is a single entry of data and can have one or multiple lines.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |