Introduction

Splunk default fields

Splunk server adds the following default fields to each event in every index.

Field Name

Description

Values/Range

Anchor

	date_hour
	date_hour

date_hour

Indicates the hour when an event occurred. To narrow your search for specific event timestamps, you can use the default datetime fields. Click here for more information on datetime fields.

Range: 0-23

Anchor

	date_mday
	date_mday

date_mday

Indicates the day of the month when the event occurred

Range: 1-31

Anchor

	date_minute
	date_minute

date_minute

Indicates the exact minute when the event occurred

Range: 0-59

Anchor

	date_month
	date_month

date_month

Indicates the month during which an event occurred

Anchor

	date_second
	date_second

date_second

Indicates the second in which an event occurred

Range: 0-59

Anchor

	date_wday
	date_wday

date_wday

Indicates the day of the week in which an event occurred

Example: Sunday, Monday, etc.

Anchor

	date_year
	date_year

date_year

Indicates the year in which an event occurred

Anchor

	date_zone
	date_zone

date_zone

Indicates the time for the local timezone of an event, expressed as hours in Unix Time

Anchor

	eventtype
	eventtype

eventtype

Indicates events of the same type based on a given search. Click here for more information

Example: splunkd-log

Anchor

	host
	host

host

Contains information about the originating hostname or a network IP address that generates the event

Example: reporting-1.com

Anchor

	index
	index

index

Contains the name of the index with which a given event is indexed

Example: ib_dns_summary

Anchor

	linecount
	linecount

linecount

Contains information about the number of lines in an event before it is indexed

Example: 1

Anchor

	punct
	punct

punct

Contains information about the pattern of the first thirty punctuation characters in the first line of the event with which it is associated. It shows how an event looks when all letters, numbers, and spaces are removed and contains characters such as periods, colons, parentheses, quotes, question marks, dashes, and underscores. Click here for more information.

Wiki Markup
Example: -_::._\[\]:___.../_=

Anchor

	source
	source

source

Contains the name of the file, stream, or other input details from which the event originates

Example: si-search-dns-query-reply

Anchor

	sourcetype
	sourcetype

sourcetype

Specifies the format of data input from which the event originates

Stash

Anchor

	splunk_server
	splunk_server

splunk_server

Contains the name of the Splunk server that comprises the event

Example: reporting-2.com-2-slave

Anchor

	splunk_server_group
	splunk_server_group

splunk_server_group

Contains the name of the Splunk server group

String

Anchor
_Commonly_extracted_fields
_Commonly_extracted_fields
Commonly extracted fields

Field Name

Description

Values/Range

Source of Data

Anchor

	EA
	EA

EA

Specifies the extensible attribute

String

'__grouping_by_ea_tag_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/grouping_by_ea_tag_map.csv with 'host' value as input OR'pool_ea_lookup_csv' lookup from /storage/splunk/etc/apps/infoblox/lookups/idns_pools.csv with 'pool' value as inputOR'resource_pool_ea_lookup_csv' lookup from /storage/splunk/etc/apps/infoblox/lookups/idns_resources.csv with 'RESOURCE' value as inputOR'network_ea_lookup_csv' lookup from /storage/splunk/etc/apps/infoblox/lookups/network.csv with 'NETWORK' value as input

Anchor

	HWTYPE
	HWTYPE

HWTYPE

Specifies the hardware type

Example: IB-4030

nios_member_hw_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with 'host' value as input.

Anchor

	MAX_DB_OBJECTS
	MAX_DB_OBJECTS

MAX_DB_OBJECTS

Specifies the maximum objects in the database for a host

'nios_member_hw_lookup' lookup from /storage/splunk/etc/ap. Example: 8000000.

Anchor

	MAX_DHCP_LPS
	MAX_DHCP_LPS

MAX_DHCP_LPS

Specifies the maximum number of DHCP leases per second for a host

Example: 15.0

'nios_member_hw_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with 'host' value as input.

Anchor

	MAX_DNS_QPS
	MAX_DNS_QPS

MAX_DNS_QPS

Specifies the maximum DNS queries per second for a host

Example: 1000000.0

'nios_member_hw_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_hw.csv with 'host' value as input.

Anchor

	Member_IP
	Member_IP

MEMBER_IP

Specifies the IP address of the member

IP address

'nios_member_ip_lookup' lookup from /storage/splunk/etc/apps/infoblox/lookups/nios_member_ip.csv with 'host' value as input

Anchor

	timeendpos
	timeendpos

timeendpos

Specifies the byte at which the timestamp ends. These values are based on the TIME_FORMAT that is specified for a sourcetype under props.conf.

Example: 26

Anchor

	timestartpos
	timestartpos

timestartpos

Specifies the byte at which the timestamp starts

Example: 0

...

Extracted Field Name	Description of the field	Values/Range	Source of Data
ActionACTION	Indicates the action taken	String. Example: Called	Infoblox audit logs
ADMIN	Indicates the name of the admin	String. Example: root	Infoblox audit logs
EA	Common Extracted fields
EXEC_STATUS	Indicates the execution status	String. Example: Pending Approval	Infoblox audit logs
HWTYPE	Common Extracted fields
MAX_DB_OBJECTS	Common Extracted fields
MAX_DHCP_LPS	Common Extracted fields
MAX_DNS_QPS	Common Extracted fields
MEMBER_IP	Common Extracted fields
MESSAGE	Indicates the message	String. Example: to=Serial 040Console apparently_via=Direct auth=Local group=.admin-group	Infoblox audit logs
OBJECT_NAME	Indicates the object name	String. Example: RequestRestartServiceStatus	Infoblox audit logs
OBJECT_TYPE	Indicates the object type	String. Example: Shared AAAA Record	Infoblox audit logs
TIMESTAMP	Indicates the timestamp	Timestamp. Example: 2017-01-31 01:57:05	Infoblox audit logs
action	Indicates the action	Example: update, insert	Infoblox audit logs
address		Example: 10.0.0.0	Infoblox audit logs
auth		Example: Local	Infoblox audit logs
cidr		Example: 8	Infoblox audit logs
code		Example: created	Infoblox audit logs
comment		String	Infoblox audit logs
date_hour	Splunk Default field
date_mday	Splunk Default field
date_minute	Splunk Default field
date_month	Splunk Default field
date_second	Splunk Default field
date_wday	Splunk Default field
date_year	Splunk Default field
date_zone	Splunk Default field
eventtype	Splunk Default field
group		Example: admin-group	Infoblox audit logs
host	Splunk Default field
index	Splunk Default field
linecount	Splunk Default field
member		Example: Member:infoblox.localdomain	Infoblox audit logs
network_view		Example: default	Infoblox audit logs
punct	Splunk Default field
source	Splunk Default field
sourcetype	Splunk Default field
splunk_server	Splunk Default field
splunk_server_group	Splunk Default field
user		Example: admin	Infoblox audit logs

...

Extracted Field Name

Description of the field

Values/Range

Source of Data

CLIENT

Indicates the DNS client

String

Infoblox DNS query

COUNT

Indicates the count

Integer

Infoblox DNS query and DNS Record Scavenging

EA

Common Extracted fields

FQDN

Indicates the FQDN

String

Infoblox DNS query

HITS

Indicates the DNS cache hits count

Integer

Infoblox DNS query

HNAME

Indicates the HNAME

String

Infoblox DNS query

HWTYPE

Common Extracted fields

LATENCY

Indicates the latency count

Integer

Infoblox DNS performance

MAX_DB_OBJECTS

Common Extracted fields

MAX_DHCP_LPS

Common Extracted fields

MAX_DNS_QPS

Common Extracted fields

MEMBER

Specifies the member

String

DNS Record Scavenging

MEMBER_IP

Common Extracted fields

MISSES

Specifies DNS cache miss count

Integer

Infoblox DNS query

QCOUNT

Specifies query count

Integer

Infoblox DNS query

REST

String

Infoblox DDNS

SOURCE

String

Infoblox DDNS

SOURCEA

IP address

Infoblox DDNS

TLD

Specifies the top-level domain name

String

Infoblox DNS query

TYPE

RR Type

String. Example: nxdomain

Infoblox DNS query and DNS Record Scavenging

TYPEA

String. Example: Success

Infoblox DDNS

VIEW

It refers to the DNS view key to map DNS view through lookup. See display_name field.

String

Infoblox DNS query

ZONE

Indicates the name of the zone

String

Infoblox DDNS

date_hour

Extracted Field Name	Description of the field	Reports	Values/Range	Source of Data	Remarks
CLIENT	Specifies the IP address of the DNS client		Example: 10.39.18.60
COUNT	Specifies the count of DNS queries	si_dns_top_clients	Integer
	Specifies the count of SERVFAIL errors that are received for DNS clients	si_top_servfail_received_queries	Integer
	Specifies the count of NXDOMAIN/NOERROR replies for DNS clients	si_top_nxdomain_query	Integer
	Specifies the count of DNS domain name requests	si_dns_requested_domain	Integer
	Specifies the count of DNS queries per second	si_dns_qps_trend	Integer
	Specifies the count of DNS SERVFAIL errors that are sent for DNS queries	si_top_servfail_sent_queries	Integer
	Specifies the count of DNS timed-out recursive queries	si_top_timeout_queries	Integer
	Specifies the average count of DNS RPX hits	si_dns_rpz_hits	Integer
	Specifies the count of DNS clients per domain	si_top_clients_per_domain	Integer
EA	Common Extracted fields
FQDN	Specifies the fully qualified domain name	si_dns_requested_domain, si_top_clients_per_domain	Example: 213.31.102.10.in-addr.arpa
HWTYPE	Common Extracted fields
MAX_DB_OBJECTS	Common Extracted fields
MAX_DHCP_LPS	Common Extracted fields
MAX_DNS_QPS	Common Extracted fields
MEMBER	Specifies the member		String	Infoblox DNS Summary
MEMBER_IP	Common Extracted fields
TLD	Specifies top level domain names	si_dns_requested_domain	Example: arpa
TYPE	Specifies the DNS response type	si_dns_query_reply, si_dns_qps_trend, si_ddns_update	SUCCESS/NOERROR or REFERRAL or NXRRSET or NXDOMAIN or REFUSED or OTHER
VIEW	It refers to the DNS view key to map DNS view through lookup. See display_name field.	si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, si_top_servfail_received_queries	Example: _default
date_hour	Splunk Default field
date_mday	Splunk Default field
date_minute	Splunk Default field
date_month	Splunk Default field
date_second	Splunk Default field
date_wday	Splunk Default field
date_year	Splunk Default field
date_zone	Splunk Default field
display_name	Specifies the DNS view	si_dns_requested_domain, si_dns_top_clients, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend, si_ddns_update, si_dns_cache_hit_ratio, si_dns_rpz_hits, si_top_clients_per_domain, si_top_timeout_queries, si_top_servfail_sent_queries, si_top_nxdomain_query, si_top_servfail_received_queries	Example: default.MS-2016		Lookup from dns_viewkey_displayname.csv using the VIEW field value.
eventtype	Splunk Default field
host	Splunk Default field
index	Splunk Default field
info_max_time	Common summary index fields
info_min_time	Common summary index fields
info_search_time	Common summary index fields
linecount	Splunk Default field
orig_host	Specifies the host name of the data source		Example: infoblox.com		Splunk added default field
psrsvd_ct_COUNT	Here, ct = count. Contains the count information for the COUNT field.	si_dns_query_reply,si_dns_qps_trend			Splunk added special field
psrsvd_ct_LATENCY	Contains the count information for the LATENCY field	si_dns_response_latency_trend			Splunk added special field
psrsvd_ct_QCOUNT	Contains the count information for the QCOUNT field	si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend			Splunk added special field
psrsvd_gc	Here, gc = group count. It indicates the count for stats "grouping" and it is not scoped to a single field.	si_dns_query_reply, si_dns_response_latency_trend, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend			Splunk added special field
psrsvd_nc_COUNT	Here, nc = numerical count. It indicates the number of numerical values and contains the numerical count information for the COUNT field.	si_dns_query_reply, si_dns_qps_trend			Splunk added special field
psrsvd_nc_LATENCY	Contains the numerical count information for the LATENCY field	si_dns_response_latency_trend			Splunk added special field
psrsvd_nc_QCOUNT	Contains the numerical count information for the QCOUNT field	si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend			Splunk added special field
psrsvd_nx_QCOUNT	Here, nx = maximum numerical value. Contains the maximum numerical value information for the QCOUNT field.	si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day			Splunk added special field
psrsvd_sm_COUNT	Here, sm = sum. Contains the sum information for the COUNT field.	si_dns_query_reply, si_dns_qps_trend			Splunk added special field
psrsvd_sm_LATENCY	Contains the sum information for the LATENCY field.	si_dns_response_latency_trend			Splunk added special field
psrsvd_sm_QCOUNT	Contains the sum information for the QCOUNT field	si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend			Splunk added special field
psrsvd_sx_QCOUNT	Here, sx = maximum lexicographical value. Contains the maximum lexicographical value information for the QCOUNT field	si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day			Splunk added special field
psrsvd_v	Here, v = versio. This is not scoped to a single field.	si_dns_query_reply, si_dns_response_latency_trend, si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend, si_dns_qps_trend			Splunk added special field
psrsvd_vt_COUNT	Here, vt = value type. Contains precision of the associated field. This field contains precision of the COUNT field.	si_dns_query_reply, si_dns_qps_trend			Splunk added special field
psrsvd_vt_LATENCY	Contains precision of the LATENCY field	si_dns_response_latency_trend			Splunk added special field
psrsvd_vt_QCOUNT	Contains precision of the QCOUNT field	si_dns_member_qps_trend_per_hour, si_dns_member_qps_trend_per_day, si_dns_member_qps_trend			Splunk added special field
report	Contains the name of the report that populates the summary index
	DNS Scavenge Object Count Trend data	si_dns_reclaimed_object_count_trend
	DNS Top Clients report data	si_dns_top_clients
	DNS Replies Trend data	si_dns_query_reply
	DNS Top SERVFAIL Errors Received Report data	si_top_servfail_received_queries
	DNS Response Latency Trend data	si_dns_response_latency_trend
	DNS Daily Peak Hour Query Rate by Member Report data	si_dns_member_qps_trend_per_hour
	DNS Top NXDOMAIN / NOERROR (no data) Report data	si_top_nxdomain_query
	DNS Daily Query Rate by Member Report data	si_dns_member_qps_trend_per_day
	DNS Query Rate by Member Report data	si_dns_member_qps_trend
	DNS Top Requested Domain Names Report data	si_dns_requested_domain
	DNS Queries Per Second Trend data	si_dns_qps_trend
	DNS Top SERVFAIL Errors Sent Report data	si_top_servfail_sent_queries
	DDNS Update Rate Trend data	si_ddns_update
	DNS Cache Hit Rate Trend data	si_dns_cache_hit_ratio
	DNS Top Timed-Out Recursive Queries Report data	si_top_timeout_queries
	DNS RPZ Hits Reports data	si_dns_rpz_hits
	DNS Top Clients per Domain Report data	si_top_clients_per_domain
search_name	Common summary index fields
search_now	Common summary index fields
source	Splunk Default field
sourcetype	Splunk Default field
splunk_server	Splunk Default field
splunk_server_group	Splunk Default field
timeendpos	Common extracted fields
timestartpos	Common extracted fields

Page Comparison

Versions Compared

Old Version 9

New Version 10

Key

Splunk default fields

Anchor_Commonly_extracted_fields_Commonly_extracted_fieldsCommonly extracted fields

Anchor
_Commonly_extracted_fields
_Commonly_extracted_fields
Commonly extracted fields