Understanding metadata fields
The following list details the default metadata fields assigned by Splunk during the inputs phase. Note that field names are always case-sensitive. We will discuss the different phases that data goes through in the Data indexing phases section:
host– This describes from which host, device, or machine the data originates.source– This represents the input source or origin of the indexed data.sourcetype– The type of machine data. For example, on Windows hosts, we may seeWinEventLogsorActiveDirectory.index– This allows us to provide an index name in theinputs.conffile; otherwise,mainis used by default._time– This records the time of the event in Unix-epoch format. Splunk tries to automatically detect this during the parsing phase, or alternatively the administrator can configure this through thesourcetypesettings.
If the data input doesn’t specify metadata fields in...
