Re: Can you help me in Identifying metadata?

adamfrisbee · ‎01-14-2019

In the Splunk documentation for events, it lists this mock event

172.26.34.223 - - [01/Jul/2017:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

I need help identifying the host, source, and source type of this event. I can identify the host as 172.26.34.223, the timestamp as [01/Jul/2017:12:05:27 -0700 and I believe the source here is GET /trade/app?action=logout HTTP/1.1 but what is the source type?

nikita_p · ‎01-15-2019

Hi,
I believe that source you have indexed the data, if yes then you will find host, source and sourcetype in your all fields or you can also run the following search to find source or sourcetypes
| tstats values(source) where index = * by index OR | tstats values(sourcetype) where index = * by index

dkeck · ‎01-14-2019

Hi,

in your search app you can identify your sourcetype in the field section left of your event. Sourcetype should be a selected field by default, if not, you can find it further down in alphabetical order in Interesting Fields.

somesoni2 · ‎01-14-2019

Those metadata fields are defined at data input level (host/source/sourcetype/index etc). When you setup your data monitoring, that's when you'd specify them OR default values are taken. See this for more details:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

Can you help me in Identifying metadata?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation