Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can you help me in Identifying metadata?

adamfrisbee
Explorer
‎01-14-2019 08:33 AM

In the Splunk documentation for events, it lists this mock event

172.26.34.223 - - [01/Jul/2017:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953

I need help identifying the host, source, and source type of this event. I can identify the host as 172.26.34.223, the timestamp as [01/Jul/2017:12:05:27 -0700 and I believe the source here is GET /trade/app?action=logout HTTP/1.1 but what is the source type?

0 Karma
Reply

nikita_p
Contributor
‎01-15-2019 01:22 AM

Hi,
I believe that source you have indexed the data, if yes then you will find host, source and sourcetype in your all fields or you can also run the following search to find source or sourcetypes
| tstats values(source) where index = * by index OR | tstats values(sourcetype) where index = * by index

0 Karma
Reply

dkeck
Influencer
‎01-14-2019 10:40 PM

Hi,

in your search app you can identify your sourcetype in the field section left of your event. Sourcetype should be a selected field by default, if not, you can find it further down in alphabetical order in Interesting Fields.

0 Karma
Reply

somesoni2
Revered Legend
‎01-14-2019 12:45 PM

Those metadata fields are defined at data input level (host/source/sourcetype/index etc). When you setup your data monitoring, that's when you'd specify them OR default values are taken. See this for more details:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Aboutdefaultfields

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...