Use default fields
Fields are searchable name-value pairs in event data. When you search, you're matching search
terms against segments of your event data; you can search more precisely by using fields. Fields are
extracted from event data at either index time or search time. The fields that are extracted
automatically at index time are known as default fields.
Default fields serve a number of purposes. For example, the default field index identifies the index
in which the event is located. The default field linecount describes the number of lines the event
contains, and timestamp specifies the time at which the event occurred. Splunk software uses the
values in some of the fields, particularly sourcetype , when indexing the data, in order to create
events properly. After the data has been indexed, you can use the default fields in your searches.
For more information on using default fields in search commands, see About the search language in
the Search Manual. For information on configuring default fields, see About default fields in the
Getting Data In manual.
Type of field: Internal fields
  Fields: _raw, _time, _indextime, _cd, _bkt
  Description: Contain general information about events.

Type of field: Default fields
  Fields: host, index, linecount, punct, source, sourcetype, splunk_server, timestamp
  Description: These are fields that contain information about where an event originated, in which
  index it's located, what type it is, how many lines it contains, and when it occurred. These
  fields are indexed and added to the Fields menu by default.

Type of field: Default datetime fields
  Fields: date_hour, date_mday, date_minute, date_month, date_second, date_wday, date_year, date_zone
  Description: These are fields that provide additional searchable granularity to event timestamps.
  Note: Only events that have timestamp information in them as generated by their respective
  systems will have date_* fields. If an event has a date_* field, it represents the value of
  time/date directly from the event itself. If you have specified any timezone conversions or
  changed the value of the time/date at indexing or input time (for example, by setting the
  timestamp to be the time at index or input time), these fields will not represent that.
A field can have more than one value. See Manipulate and evaluate fields with multiple values.
Copyright 2025 Splunk. All rights reserved.
You might also want to change the name of a field, or group it with other similar fields. This is easily
done with tags or aliases for the fields and field values. See Tag field value pairs in Search.
This topic discusses the internal and other default fields that Splunk software automatically adds
when you index data.
Internal fields
Fields that begin with an underscore are internal fields.
NOTE: Do not override internal fields unless you are absolutely sure you know what you are
doing.
_raw
The _raw field contains the original raw data of an event. The search command uses the data in
_raw when performing searches and data extraction.
You cannot always search directly on values of _raw , but you can filter on _raw with commands
like regex or sort .
Example: Return sendmail events that contain an IP address that starts with 10 . The pattern is
anchored on a word boundary so that it does not also match addresses such as 110.x.x.x, and each
octet accepts one to three digits rather than exactly three:
eventtype=sendmail | regex _raw="\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
_time
The _time field contains an event's timestamp expressed in UNIX time (seconds since the epoch,
in UTC). This field is used to create the event timeline in Splunk Web.
Note: The _time field is stored internally as UTC epoch seconds. It is converted to a
human-readable time in the user's configured time zone only when Splunk software renders the
search results (the very last step of search-time event processing), so comparisons and
arithmetic on _time within a search operate on the epoch value.
Example: Search all sources of type mail for mail addressed to the user
strawsky@[Link] . Then sort the search results by timestamp.
sourcetype=mail to=strawsky@[Link] | sort _time
_indextime
The _indextime field contains the time that an event was indexed, expressed in Unix time. You
might use this field to focus on or filter out events that were indexed within a specific range of time;
the _index_earliest and _index_latest time modifiers apply a time range to _indextime instead of
_time . Because _indextime is a hidden field, it will not be displayed in search results unless
renamed or used with an eval (for example, eval lag=_indextime-_time shows how long after an
event occurred it was indexed).
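The following is an added example, not Splunk code or part of this documentation. It models why a scheduled search whose time range applies to _time can miss events that were indexed late (a forwarder that buffered while offline, for instance), and why a range on _indextime, which is what the _index_earliest and _index_latest modifiers apply, still finds them. The events, their epoch values and the three search functions are constructed for the example.

```python
"""
Added example (not from the Splunk documentation): a model of why a
scheduled search windowed on _time can miss late-arriving events, and
how a window on _indextime (the _index_earliest/_index_latest modifiers)
catches them. Events, times and the search functions are constructed
for this example; they are not Splunk code.
"""

# Constructed events, epoch seconds. The third was buffered on a
# forwarder that lost connectivity and was indexed 40 minutes late.
EVENTS = [
    {"_raw": "sshd: Accepted password for alice",  "_time": 1000, "_indextime": 1005},
    {"_raw": "sshd: Failed password for mallory",  "_time": 1500, "_indextime": 1502},
    {"_raw": "sshd: Failed password for mallory",  "_time": 1700, "_indextime": 4100},
]


def ingestion_lag(event):
    """Seconds between when the event occurred and when it was indexed
    (the SPL equivalent is `eval lag=_indextime-_time`)."""
    return event["_indextime"] - event["_time"]


def time_window_search(events, earliest, latest, run_at):
    """Model a scheduled search: earliest/latest apply to _time, and only
    events that were already indexed when the search ran are visible."""
    return [e for e in events
            if earliest <= e["_time"] < latest and e["_indextime"] <= run_at]


def index_time_window_search(events, index_earliest, index_latest):
    """Model _index_earliest/_index_latest: the window applies to
    _indextime, so an event is found by the first run after it is
    indexed, however old its _time is."""
    return [e for e in events
            if index_earliest <= e["_indextime"] < index_latest]


def missed_by_scheduled_search(events, window, run_times):
    """Run a _time-windowed search at each run time, looking back `window`
    seconds, and return the events that no run ever saw."""
    seen = set()
    for run_at in run_times:
        for e in time_window_search(events, run_at - window, run_at, run_at):
            seen.add(id(e))
    return [e for e in events if id(e) not in seen]


if __name__ == "__main__":
    runs = [1800, 3600, 5400]                  # a search every 30 minutes
    for e in missed_by_scheduled_search(EVENTS, 1800, runs):
        print("missed by _time window, lag", ingestion_lag(e), "s:", e["_raw"])
    print("found by _indextime window:",
          [e["_raw"] for e in index_time_window_search(EVENTS, 3600, 5400)])
```

The third event has _time inside the first run's window but was not yet indexed when that run executed, and every later run's window has moved past its _time, so a detection keyed on _time alone never evaluates it. Windowing on _indextime (or comparing _indextime-_time against a threshold) is the check to add when late arrivals matter.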
_cd
The _cd field provides an address for an event within the index. It is composed of two numbers, a
short number and a long number. The short number indicates the specific index bucket that the event
resides in. The long number is an index bucket offset. It provides the exact location of the event
within its bucket. Because _cd is a hidden field, it will not be displayed in search results unless
renamed or used with an eval . Because _cd is used for internal reference only, we do not
recommend that you set up searches that involve it.
_bkt
The _bkt field contains the id of the bucket that an event is stored in. Because _bkt is a hidden
field, it will not be displayed in search results unless renamed or used with an eval .
Other default fields
host
The host field contains the originating hostname or IP address of the network device that
generated the event. The value is assigned at input time by the forwarder or input configuration,
so it reflects what the data source was configured to report rather than an independently verified
origin. Use the host field to narrow searches by specifying a host value that events must match.
You can use wildcards to specify multiple hosts with a single expression (Example: host=corp* ).
You can use host to filter results in data-generating commands, or as an argument in data-
processing commands.
Example 1: Search for access events on all corp servers by the user strawsky , and report the 20
most recent events.
host=corp* eventtype=access user=strawsky | head 20
Example 2: Search for events containing the term 404 that are from any host whose address starts
with 192 . The pattern is anchored at both ends so that it matches only a complete dotted-quad value:
404 | regex host="^192\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
index
The index field contains the name of the index in which a given event is indexed. Specify an index
to use in your searches by using: index="name_of_index" . By default, all events are indexed in
the main index.
Example: Search the myweb index for events that have the .php extension.
index="myweb" *.php
linecount
The linecount field contains the number of lines an event contains. This is the number of lines an
event contains before it is indexed. Use linecount to search for events that match a certain
number of lines, or as an argument in data-processing commands. To specify a matching range, use
a greater-than and less-than expression (Example: linecount>10 linecount<20 ).
Example: Search corp1 for events that contain 40 and have 40 lines, and omit events that contain
400.
40 linecount=40 host=corp1 NOT 400
punct
The punct field contains a punctuation pattern that is extracted from an event. The punctuation
pattern is characteristic of an event format: events with the same structure share a pattern, and an
event whose pattern differs from the rest of its source type is structurally unusual. Use punct to
filter events during a search or as a field argument in data-processing commands.
You can use wildcards in the punct field to search for multiple punctuation patterns that share
some common characters that you know you want to search for. You must use quotation marks when
defining a punctuation pattern in the punct field.
Example 1: Search for all punctuation patterns that start and end with :
punct=":*:"
Example 2: Search the php_error.log for php error events that have the punctuation pattern
[--_::]__:___:____''/-..-''///.___ .
source="/var/www/log/php_error.log" punct="[--_::]__:___:____''/-..-''///.___"
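The following is an added example, not Splunk code or part of this documentation. It approximates how a punct pattern is derived and then uses the pattern the way a hunter uses `| rare punct` : group events of one source type by pattern and pull out the ones whose shape is unusual. The derivation rule is an assumption and a simplification of Splunk's actual implementation (letters and digits dropped, each space replaced by an underscore, all other characters kept in order); the access-log lines are constructed for the example.

```python
"""
Added example (not from the Splunk documentation): an approximation of
how a punct pattern is derived from an event, and the outlier hunt that
the field makes possible. Assumed rule, a simplification rather than
Splunk's exact implementation: letters and digits are dropped, each
space becomes "_", and every other character is kept in order. The log
lines are constructed for this example.
"""


def punct(raw):
    """Approximate punct for one event (see the assumed rule above)."""
    out = []
    for ch in raw:
        if ch.isalnum():
            continue                  # letters and digits contribute nothing
        out.append("_" if ch == " " else ch)
    return "".join(out)


def rare_patterns(lines, max_count=1):
    """Group events by punct and return the patterns seen at most
    max_count times with their events: the hunt `| rare punct` performs
    for events whose shape differs from the rest of a source type."""
    by_pattern = {}
    for line in lines:
        by_pattern.setdefault(punct(line), []).append(line)
    return {p: v for p, v in by_pattern.items() if len(v) <= max_count}


# Constructed access-log events; the third carries an injection attempt
# whose extra punctuation (? = ' % --) changes the pattern.
ACCESS_LOG = [
    '10.0.0.5 - - [06/Jan/2008:05:22:21 -0500] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [06/Jan/2008:05:22:23 -0500] "GET /about.php HTTP/1.1" 200 734',
    '10.0.0.9 - - [06/Jan/2008:05:22:25 -0500] "GET /login.php?user=admin\'%20OR%201=1-- HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for line in ACCESS_LOG:
        print(punct(line))
    for pattern, lines in rare_patterns(ACCESS_LOG).items():
        print("rare pattern", pattern, "->", lines)
```

The two ordinary requests collapse to one identical pattern even though their paths, hosts and sizes differ, which is what makes punct usable as a cheap structural fingerprint; the request carrying the injection payload stands out on punctuation alone, before any field extraction or keyword matching.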
source
The source field contains the name of the file, stream, or other input from which the event
originates. Use source to filter events during a search (in data-generating commands), or as an
argument in a data-processing command. You can use wildcards to specify multiple sources with a
single expression (Example: source=*[Link]* ).
Example: Search for events from the source /var/www/log/php_error.log .
source="/var/www/log/php_error.log"
sourcetype
The sourcetype field specifies the format of the data input from which the event originates, such
as access_combined or cisco_syslog . Use sourcetype to filter events during a search, or
as an argument in a data-processing command. You can use wildcards to specify multiple source
types with a single expression (Example: sourcetype=access* ).
Example: Search for all events that have the source type access_log .
sourcetype=access_log
splunk_server
The splunk_server field contains the name of the Splunk server (the indexer or search peer) that
holds the event. It is useful for narrowing a search to particular peers in a distributed Splunk
environment.
Example: Restrict a search to the main index on a server named remote .
splunk_server=remote index=main 404
timestamp
The timestamp field contains an event's timestamp value. You can configure the method that is
used to extract timestamps. You can use timestamp as a search command argument to filter
your search.
For example, you can add timestamp=none to your search to filter your search results to include
only events that have no recognizable timestamp value.
Example: Return the number of events in your data that have no recognizable timestamp.
timestamp=none | stats count(_raw) as count
Default datetime fields
You can use datetime fields to filter events during a search or as a field argument in data-processing
commands.
If you are located in a different time zone from the Splunk server, time-based searches use the
timestamp of the event as specified on the server where the event was indexed. The datetime values
are the literal values parsed from the event when it is indexed, regardless of its time zone. So, a
string such as 05:22:21 is parsed into the indexed fields
date_hour::5 date_minute::22 date_second::21 even though the _time of the same event
changes with the zone applied to it.
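The following is an added example, not Splunk code or part of this documentation. It derives _time and the date_* fields from one raw event to make the caveat stated above, and in the note in the field table, concrete: date_hour keeps the literal hour written in the event, while _time is a UTC epoch value that moves with the zone applied to the event. The timestamp format ( YYYY-MM-DD HH:MM:SS with an optional +HHMM / -HHMM zone), the sample sshd lines and the default_zone_minutes parameter standing in for a zone configured at input time are all assumptions made for the example.

```python
"""
Added example (not part of the Splunk documentation): how _time and the
default date_* fields are derived from one raw event, to show that date_*
hold the literal time written in the event while _time is a UTC epoch
value that shifts with the time zone applied to the event. Assumed,
simplified rule: the timestamp is "YYYY-MM-DD HH:MM:SS" with an optional
"+HHMM"/"-HHMM" zone; the format and the sample events are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

TS_RE = re.compile(
    r"(?P<year>\d{4})-(?P<month>\d{2})-(?P<mday>\d{2}) "
    r"(?P<hour>\d{2}):(?P<minute>\d{2}):(?P<second>\d{2})"
    r"(?: (?P<zone>[+-]\d{4}))?"
)
WDAY = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def extract_fields(raw, default_zone_minutes=0):
    """Return _time and the date_* fields for one raw event.

    default_zone_minutes stands in for a zone configured at input time
    (the TZ setting in props.conf) and is used only when the event
    carries no zone of its own. Events with no recognizable timestamp get
    timestamp="none", mirroring the timestamp=none search in this topic.
    """
    m = TS_RE.search(raw)
    if m is None:
        return {"_raw": raw, "timestamp": "none"}
    parts = {k: int(v) for k, v in m.groupdict().items() if k != "zone" and v is not None}
    zone = m.group("zone")
    if zone:
        sign = 1 if zone[0] == "+" else -1
        zone_minutes = sign * (int(zone[1:3]) * 60 + int(zone[3:5]))
        date_zone = zone_minutes          # offset in minutes, as written in the event
    else:
        zone_minutes = default_zone_minutes
        date_zone = "local"               # the event itself names no zone
    tz = timezone(timedelta(minutes=zone_minutes))
    local = datetime(parts["year"], parts["month"], parts["mday"],
                     parts["hour"], parts["minute"], parts["second"], tzinfo=tz)
    return {
        "_raw": raw,
        "_time": int(local.timestamp()),  # UTC epoch seconds
        "date_year": parts["year"],
        "date_month": parts["month"],
        "date_mday": parts["mday"],
        "date_hour": parts["hour"],       # literal hour, never zone-adjusted
        "date_minute": parts["minute"],
        "date_second": parts["second"],
        "date_wday": WDAY[local.weekday()],
        "date_zone": date_zone,
    }


# Constructed events: the same wall-clock time written with and without a zone.
EVENT_WITH_ZONE = "2008-01-06 05:22:21 -0500 sshd[4121]: Accepted password for strawsky"
EVENT_NO_ZONE = "2008-01-06 05:22:21 sshd[4121]: Accepted password for strawsky"

if __name__ == "__main__":
    a = extract_fields(EVENT_WITH_ZONE)
    b = extract_fields(EVENT_NO_ZONE)     # no zone in the event, default zone 0 (UTC)
    print(a["date_hour"], b["date_hour"])  # both 5: the literal hour in the event
    print(a["_time"] - b["_time"])         # 18000: five hours apart in epoch time
```

Both events yield date_hour 5, date_wday sunday and date_year 2008, but their _time values differ by five hours, so a search on date_hour selects by the clock the source wrote, while a search on _time (or the time picker) selects by the instant after zone conversion; a detection built on date_* will not line up with one built on _time unless every source writes the same zone.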
date_hour
The date_hour field contains the value of the hour in which an event occurred (range: 0-23). This
value is extracted from the event's timestamp.
Example: Search for events with the string apache that occurred between 10pm and midnight on the
current day. Because date_hour never exceeds 23, the upper bound is 23, not 24.
apache (date_hour >= 22 AND date_hour <= 23)
date_mday
The date_mday field contains the value of the day of the month on which an event occurred (range:
1-31). This value is extracted from the event's timestamp (the value in _time ).
Example: Search for events containing the string apache that occurred between the 1st and 15th
day of the current month.
apache (date_mday >= 1 AND date_mday <= 15)
date_minute
The date_minute field contains the value of the minute in which an event occurred (range: 0-59).
This value is extracted from the event's timestamp (the value in _time ).
Example: Search for events containing the string apache that occurred between the 15th and 20th
minute of the current hour.
apache (date_minute >= 15 AND date_minute <= 20)
date_month
The date_month field contains the value of the month in which an event occurred. This value is
extracted from the event's timestamp (the value in _time ).
Example: Search for events with the string apache that occurred in January.
apache date_month=1
date_second
The date_second field contains the value of the seconds portion of an event's timestamp (range:
0-59). This value is extracted from the event's timestamp (the value in _time ).
Example: Search for events containing the string apache that occurred between the 1st and 15th
second of the current minute.
apache (date_second >= 1 AND date_second <= 15)
date_wday
The date_wday field contains the day of the week on which an event occurred (sunday, monday, and
so on, in lowercase). The day of the week is derived from the date in the event's timestamp (the
value in _time ).
Example: Search for events containing the string apache that occurred on Sunday.
apache date_wday="sunday"
date_year
The date_year field contains the value of the year in which an event occurred. This value is
extracted from the event's timestamp (the value in _time ).
Example: Search for events containing the string apache that occurred in 2008.
apache date_year=2008
date_zone
The date_zone field contains the time zone offset of the event's timestamp, as written in the
event, expressed in minutes from UTC (range: -720 to 720). Events whose timestamp carries no
zone information have the value local . Use date_zone to select events whose source reported a
particular offset.
Example: Search for events containing the string apache that occurred in the current timezone
(local).
apache date_zone=local