| Field | Type | Description |
|---|---|---|
| time | object | The timestamp of the event. When submitting via HEC, this is epoch time in seconds. When retrieved from search results, the format depends on the output mode. If omitted during ingestion, Splunk assig |
| _time | string | The indexed timestamp of the event as stored in Splunk. This is the canonical time field used in search results and is always present on indexed events. |
| _raw | string | The original raw text of the event as it was received by Splunk. This contains the complete, unmodified event data before field extraction. |
| event | object | The event payload when submitting via HTTP Event Collector. Can be a string for raw text events or a JSON object for structured events. This field is required when using the /services/collector/event |
| host | string | The hostname, IP address, or fully qualified domain name of the system that generated the event. This is a default metadata field that Splunk assigns during data ingestion. |
| source | string | The source of the event data, typically a file path, network port, or data input name. Identifies where the data originated on the host. |
| sourcetype | string | The source type classifies the event data format and determines how Splunk parses and extracts fields. Splunk includes many built-in sourcetypes, and custom ones can be defined. |
| index | string | The name of the Splunk index where the event is stored. Indexes are the primary data repositories in Splunk. |
| _indextime | string | The time at which the event was indexed by Splunk, as opposed to when the event occurred. Stored as epoch time. |
| _serial | integer | A sequence number assigned to the event within the search results. Used for ordering and pagination. |
| _cd | string | Internal Splunk field containing the bucket ID and offset for the event. Used for direct event access. |
| _bkt | string | The bucket ID where the event is stored within the index. Format is ~~. |
| _si | array | Server and index information as a two-element array containing the Splunk server name and the index name. |
| linecount | integer | The number of lines in the raw event text. |
| splunk_server | string | The name of the Splunk server that indexed this event. Relevant in distributed search environments. |
| splunk_server_group | string | The server group of the Splunk server that indexed this event. Used in indexer clustering. |
| eventtype | string | The event type classification assigned by Splunk based on configured eventtype definitions. |
| tag | array | Tags associated with the event based on field values and tag configurations. |
| fields | object | Additional metadata fields to associate with the event during HEC ingestion. These are indexed as metadata and can be searched as indexed fields without being part of the raw event data. |