Splunk has a vocabulary of its own. While exploring the service, you will regularly come across the terms below. For more definitions, the complete list is available from Splunk.
Alert
Notifies you when the conditions of a scheduled search are met. An alert can email designated addresses, run a script, or post to your feed.
Example: When a certain name.# or IP has a certain number of failed logins, then email the security team.
App
A collection of configurations, dashboards, charts, maps, timelines, etc.
Example: AWS app, Office 365 app.
Dashboard
A page or panel that displays search results as a table and/or visualizations in an easy-to-share location.
Example: Graphs of failed logins for the Office 365 apps.
Event
A single data point in Splunk that maps to a single log entry.
Example: One event at one time.
Field
A recurring name/value pair in logs. You can search on a field and identify the values associated with it.
Example: User id = name.#. Process = failed or success. User id and Process are the field names; name.#, failed, and success are the values associated with their fields.
Forwarder
Collects data from the host(s) and forwards it to the indexer.
Example: syslog-ng.
Host
The name of the physical device from which the event originates (e.g. hostname, IP address, or fully qualified domain name).
Example: ComputerName, CiscoSwitch1, CiscoSwitch2.
Index
Processes incoming data, transforms it into events, stores those events, and makes them searchable. Ohio State bases indexes on common groups of data or on units.
Example: unit_it_database
_indextime
Represented as _indextime. The time Splunk ingested the data, NOT the time the host recorded the event. See Troubleshooting.
Example: The index processes the data 5 minutes after the host logged the event.
Report
A saved search that you want to run regularly or share.
Example: Every week, send a role the list of top 10 failed logins.
Role
The permissions and capabilities granted to a group of users.
Example: unit-database-access, unit-networking-access. Add users to the role, then add apps to the role.
Source
The directory, file name, or file path of the monitored data.
Example: /var/log/syslog.
Sourcetype
The classification of the monitored data, usually the service or software that produced it.
Example: docker_json, cisco_syslog
_time
Represented as _time. The time the host recorded the event, NOT the time Splunk ingested it. See Troubleshooting.
Example: The host logged the event 5 minutes before the indexer.
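As an added example (not from this page or from Ohio State's Splunk team), the following search implements the Alert example above using the Field, Index, _time, and _indextime entries. It assumes the "User id" and Process field names described under Field, a src_ip field that the data may not actually have, and a threshold of 10 failures within 15 minutes.

```spl
index=unit_it_database Process=failed earliest=-15m latest=now
| rename "User id" AS user
| eval ingest_lag_sec = _indextime - _time
| stats count AS failed_logins, dc(src_ip) AS distinct_sources, max(ingest_lag_sec) AS max_lag_sec BY user
| where failed_logins >= 10
| sort - failed_logins
```

Save this as an alert scheduled every 15 minutes with the trigger condition "number of results is greater than 0" and an email action to the security team. The max_lag_sec column shows how far _indextime trails _time; when the lag exceeds the 15-minute window, an event can be indexed after the scheduled run that should have counted it, which is the behaviour the Troubleshooting page refers to.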