Implementing Splunk 7 (Third Edition)

Events viewer

Finally, we make it to the actual events. Let's examine a single event:

Starting from the left, we have:

  • Event Details: Clicking here (indicated by the right-facing arrow) opens the selected event, shows specific information about the event by type, field, and value, and allows you to perform specific actions on a particular event field. In addition, Splunk offers a button labeled Event Actions to access workflow actions, a few of which are always available.
  • Build Event Type: Event types are a way to name events that match a certain query. We will dive into event types in Chapter 7, Extending Search.
  • Extract Fields: This launches an interface for creating custom field extractions. We will cover field extraction in Chapter 3, Tables, Charts, and Fields.
  • Show Source: This pops up a window with a simulated view of the original source.
  • The event number: Raw search results are always returned in the order most recent first.
  • Next appear any workflow actions that have been configured. Workflow actions let you create new searches or links to other sites, using data from an event. We will discuss workflow actions in Chapter 7, Extending Search.
  • Next comes the parsed date from this event, displayed in the time zone selected by the user. This is an important and often confusing distinction. In most installations, everything is in one time zone—the servers, the user, and the events. When one of these three things is not in the same time zone as the others, things can get confusing. We will discuss time in great detail in Chapter 2, Understanding Search.
  • Next, we see the raw event itself. This is what Splunk saw as an event. With no help, Splunk can do a good job finding the date and breaking lines appropriately; but as we will see later, with a little help, event parsing can be more reliable and more efficient.
  • Below the event are the fields that were selected in the field picker. Clicking on the value adds the field value to the search.