Meta-Data’s

The Meta-data is generally the first command of the search. As a best practice, we should include 4 fields always in the first line of the query.
This is not mandatory but adding them is always better from Splunk search perspective.

1) index: the repository of Splunk where your data resides.

2) host : this is the server name on which your logs are hosted.

3) sourcetype: A source type determines how the Splunk platform formats the data during the indexing process. A sourcetype describes a kind of data.

4) source : this is the exact log file on which you want to search.

5) _time : the timeframe for which you are searching the query.

Sample Query

index=main host=NLPCFR01 sourcetype=database_log source=C:\User\hp\db0211.log