Basic Tutorial
Demo Server
You can practice Splunking real IT data on our demo servers:
- prodemo.splunk.com - Splunk Professional
  - Username: guest
  - Password: guest
- email.demo.splunk.com - Splunk Professional with sendmail events indexed
  - Username: guest
  - Password: guest
- interop.demo.splunk.com - Splunk Professional with Interop Las Vegas 2006
  - Username: guest
  - Password: guest
To take this tutorial, log in to prodemo.splunk.com and type along with the examples below.
The Splunk Box
At the top of the Splunk interface is a text entry box, the Splunk box. Use it the same way you use a Web search engine: start with a simple keyword or two, then refine your search terms until you find the information you seek.
Try these examples on prodemo:
- http 500
- http NOT 500
- http 500 hosttag::appserver
- http 500 hosttag::webserver
- http 500 (hosttag::appserver OR hosttag::webserver)
- sourcetype::websphere_activity
- http NOT (200 OR 500) NOT sourcetype::websphere_*
Typing more than one keyword performs a logical AND search, returning only events that contain every term. Putting NOT before a term excludes events that contain it from the search results, just like piping Unix output through grep -v.
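To make the search semantics above concrete, here is an added Python example (not Splunk's own code) that parses this query syntax and evaluates it over constructed sample events. It assumes that OR binds tighter than the implicit AND, that NOT binds tighter still, and that a `field::value` term matches a metadata field with shell-style `*` wildcards while a bare keyword matches anywhere in the raw event text.

```python
import fnmatch

# Constructed sample events (not data from the demo servers): raw text plus metadata fields.
EVENTS = [
    {"_raw": "GET /cart HTTP 500 Internal Server Error", "hosttag": "appserver", "sourcetype": "websphere_activity"},
    {"_raw": "GET /index.html HTTP 200 OK", "hosttag": "webserver", "sourcetype": "apache_access"},
    {"_raw": "POST /login HTTP 500", "hosttag": "webserver", "sourcetype": "apache_access"},
    {"_raw": "GET /missing HTTP 404 Not Found", "hosttag": "webserver", "sourcetype": "apache_access"},
    {"_raw": "db2 connection refused", "hosttag": "dbserver", "sourcetype": "db2diag"},
]

def _matches(term, event):
    """field::value matches that metadata field (with * wildcards); a bare keyword matches the raw text."""
    if "::" in term:
        field, pattern = term.split("::", 1)
        return fnmatch.fnmatchcase(str(event.get(field, "")).lower(), pattern.lower())
    return term.lower() in event["_raw"].lower()

def compile_query(query):
    """Recursive-descent parse into a predicate. Precedence: parentheses, NOT, OR, then implicit AND."""
    tokens, pos = query.replace("(", " ( ").replace(")", " ) ").split(), 0  # parentheses become tokens
    def parse_and():  # expr := or_term+   (juxtaposition is AND, like chaining greps)
        nonlocal pos
        preds = []
        while pos < len(tokens) and tokens[pos] != ")":
            preds.append(parse_or())
        return lambda e: all(p(e) for p in preds)
    def parse_or():  # or_term := unary ('OR' unary)*
        nonlocal pos
        preds = [parse_unary()]
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            preds.append(parse_unary())
        return lambda e: any(p(e) for p in preds)
    def parse_unary():  # unary := 'NOT' unary | '(' expr ')' | term   (NOT behaves like grep -v)
        nonlocal pos
        if pos >= len(tokens): raise ValueError("query ends after NOT or '('")
        tok = tokens[pos]; pos += 1
        if tok == "NOT":
            inner = parse_unary(); return lambda e: not inner(e)
        if tok == "(":
            inner = parse_and()
            if pos >= len(tokens) or tokens[pos] != ")": raise ValueError("unbalanced parentheses")
            pos += 1; return inner
        return lambda e, t=tok: _matches(t, e)
    pred = parse_and()
    if pos != len(tokens): raise ValueError("unexpected token %r" % tokens[pos])
    return pred

def search(query, events=EVENTS):
    return [e["_raw"] for e in events if compile_query(query)(e)]
```

An empty query matches every event, which is the same effect as the meta::all search described later on this page.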
You can use shortcuts to quickly refine your search:
- Control-clicking a term in the search results adds that term to the search (use command-click on a Mac).
- Control-alt-clicking a term excludes it from the search (use cmd-option-click on a Mac).
Search Results
Search for "http" on prodemo.splunk.com and look at the results page. You'll see that each search result represents an individual log file event, and contains these fields:
- Event data - The actual logged data, sometimes cleaned up for easier reading.
- Event type - A numeric value that identifies the specific pattern of data in the event. Event types either have a question mark and a serial number, for example ?14, or they have a value such as SP-CAAABHH that the server obtained by looking up the event type in Splunk Base, our global repository of event types. See the Splunk Base commands below.
- Tags (optional) - Event types may have one or more text tags such as "failure" following the event type value. Tags are created either locally by admins, or globally by sharing them on Splunk Base. They add human understanding about the event type to the machine-generated data in the event.
- Similar - A link to event types with data patterns similar to those of the clicked event.
- Related - A link to events that contain matching values such as "192.168.1.1" that imply a relationship to the clicked event.
- Source type - A name that identifies the pattern of event types in all data loaded from the same file, network port, or other input. Source types are automatically assigned by Splunk, or customized locally by an admin.
- Host - The hostname or IP address of the host that originally generated the event.
- Tags (optional) - Hosts may have one or more text tags such as "production" following the host value. Tags are created either locally by admins, or globally by sharing them on Splunk Base. They add human understanding about the host to the machine-generated data in the event.
- Source - The name of the file, network port, or other input from which the event was indexed.
- Show source - A link to the event in its original context within the file or data stream from which it was indexed.
- Splunk Base options - Links that perform actions on the Splunk Base global repository at splunk.com/base.
- Look up event - A link that uploads the event type's signature data pattern (but not the private data in the event itself) to Splunk Base and searches for a matching event type in Splunk Base's repository.
- Share event - A link that uploads the event data itself to Splunk Base as an example of its unique event type. You can optionally anonymize individual fields within the event before transmitting it, to protect private information.
Tabs
Splunk's results page has five tabs, sometimes six, that present alternate views of your search results grouped by Events, Event Types, Source Types, Hosts, Sources and, when present, Servers. Click through the tabs to see how each view presents the same information summarized in different ways.
Typeahead
As you type into the Splunk box, you'll see a drop-down list of typeahead options. Each entry lists a possible completion for your search, plus the number of matches for it. Typeahead includes both events in the index and metadata such as source::/home/demo/trade6/db2diag.log.
Try the up and down arrows, Tab key, and Enter key to select typeahead entries.
Timerange Selector
Click the clock icon to the left of the Splunk box to pop open an interactive widget for setting start and end times for your search. You can use your keyboard, arrow keys or your mouse to adjust time values. Click the calendar icon to pop up a widget for browsing dates.
Events by Time
The Events by Time chart is a plot of the events in your Splunk results mapped by their timestamps. The chart is interactive. Mouse over each bar to see more details on that time slice. Click the magnifying glass icons to zoom in and out. Click on one time bar to narrow your Splunk to that time range. Shift-click on another to extend the time range further.
Saved Splunks
A Saved Splunk is a bookmarked search you can run again to get the latest results.
Create a Saved Splunk
To create a Saved Splunk, browse to the menu option Splunks -> Save.
Run a Saved Splunk
To run a Saved Splunk, choose it from the Splunks -> Saved Splunks menu, or type savedsplunk::smtperrors into the Splunk box to run the Saved Splunk named smtperrors.
Special commands
Search for all events
Type meta::all into the Splunk box, or choose the menu option Splunks -> Saved Splunks -> all.
Cancel a search
Hit the Esc key on your keyboard to terminate a search you don't want to wait for.
Reset the web interface
Click the Splunk logo in the upper left of the interface to return to the server's home page and start over.
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.