Web search interface
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Web search interface
Nearly everything in Splunk's interface is clickable, especially inside your search results. Try clicking around the search and results pages on prodemo.splunk.com to see where it takes you. Don't worry, there's no way to accidentally delete, modify or corrupt our demo data by playing with it.
Mouse Clicks
You can perform these click actions on any part of an event in your search results - segments, meta data such as sourcetype::syslog , and links such as Similar.
- Search for term: click
- Restrict the current search further by the clicked term: Ctrl-click (On Macs, cmd-click)
- Remove term from current search: Ctrl-click it again (On Macs, cmd-click)
- Search for negative term (e.g. NOT apache): Alt-click (On Macs, option-click)
- Add negative term (e.g. NOT apache) to search: Ctrl-alt-click (On Macs, cmd-option-click)
Ctrl-Alt-click
The fastest way to find obscure events is to start with a simple, broad search and then remove terms that don't match using Ctrl-Alt-click. (On Macs, cmd-option-click.) It's just like adding grep -v pipes onto the end of a Unix grep command. As you filter out more and more event types, hosts, source types, or terms inside the events, the hard-to-find events you're looking for will emerge.
Segment Selection
Roll your cursor over the different parts of an event in your search results. You'll see individual segments - character strings treated as single entities in the index - highlight as you pass over them. Matching segments in other events will also highlight. If you click a segment, it will submit a new search.
You can change Splunk's handling of segment selection with the menu option Preferences -> Segment Selection above the Splunk box. There are five settings, described below.
Full
Splunk's default configuration treats segments separated by periods and other punctuation as minor segments and those separated by spaces as major segments. If you search for a term that appears as a minor segment, it will be highlighted on your results page. But when you roll over it to click it, the entire major segment it belongs to will highlight.
One example is worth a thousand words: Search for com and then roll your mouse over any Web domain names that appear in your results. See how you can add or remove whole domains from your search with one click. It's faster than typing into the box again and again, yet you can still do so whenever you prefer to.
To select multiple consecutive segments in an event, such as the hour and minute in a timestamp ( 17:30 :01) or the subnet section of an IP address ( 18.7 .1.151), place your mouse at the leftmost segment and mouse over the subsequent segments to the right. Each segement will highlight in yellow as you pass over it. To select the entire major segment, i.e. the entire address or timestamp, place your mouse at the rightmost end instead.
Outer
This setting forces Splunk to always highlight the longest possible segment, such as a complete email address. It's equivalent to mousing from the rightmost end in Full mode.
Inner
This setting forces Splunk to always highlight the shortest possible segment, such as .com in an email address. It's equivalent to mousing from the leftmost end in Full mode.
Raw
In this mode, Splunk does no segment selection. Clicking on an IP address will do nothing.
Full with Pyramids
Same as Full , but Splunk will draw grouping boxes around segments. The result looks like a topological map, with segments stacked in pyramid-like formations to show how they are grouped.
This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.