Introduction to Splunk
This documentation does not apply to the most recent version of Splunk.
See a few simple searches in action.
Requirements
- A supported browser (See system requirements and release notes).
- A copy of Splunk:
- On an individual machine, or elsewhere in the organization. (Download and install.)
- On Splunk hosted demo servers.
Log in
Splunk does not require a login when using a Free license. An Enterprise license requires a login:
- For an individual server, the default Splunk username is admin and password is changeme.
- For the Splunk hosted demo server, the username and password are guest and guest.
Index data
Splunk comes with pre-indexed sample data. For help indexing your own data, see the data inputs section of the Admin Manual.
Simple searches
To start, enter your search in the search box at the top of the page.
Important: Throughout this tutorial sample data will be used (in an index called "sampledata"). This index can be searched instead of the main index by including "index::sampledata" in the search criteria.
Start by searching for all the data in the sampledata index. Type the following into the search box.
index::sampledata
The results include a timeline that shows exactly when matching results occurred. If there are no results, change the time range from last 24 hours to last 7 days.
Now, try this simple search:
index::sampledata http 500
This shows HTTP requests resulting in an internal server error. Notice that there's a typeahead list to help guide you.
Searches are typically case-insensitive. Exceptions are noted throughout this tutorial.
Click on results
Click on results to add or remove search terms. For example, click on "500" in one of the search results. Splunk highlights and updates the search to remove "500" as a term -- so now your search results include all http events. This works both ways. Click on "500" again to add it back to the search string.
Scroll through results
Search for:
index::sampledata http
Scroll through the results list. Splunk displays more and more results. The red line in the timeline indicates where you are in time.
Narrow results
Narrow your search results by refining your search. Here are a few tips.
- Alt-click on "200" in any search result (option-click on a Mac, shift-click for some popular *nix window managers).
Your search has now been updated with "NOT 200". Splunk supports other Boolean operators too.
Follow a relationship
- Ctrl-click on an IP address (cmd-click on a Mac).
- Check "wrap results" to turn on line-wrapping for the long single-line events that result from searches.
Your search has been replaced with the IP address. This is an effective way to follow relationships between events.
Change the time range
If you are using the sample data with the out-of-the-box settings, the timeline shows a cluster of events in a single hour over the last 24 hours.
Click on the bar in the timeline showing the cluster of data, then click Zoom in. Any bar in the timeline can also be clicked to zoom in.
Zoom in until there is a narrow enough time range to see only a few bars of data.
Shift-click or drag your mouse across all of the bars and zoom in further.
The timeline should now span several minutes, with one bar equal to one second.
You can also change the time range by using the drop-down located near the upper left of the graph area.
Choose custom to specify a start and end time.
Note: Your Splunk instance will perform faster if you narrow the time range of your search. Searching over all time may result in slow search performance.
Boolean searches
Enter the search:
index::sampledata http AND 500
Your results will be the same as the previous example search. Splunk implicitly inserts an AND between terms, similar to Google and other search engines. Splunk supports the Boolean operators AND, OR, and NOT (they must be capitalized).
Note: There should be three results. If your search produces no results, the time range may still be set from the previous example search. Zoom out, clear the time range or reset it using the time range drop-down menu.
index::sampledata http NOT 500
All http requests that do not contain error code 500 (internal server error).
index::sampledata http NOT (500 OR 503)
All http requests that do not contain error code 500 or 503 (service unavailable).
Splunk is able to group Boolean expressions using parentheses.
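As an added example (not Splunk's code and not part of this tutorial), the Boolean search rules described above modelled in Python and run over a few constructed web-access events, so the searches in this section can be tried without a Splunk instance. The operator precedence used (parentheses, then NOT, OR, AND) is taken from Splunk's search documentation rather than from this page, and the names match_term, matches and search are chosen here.

```python
import re
# Constructed sample events, not Splunk's bundled sample data: (index, raw event).
EVENTS = [
    ("sampledata", '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512'),
    ("sampledata", '10.0.0.5 - - "GET /cart HTTP/1.1" 500 0'),
    ("sampledata", '10.0.0.9 - - "POST /login HTTP/1.1" 503 0'),
    ("main", '10.0.0.9 - - "GET /cart HTTP/1.1" 500 0'),
]

def match_term(term, index, raw):
    # index::name scopes to an index; any other term is a case-insensitive token match.
    if term.lower().startswith("index::"):
        return index == term[len("index::"):]
    return term.lower() in re.findall(r"[a-z0-9]+", raw.lower())

def matches(tokens, index, raw):
    # Recursive-descent evaluator: adjacent terms get an implicit AND, AND/OR/NOT count
    # as operators only in capitals, precedence assumed per Splunk docs: ( ), NOT, OR, AND.
    def and_expr(pos):
        val, pos = or_expr(pos)
        while pos < len(tokens) and tokens[pos] != ")":
            rhs, pos = or_expr(pos + 1 if tokens[pos] == "AND" else pos)
            val = val and rhs
        return val, pos
    def or_expr(pos):
        val, pos = not_term(pos)
        while pos < len(tokens) and tokens[pos] == "OR":
            rhs, pos = not_term(pos + 1)
            val = val or rhs
        return val, pos
    def not_term(pos):
        if pos >= len(tokens):
            raise ValueError("incomplete expression")
        if tokens[pos] == "NOT":
            val, pos = not_term(pos + 1)
            return not val, pos
        if tokens[pos] == "(":
            val, pos = and_expr(pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses")
            return val, pos + 1
        return match_term(tokens[pos], index, raw), pos + 1
    val, pos = and_expr(0)
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return val

def search(query):
    tokens = re.findall(r"\(|\)|[^\s()]+", query)  # parentheses are their own tokens
    return [raw for index, raw in EVENTS if matches(tokens, index, raw)]
```

Note that a lowercase "not" is treated as an ordinary search term, so "http not 500" matches nothing here, which is the behaviour the capitalization rule above implies.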
Save a search
To save any search, click on the down arrow to the left of the search box and select Save search... from the menu.
Once you save a search, reuse it by typing savedsearch::nameyougaveyoursearch into the search box, or select it from the Saved searches menu next to the search box. Search names are case-sensitive.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.