How search works
Splunk includes a powerful search language for crafting simple to sophisticated searches. To learn more about Splunk's search syntax, see the User Manual search reference section. This section describes how to administer searches, including various configuration options for saved searches.
Saved searches
Once you have set up a search, you can save it for reuse as a saved search. Splunk ships with a few pre-configured saved searches. These are listed on the bottom of the landing page in Splunk Web.
Splunk administrators can create saved searches to distribute to all their Splunk users. Learn more about creating saved searches, either via Splunk Web or via savedsearches.conf.
Saving searches allows for knowledge capture and sharing. You can share any saved search or save it as private. Shared and personally owned private saved searches appear by default on the bottom of the user's landing page.
Form search and Macro search
Form searches and macro searches are wrappers for saved searches. They work just like saved searches, but take variables at search time, so you can set up a search for others to use. Those users never need to see the underlying search; they simply supply the variable(s) they are interested in.
- Macro searches are saved searches with variables. Fill in the variables at search time.
- Form searches work just like macro searches, but include an additional interface for searching.
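The following is an added illustration of what a macro search does, not code from Splunk or this documentation: a saved search template carries named placeholders, and the values a user types at search time are substituted in. The `$name$` placeholder syntax, the constructed search string, and the quoting rule (wrap each value in double quotes, escaping backslashes and embedded quotes) are assumptions made for this illustration.

```python
"""Added illustration (not Splunk code): a macro search as a saved-search
template whose $name$ placeholders are filled in at search time.  The
placeholder syntax and quoting rule are assumptions for this example."""
import re

PLACEHOLDER = re.compile(r"\$(\w+)\$")

# Constructed saved search with two variables the user fills in at search time.
FAILED_LOGINS = (
    'sourcetype=$sourcetype$ "failed password" user=$user$ | stats count BY src_ip'
)


def expand_macro(template, variables):
    """Fill every $name$ in template; error on missing or unused variables.

    Each value is wrapped in double quotes with backslashes and embedded quotes
    escaped, so the user's input is searched as a literal term rather than
    being spliced into the search as syntax.
    """
    required = set(PLACEHOLDER.findall(template))
    supplied = set(variables)
    missing = required - supplied
    unused = supplied - required
    if missing or unused:
        raise ValueError(f"missing={sorted(missing)} unused={sorted(unused)}")

    def quote(match):
        value = str(variables[match.group(1)])
        value = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{value}"'

    return PLACEHOLDER.sub(quote, template)


if __name__ == "__main__":
    print(expand_macro(FAILED_LOGINS, {"sourcetype": "linux_secure", "user": "root"}))
```

The wrapper checks that the user supplied exactly the variables the template declares: a missing one would leave a placeholder in the search, and an unexpected one usually means a typo in the form.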
Alerting
Set any saved search to run on a specific schedule and to trigger alerts, send emails, or publish RSS feeds. Learn more about alerts.
Live tail
Use Live tail to watch data streaming into Splunk. Live tail works just like tail -f in *nix systems. Learn more about live tail.
Summary indexing
Summary indexing provides support for greater efficiency when running reports on large datasets over large time spans. Summary indexing saves the results of a scheduled search into a special summary index that you designate. You can then search and run reports on this smaller, restricted index instead of working with the much larger original data set.
Use summary indexing to:
- Aggregate results.
- Generate statistics.
- Index rare original events into a smaller index for more efficient reporting.
For example, you may want to run a report at the end of every month that tells you how many page views and visitors each of your Web sites had, broken out by site. If you just run this report at the end of the month, it could take a very long time to run because Splunk has to look through a great deal of data to extract the information you want. However, if you use summary indexing, you schedule a saved search that runs periodically over smaller slices of time and Splunk saves the results (since the last time the report was run) into a special (summary) index. You can then run an "end of the month" report on the data indexed in this much smaller index.
Or, you may want to run a report that shows a running count of a statistic over a long period of time. For example, you may want a running count of downloads of a file from a Web site you manage. Schedule a saved search to return the total number of downloads over a specified slice of time. Use summary indexing to have Splunk save the results into a summary index. You can then run a report any time you want on the data in the summary index to obtain the latest count of the total number of downloads.
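To make the two scenarios above concrete, here is an added, self-contained illustration in Python; it is not Splunk code and does not model Splunk's indexes, only the idea. Constructed web-access events (day, site, client IP) are aggregated one day at a time into a small summary table, and the month-end report reads only that summary. The example also shows the caveat a practitioner runs into: page views are additive across slices, so the summary gives the exact total, but distinct visitors are not additive, so a summary that stores only a per-slice distinct count overcounts when summed at month end. Site names, IPs and dates are constructed sample data.

```python
"""Added illustration (not Splunk code): summary indexing as per-slice
aggregation, with the additive/non-additive caveat for distinct counts."""
from collections import defaultdict
from datetime import date

# Constructed sample events: (day, site, clientip), one row per page view.
RAW_EVENTS = [
    (date(2009, 1, 1), "www", "10.0.0.1"),
    (date(2009, 1, 1), "www", "10.0.0.2"),
    (date(2009, 1, 1), "blog", "10.0.0.1"),
    (date(2009, 1, 2), "www", "10.0.0.1"),   # same visitor as day 1
    (date(2009, 1, 2), "www", "10.0.0.3"),
    (date(2009, 1, 2), "blog", "10.0.0.4"),
    (date(2009, 1, 3), "www", "10.0.0.2"),
    (date(2009, 1, 3), "blog", "10.0.0.4"),  # same visitor as day 2
]
SLICE_DAYS = [date(2009, 1, 1), date(2009, 1, 2), date(2009, 1, 3)]


def summarize_slice(events, day):
    """The scheduled search: aggregate one day's slice into summary rows.

    Returns {site: {"page_views": n, "visitor_ips": set(...)}}.  Keeping the
    visitor set (not just its size) is what makes the month-end distinct
    count exact.
    """
    out = defaultdict(lambda: {"page_views": 0, "visitor_ips": set()})
    for d, site, ip in events:
        if d == day:
            out[site]["page_views"] += 1
            out[site]["visitor_ips"].add(ip)
    return dict(out)


def build_summary_index(events, days):
    """Run the scheduled search once per slice; each slice exactly once."""
    if len(days) != len(set(days)):
        raise ValueError("a slice was summarised twice; counts would double")
    return [(day, summarize_slice(events, day)) for day in days]


def month_end_report(summary):
    """Report read from the summary only (never from RAW_EVENTS)."""
    report = defaultdict(lambda: {"page_views": 0, "visitors": set()})
    for _day, rows in summary:
        for site, agg in rows.items():
            report[site]["page_views"] += agg["page_views"]
            report[site]["visitors"] |= agg["visitor_ips"]
    return {s: (r["page_views"], len(r["visitors"])) for s, r in report.items()}


def naive_visitor_sum(summary):
    """The overcount you get by summing per-slice distinct visitor counts."""
    totals = defaultdict(int)
    for _day, rows in summary:
        for site, agg in rows.items():
            totals[site] += len(agg["visitor_ips"])
    return dict(totals)


def report_from_raw(events):
    """Ground truth computed by scanning every raw event."""
    views, visitors = defaultdict(int), defaultdict(set)
    for _d, site, ip in events:
        views[site] += 1
        visitors[site].add(ip)
    return {site: (views[site], len(visitors[site])) for site in views}


def running_count(summary):
    """Running-total use case: cumulative page views, slice by slice."""
    running, total = [], 0
    for day, rows in sorted(summary, key=lambda s: s[0]):
        total += sum(agg["page_views"] for agg in rows.values())
        running.append((day, total))
    return running


if __name__ == "__main__":
    summary = build_summary_index(RAW_EVENTS, SLICE_DAYS)
    print(month_end_report(summary))   # exact, from the summary alone
    print(naive_visitor_sum(summary))  # overcounts repeat visitors
    print(running_count(summary))
```

The `build_summary_index` guard stands in for the operational rule that the scheduled search's time slices must tile the reporting period exactly: a slice summarised twice, or a gap between slices, shows up as a wrong total in every report built on the summary.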
Learn more about Summary indexing.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.