Splunk search

Searching in Splunk is easy - type any term you'd expect to find in your data into the search box and hit Enter. A Splunk search lets you search indexed data in real-time, extract data from search results, and produce meaningful reports from the data you put into Splunk. For example, to search for all events containing a given IP address, type it into the box. Try it with usernames, error codes, transaction IDs, or whatever else you are looking for.

See the Search syntax page to learn about Splunk search syntax.

A search is a pipeline of commands (similar to a Unix "|" pipeline) that starts with a command that gathers data (typically a search on data in a Splunk index), followed by data-processing commands that operate on the data to yield search results.

See the Search pipeline syntax page for details about the syntax of the search pipeline.

You can also watch this Splunk developer video about searching with Splunk.

Generate search results

Generate search results by using a data-generating command.

Construct searches

Use the search command to construct simple keyword searches on data in your Splunk index (just like a Google search). Narrow your keyword searches with modifiers, fields, Boolean operators, and logical comparison operators.

You can also construct more powerful searches by using additional commands to extract data, perform statistical operations, and build reports. Learn about the search commands in the search command reference.

As you construct your search, Splunk's typeahead functionality will prompt you with predictive text based on the commands you are using and the contents of your data.

Note: Typeahead does not support wildcards (*). Simply type and wait for the predictive text to complete your term.

When generating data

To get more results:

If you want a faster search:

When narrowing your search

Types of search

Macro and form searches

Macro searches are saved searches that substitute macro variables for field values. This lets you save a search and reuse it later to search different fields. Form searches are an extension of macro search; when you run the saved form search, the macro variables appear as form fields such as text boxes or drop-down menus. Macro and form searches assume you know the indexed and extracted fields in your event data.

Transaction searches

A transaction is a sequence of related events that needs to occur to complete an action. For example, the conditions for a purchase may be a sequence of events within a limited timeframe that include a login, a purchase, and a logout. A Splunk administrator can define the sequence of events in a configuration file and use it to search for the specific transaction. Read more about Transactions.
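As an added example (not from the Splunk manual), the following Python models two things this page describes: the search pipeline from Search pipeline syntax (a gathering stage followed by processing stages) and the transaction grouping above, where a login, a purchase and a logout by the same user must occur within a limited timeframe. The events, the user/action field names and the 30-minute span are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Splunk data). Bob's logout arrives long after
# his login, so his purchase sequence never completes within the span limit.
EVENTS = [
    {"_time": "2024-01-01T10:00:00", "user": "alice", "action": "login"},
    {"_time": "2024-01-01T10:02:00", "user": "alice", "action": "purchase"},
    {"_time": "2024-01-01T10:03:00", "user": "alice", "action": "logout"},
    {"_time": "2024-01-01T10:05:00", "user": "bob", "action": "login"},
    {"_time": "2024-01-01T10:06:00", "user": "bob", "action": "purchase"},
    {"_time": "2024-01-01T10:10:00", "user": "carol", "action": "login"},
    {"_time": "2024-01-01T10:11:00", "user": "carol", "action": "logout"},
    {"_time": "2024-01-01T11:30:00", "user": "bob", "action": "logout"},
]

def ts(e):
    return datetime.fromisoformat(e["_time"])

def search(events, **terms):
    """Gathering stage: keep events whose fields equal every field=value term."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]

def transaction(events, by, maxspan_min, startswith, endswith):
    """Processing stage modelled on transaction grouping: events sharing the `by`
    field form a group that opens on `startswith` and closes on `endswith` or
    when an event would push the group past `maxspan_min` minutes."""
    maxspan, done, open_ = timedelta(minutes=maxspan_min), [], {}
    def close(key):
        grp = open_.pop(key)
        done.append({by: key, "actions": [e["action"] for e in grp],
                     "eventcount": len(grp),
                     "duration": (ts(grp[-1]) - ts(grp[0])).total_seconds(),
                     "complete": grp[0]["action"] == startswith
                                 and grp[-1]["action"] == endswith})
    for e in sorted(events, key=ts):
        key = e[by]
        if key in open_ and (e["action"] == startswith
                             or ts(e) - ts(open_[key][0]) > maxspan):
            close(key)                      # span exceeded or a new start: split
        open_.setdefault(key, []).append(e)
        if e["action"] == endswith:
            close(key)
    for key in list(open_):                 # flush groups that never saw `endswith`
        close(key)
    return done

def where(rows, **mins):
    """Filtering stage (like a trailing search on eventcount): keep rows meeting each minimum."""
    return [r for r in rows if all(r[k] >= v for k, v in mins.items())]

def complete_purchases(events=EVENTS):
    """The whole pipeline: search | transaction | filter on eventcount."""
    rows = transaction(search(events), by="user", maxspan_min=30,
                       startswith="login", endswith="logout")
    return where(rows, eventcount=3)
```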

Dispatched searches

A dispatched search is a search that you set to run in the background. You can use the dispatch command to run searches that exceed the maximum result limit (50K) and send them to the background while you continue running other searches. Currently, you can only run a dispatched search in the CLI. Read more about asynchronous searches.

CLI searches

Run searches in the CLI with the search CLI command. Searches in the CLI work the same way as searches in Splunk Web except there is no timeline rendered with the search results, and a time range isn't specified by default. Search for anything by including your search as the 'search string' argument of a CLI search command. Learn more about CLI searching.

Live tail

Live tail allows you to see data as it is being indexed into Splunk in real-time (similar to Unix's tail -f command). Live tail allows you to execute a simple search in its stand-alone window and monitor events that match the search. Find out more about live tail.

Save and schedule searches

After you save a search, you can set your searches to run regularly and schedule alert conditions. Read more about Save, schedule, and alert options.

Tune search performance

Splunk's searches are optimized for text-based searching of raw event data. Search speed is dependent on how your Splunk install is configured.

If you are searching for a term that occurs frequently in your data (or just for *), you should expect results in 1-5 seconds. If Splunk doesn't return a full timeline, with all events rendered, within 15-20 seconds, your index(es) or system configuration might be unhealthy. A good starting point is to read Understanding Buckets on the Splunk Wiki. If you're experiencing poor search performance and are unsure why, contact Splunk support.

You can improve the speed of your searches by editing configuration files, and by downloading various applications from SplunkBase. Read more about tuning search performance.

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.
