User Manual

Search interactively with Splunk Web

Both the raw results and timeline are interactive, so you can click to drill down to events of interest, focus on anomalies, or eliminate noise to find the needle in a haystack. Whether you're troubleshooting a customer problem or investigating a security alert, you'll get to the bottom of what happened in minutes rather than hours or days.

In this topic, you'll learn how to:

  • Use search results to narrow your search.
  • Use the fields picker to add search terms.
  • Use the Search assistant to help construct your searches.
  • Use the Show source window to view raw events.

Use search results to narrow your search

Anytime after you run a search, you can highlight and select segments from your search results to add, remove, and exclude those keywords quickly and interactively.

Add new terms to your search

Fields and terms that you include in your search string will appear highlighted in the list of search results. Certain segments (words or phrases) in your search results will highlight as you move your mouse over the list; this indicates that you can add these terms to your search. To add any one of these other segments into your search, click it. Your search updates and filters out all the previous results that don't match.

For example, while searching for Web access events that are errors:

eventtype=webaccess errors

Suppose you notice that one particular host, alpha, appears more often than the others and you decide to focus on it. Instead of typing host=alpha into your search bar, you click one occurrence of the value alpha in your results.

Your search string automatically appends the new filter and your search results update to reflect the new search:

eventtype=webaccess errors host=alpha

Remove existing terms from your search

Removing a term is just as easy as adding one. Terms that are already in your search string appear highlighted in the list of search results; to remove one, click any highlighted occurrence of it.

For example, if you searched for Web access errors on a machine called alpha:

eventtype=webaccess errors host=alpha

Then, as you scroll through your results, you decide that you want to see what other Web access activity has occurred on alpha. To do this quickly and without having to edit your search string, you click on one highlighted occurrence of the term "errors" in your results. Your search string and results automatically update to match:

eventtype=webaccess host=alpha

Exclude terms from your search

As you scroll through the list of your search results, you may also notice events that are of no interest to you in your current investigation. To eliminate this noise without manually typing anything into your search bar, use alt-click (for Windows, use ctrl-click). Splunk updates your search to exclude the term you selected.

For example, if you searched for all Web access errors:

eventtype=webaccess errors

Then, you decide that you don't want to see any events from alpha; alt-click (or ctrl-click) on the host value in your results. Your search bar updates to read:

eventtype=webaccess errors NOT host=alpha

All events from alpha are removed from your list of search results.
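The three interactive edits above (add a term, remove a term, exclude a term) amount to a small set of rewrites on the search string. The following helper, added here as an example and not code from Splunk or this manual, performs those rewrites on a search string so that the behaviour can be reasoned about outside the UI. It generalizes the examples above in two ways: a bare keyword such as errors and a field=value pair such as host=alpha are handled uniformly, and a value containing spaces or quotes is quoted the way it would have to be in the search bar. The function names, the tokenizing rules and the sample search strings are assumptions made for the example; Splunk's own UI may format the resulting search string differently.

```python
"""Hypothetical helper (not Splunk code) that applies the Search view's
add / remove / exclude edits to a search string."""
import re
import shlex

# A field=value term: field name, then '=' and the rest of the token.
_TERM_RE = re.compile(r"^([A-Za-z_][\w.:-]*)=(.*)$", re.S)


def _quote(value: str) -> str:
    """Quote a value when it contains whitespace or a double quote."""
    if value == "" or '"' in value or any(ch.isspace() for ch in value):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return value


def tokenize(search: str):
    """Split a search string into (negated, field, value) triples.

    field is None for a bare keyword.  shlex honours double-quoted
    values ("John Smith"), but also treats backslash as an escape, so
    unquoted Windows paths would need quoting first (assumption of the
    example, not a statement about Splunk's parser).
    """
    terms, negate = [], False
    for tok in shlex.split(search):
        if tok.upper() == "NOT":
            negate = True
            continue
        m = _TERM_RE.match(tok)
        terms.append((negate, m.group(1), m.group(2)) if m else (negate, None, tok))
        negate = False
    return terms


def render(terms) -> str:
    """Turn the triples back into a search string."""
    parts = []
    for negated, field, value in terms:
        term = f"{field}={_quote(value)}" if field else _quote(value)
        parts.append(f"NOT {term}" if negated else term)
    return " ".join(parts)


def add_term(search: str, value: str, field=None) -> str:
    """Click on an unhighlighted segment: append it as a filter.

    A term that is already present is left alone; a term that is
    currently excluded (NOT ...) is turned back into a positive filter.
    """
    terms = tokenize(search)
    if (False, field, value) in terms:
        return render(terms)
    terms = [t for t in terms if t != (True, field, value)]
    terms.append((False, field, value))
    return render(terms)


def remove_term(search: str, value: str, field=None) -> str:
    """Click on a highlighted segment: drop it from the search."""
    return render([t for t in tokenize(search) if (t[1], t[2]) != (field, value)])


def exclude_term(search: str, value: str, field=None) -> str:
    """Alt-click (ctrl-click on Windows): replace any existing copy of the
    term with a NOT clause."""
    terms = [t for t in tokenize(search) if (t[1], t[2]) != (field, value)]
    terms.append((True, field, value))
    return render(terms)


if __name__ == "__main__":
    # Constructed sample searches, following the ones in this topic.
    base = "eventtype=webaccess errors"
    print(add_term(base, "alpha", field="host"))
    print(remove_term("eventtype=webaccess errors host=alpha", "errors"))
    print(exclude_term(base, "alpha", field="host"))
    print(exclude_term(base, "John Smith", field="user"))
```

Running the module prints the three search strings shown in this topic, plus one with a quoted user value. The round trip through tokenize and render is what makes the edits safe: a clicked value containing a space is re-quoted rather than split into two keywords.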

Add search terms from available fields

Splunk automatically extracts fields from your data when you add it to your index. After you run a search, you'll notice that only three of these default fields display in your event data: host, sourcetype, and source. You can view all the other fields that Splunk identified (if they exist in these search results) and select to make them visible in your event data as well.

In the Search view, the field sidebar is on the left and underneath the Timeline. After you run a search, this sidebar contains the list of fields that are visible in your search results.

Click "Pick fields" underneath the Timeline, to open the Fields popup window. In the Fields window, you can view all the fields that are available in your search results. Select fields from this list to make visible in your search results.

To hide fields (that are already visible), you can click on them in the "Available Fields" list or the "Selected Fields" list. Click "Save" and you'll see your changes applied to the event data in your search results.

Use Search assistant to help construct your searches

Search assistant is a quick reference for users who are constructing searches. By default, search assistant is active; whenever you type terms into the search bar, it will give you typeahead information. When you type in search commands, it will give you descriptions and examples of usage for the command. You can access the search assistant within Splunk Web; click the green down-arrow under the search bar.

The default view displays a short description, some examples, common usage, and common next command. If the search bar is empty (there is no search command in it), Search assistant displays information for the search command.

You can also see lists of common usage and common next commands and expand the lists by clicking the more links next to the headers. When you click on any item in the lists, Splunk appends it to your search.

To see more information, click the more >> link at the end of the short description. This detailed view contains a longer description, command syntax, and related commands (if they are relevant). To return to the default view, click << less.

Note: You can use the search assistant to quickly access the search command documentation; just click the help link next to the search command. This opens the search command's reference page in a new browser tab.

Use show source to view the raw event

After you run a search, you may want to view a particular result's raw format. To do this, click on the dropdown arrow at the left of the search result and select "Show Source". The Show source window opens and displays the raw data for the event you selected and some surrounding events.

You can also use the Show source window to check the validity of your indexed data. When you open Show source, the event that you selected is highlighted in yellow. Events highlighted in pink mark gaps in the data (events missing from the sequence). Events highlighted in red failed validation and may have been tampered with. The two can occur together: data that has been tampered with may also be indexed out of order and therefore show gaps.

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.
