Application Management

Explore the Search app



Before you start troubleshooting, take a minute to explore the Search app, Splunk's default interface for searching and analyzing data. (Do it now, before you have a real problem.) The Search app lets you search data, refine your searches, access saved searches, and more. It also shows the additional information Splunk added to your data when it indexed it. To see how events appear in the Search app:

1. Go to the Search app and type the following search string to retrieve all of the data in your test index:

index=test

2. Select Last 15 minutes from the time range picker directly to the right of the search box. Selecting a time range automatically runs the search for you. If the events in your test index are older than 15 minutes, nothing will appear; pick a wider range until you see them.

[Screenshot: AppManageSearch.png, the main window of the Search app]

The main window of the Search app includes the following:

Search bar: entry bar where you type a search; press Enter or Return to run the search.

Time range picker: menu where you select a time range for the search.

Timeline: histogram of the result count over time. If you are running a real-time search, the timeline updates automatically. Use the timeline to see what is happening to your data during an investigation; a DoS attack, for example, might show up as a spike in event volume. Even when the problem is not obvious at first, you can often reach it by throwing out "noise": successively modify your search, adding and excluding terms, to narrow in on the data you know is important.

Events window (lower right): list of events that match the search. An event is a single entry in a Splunk index; it usually corresponds to one entry in a log file or other data input, enhanced with additional information such as fields that help you make sense of the data and build more precise searches. Events are displayed in time order.

Field menu (lower left): list of extracted fields. By default, three fields appear at the top - host, source, and sourcetype. These fields, along with _time, are the default fields Splunk assigns when it indexes the data, and Splunk relies on them throughout searching.

The field menu also displays other fields Splunk has extracted from your data or that you have created. Because the web server logs in this example use key=value pairs, Splunk automatically extracted those fields at search time, such as callerID.

Note: In version 4.1 and higher, Splunk limits the automatic field display to the first 50 fields in your data. Fields extracted in other ways and fields mentioned explicitly in your search are always displayed.
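The procedure above and the descriptions of the timeline and field menu are easier to reason about with a runnable model. The following Python is an added example written for this page, not Splunk code and not from the original documentation: on a constructed key=value web server log it imitates how events receive their default fields at index time, how key=value fields such as callerID are extracted automatically, how excluding a noisy term (the equivalent of adding NOT callerID=monitor to the search string) makes a burst stand out in the timeline, and how the field menu lists host, source and sourcetype first and is capped at 50 fields. The index name test, the host web01, the source path and the sourcetype name are assumed values, and the log lines are constructed, not real data.

```python
"""Model of what the Search app does with a key=value web server log.

Added example for this page, not Splunk code: it imitates indexing, the
default fields, automatic key=value extraction, search refinement with
NOT-style exclusions and the timeline histogram, on a constructed sample.
"""
import re
from collections import Counter
from datetime import datetime, time, timedelta

# Constructed sample (not real data): 'monitor' pings are steady noise,
# the scanner01 burst of failed logins at 10:02 is the event of interest.
SAMPLE_LOG = """\
2010-05-01 10:00:05 callerID=monitor action=ping status=200
2010-05-01 10:00:25 callerID=monitor action=ping status=200
2010-05-01 10:00:45 callerID=monitor action=ping status=200
2010-05-01 10:00:50 callerID=alice action=login status=200
2010-05-01 10:01:05 callerID=monitor action=ping status=200
2010-05-01 10:01:25 callerID=monitor action=ping status=200
2010-05-01 10:01:30 callerID=bob action=view status=200
2010-05-01 10:01:45 callerID=monitor action=ping status=200
2010-05-01 10:02:05 callerID=monitor action=ping status=200
2010-05-01 10:02:10 callerID=scanner01 action=login status=401
2010-05-01 10:02:11 callerID=scanner01 action=login status=401
2010-05-01 10:02:12 callerID=scanner01 action=login status=401
2010-05-01 10:02:13 callerID=scanner01 action=login status=401
2010-05-01 10:02:14 callerID=scanner01 action=login status=401
2010-05-01 10:02:25 callerID=monitor action=ping status=200
2010-05-01 10:02:45 callerID=monitor action=ping status=200
2010-05-01 10:03:05 callerID=monitor action=ping status=200
2010-05-01 10:03:25 callerID=monitor action=ping status=200
2010-05-01 10:03:45 callerID=monitor action=ping status=200
2010-05-01 10:03:50 callerID=alice action=logout status=200
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def extract_kv(raw):
    """Automatic key=value extraction; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}


def index_events(raw_lines, index, host, source, sourcetype):
    """Build events: _raw and _time from the line, the default fields from
    the data input (assumed values below), plus the extracted fields."""
    events = []
    for raw in raw_lines:
        event = {"_raw": raw, "_time": datetime.strptime(raw[:19], TIME_FMT),
                 "index": index, "host": host, "source": source,
                 "sourcetype": sourcetype}
        event.update(extract_kv(raw))
        events.append(event)
    return sorted(events, key=lambda e: e["_time"], reverse=True)  # newest first


def _matches(event, term):
    """A search term is either field=value or a bare keyword matched in _raw."""
    if "=" in term:
        field, value = term.split("=", 1)
        return field in event and str(event[field]) == value
    return term.lower() in event["_raw"].lower()


def search(events, include=(), exclude=()):
    """Keep events matching every include term and no exclude term, like
    adding 'term' and 'NOT term' to the search string in the Search app."""
    return [e for e in events
            if all(_matches(e, t) for t in include)
            and not any(_matches(e, t) for t in exclude)]


def timeline(events, bucket_seconds=60):
    """Event count per time bucket: the histogram the timeline draws."""
    counts = Counter()
    for e in events:
        t = e["_time"]
        secs = t.hour * 3600 + t.minute * 60 + t.second
        start = datetime.combine(t.date(), time.min) + timedelta(
            seconds=secs - secs % bucket_seconds)
        counts[start.strftime("%H:%M:%S")] += 1
    return dict(sorted(counts.items()))


def field_summary(events, limit=50):
    """Field menu contents: host, source, sourcetype first, then the other
    fields by how many events carry them, capped as 4.1 caps the display."""
    counts = Counter()
    for e in events:
        counts.update(k for k in e if not k.startswith("_"))
    defaults = ["host", "source", "sourcetype"]
    others = sorted((k for k in counts if k not in defaults),
                    key=lambda k: (-counts[k], k))
    return (defaults + others)[:limit]


# Assumed input settings for the sample; in Splunk these come from the data input.
EVENTS = index_events(SAMPLE_LOG.splitlines(), index="test", host="web01",
                      source="/var/log/httpd/access_log", sourcetype="access_kv")

if __name__ == "__main__":
    everything = search(EVENTS, include=["index=test"])
    print("all events: ", timeline(everything))
    print("NOT monitor:", timeline(search(everything, exclude=["callerID=monitor"])))
    print("fields:     ", field_summary(EVENTS))
```

Running it prints the per-minute histogram before and after the exclusion: the failed-login burst at 10:02 is half hidden under the monitor pings in the first histogram and unmistakable in the second, which is the noise-removal pattern the timeline description recommends. The field menu output shows the three default fields first, followed by the automatically extracted action, callerID and status.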

For more about the Search app interface, see Add data and kick off your first search in the User manual.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8

