Splunk® Enterprise

Search Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the Search dashboard

In the previous chapter, you learned about the types of data Splunk Enterprise works with, downloaded the tutorial sample data, and added the data into your Splunk index. This section describes how to use the different elements that make up Splunk Search.

Find Splunk Search

1. From Splunk Home, click Search & Reporting under Apps.

6.2tutorial apps sr.png

This opens the Search & Reporting app's Search view.

Before you run a search, the Search view looks like this.

6.2tutorial search default.png


The App bar, which is below the Splunk bar, lets you navigate the different views in the Search & Reporting app.

Before you run a search

Before you run a search, the main parts of Search are the search bar, the time range picker, the How to search panel, and the What to search panel.

Search bar

Use the search bar to run your searches in Splunk Web. Type in your search string and hit enter or click the spyglass icon to the right of the time range picker.

Time range picker

Use the time range picker to retrieve events over a specific time period. For real-time searches you can specify a window over which to retrieve events. For historical searches, you can restrict your search by specifying a relative time range (15 minutes ago, Yesterday, and so on) or a specific date and time range. The time range picker has many preset time ranges that you can select from, but you can also enter a custom time range.

The time range picker is discussed in, "About the time range picker."

How to search

The "How to search" panel links you to the Search Tutorial and Search Manual to learn about how to write searches.

What to search

The "What to search" panel displays a summary of the data that is installed on this Splunk instance and that you are authorized to view. Click Data Summary to open the Data Summary dialog box.

Data summary

The Data Summary dialog box shows three tabs: Hosts, Sources, Sourcetypes.

The host of an event is the host name, IP address, or fully qualified domain name of the network machine from which the event originated.

6.2 datasummary hosts.png


The source of an event is the file or directory path, network port, or script from which the event originated.

6.2 datasummary sources.png


The source type of an event tells you what kind of data it is, usually based on how it is formatted. This classification lets you search for the same type of data across multiple sources and hosts.

6.2 datasummary sourcetypes.png


The source types for the tutorial data are:

  • access_combined_wcookie: Apache web server logs
  • secure: Secure server logs
  • vendor_sales: Global sales vendors

For information about how Splunk Enterprise source types your data, see "Why source types matter" in Getting Data In.

After you run a search

Type the following into the searchbar:

buttercupgames

The New Search page opens.

The search bar and time range picker are still available in this view, but the dashboard updates with many more elements: search action buttons and search mode selector; counts of events; job status bar; and tabs for Events, Statistics, and Visualizations.

6.2tutorial startsearching2.png

The next topics discuss each of these parts of the Search view.

Next steps

Continue reading to learn about restricting searches to a time range.

PREVIOUS
Get the tutorial data into Splunk Enterprise
  NEXT
About the time range picker

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters