Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

Get started with Search

This manual discusses the Search & Reporting app and how to use the Splunk search processing language (SPL).

The Search app, the short name for the Search & Reporting app, is the primary way you navigate the data in your Splunk deployment. The Search app consists of a web-based interface (Splunk Web), a command line interface (CLI), and the Splunk SPL.

This image lists the categories of documentation: Getting Started, Search and Report, Administer, Deploy. and Develop.  Within each category are a list of the capabilities that are described in the documentation.

Start Here

If you are new to Splunk Search, the best way to get acquainted is to start with the Search Tutorial. The Search Tutorial introduces you to the Search and Reporting app and guides you through adding data, searching your data, and building simple reports and dashboards.

The Search Tutorial provides a great foundation for understanding Splunk Search.

Getting started in your own environment

After you complete the Search Tutorial, you should learn about the types of data you can explore, how Splunk software indexes data, and about Splunk knowledge objects.

Here are the resources to look at:

Learning the Search app effectively

And of course you need to learn how to use the Search app effectively, which is the focus of this manual. This manual contains detailed conceptual and how information to explain everything.

Basic Search app skills

Detailed Search information


For the catalog of search commands and arguments that make up the Splunk SPL, see the Search Reference.

If you are using Splunk Enterprise, distributed search provides a way to scale your deployment by separating the search management and presentation layer from the indexing and search retrieval layer. For an introduction to distributed search, see the Distributed Search Manual.

See also

Navigating Splunk Web
Using Splunk Search
  NEXT
Navigating Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.6.0, 6.6.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters