Splunk® Enterprise

Search Manual


Types of searches

As you search, you will begin to recognize patterns and identify more information that can be useful as searchable fields. You can configure Splunk software to recognize these new fields as you index new data, or you can create new fields as you search. Whatever you learn, you can capture it as knowledge about fields, events, and transactions, and add or edit that knowledge alongside your event data. Capturing this knowledge helps you to construct more efficient searches and build more detailed reports.

Before delving into the language and syntax of search, you should ask what you are trying to accomplish. Generally, after getting data into your Splunk deployment, you want to:

  • Investigate to learn more about the data you just indexed or to find the root cause of an issue.
  • Summarize your search results into a report, whether tabular or other visualization format.


Because of this, you might hear us refer to two types of searches: Raw event searches and transforming searches.

Raw event searches

Raw event searches are searches that just retrieve events from an index or indexes, and are typically used when you want to analyze a problem. Some examples of these searches include: checking error codes, correlating events, investigating security issues, and analyzing failures. These searches do not usually include search commands (except the search command itself), and the results are typically a list of raw events.

Transforming searches

Transforming searches are searches that perform some type of statistical calculation against a set of results. These are searches where you first retrieve events from an index and then pass the events into one or more search commands. These searches will always require fields and at least one of a set of statistical commands. Some examples include: getting a daily count of error events, counting the number of times a specific user has logged in, or calculating the 95th percentile of field values.

Information density

Whether you are retrieving raw events or building a report, you should also consider whether you are running a search for sparse or dense information:

  • Sparse searches are searches that look for a single event or an event that occurs infrequently within a large set of data. You have probably heard these referred to as "needle in a haystack" or "rare term" searches. Some examples of these searches include: searching for a specific and unique IP address or error code.
  • Dense searches are searches that scan through and report on many events. Some examples of these searches include: counting the number of errors that occurred or finding all events from a specific host.
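To make the categories above concrete, here are added example searches written in SPL (these are not from the Splunk documentation), listed in this order: a sparse raw event search for one IP address, a dense raw event search for all error events from one host, a transforming search that counts error events per day, a transforming search that counts logins per user, and a transforming search that computes a 95th percentile. The index names (firewall, web, auth) and field names (src_ip, status, action, user, response_time) are assumptions and must match the fields actually extracted from your own data.

```spl
index=firewall src_ip="203.0.113.45"

index=web host="web-01" status>=500

index=web status>=500 | timechart span=1d count AS errors

index=auth action=success | stats count AS logins BY user | sort - logins

index=web | stats perc95(response_time) AS p95_response BY host
```

The first two searches contain no command other than the implicit search and return raw events; the last three pipe the retrieved events into timechart or stats, so they need the named fields to exist and return a table rather than an event list.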


See How search types affect Splunk Enterprise performance in the Capacity Planning Manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3

