Splunk® Enterprise

Search Tutorial

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Use fields to search

To take advantage of the advanced search features in the Splunk software, you must understand what fields are and how to use them.

What are fields?

Fields exist in machine data in many forms. Often, a field is a value with a fixed, delimited position on a line, or a name and value pair, where there is a single value to each field name. A field can be multivalued, that is, a field in a single event can have multiple values in a field.

  • Some examples of fields are clientip for IP addresses accessing your Web server, _time for the timestamp of an event, and host for domain name of a server.
  • One of the more common examples of multivalue fields is email address fields. While the From field will contain only a single email address, the To and Cc fields have one or more email addresses associated with them.

Fields are searchable name and value pairings that distinguish one event from another. Not all events have the same fields and field values. Use fields to write more tailored searches to retrieve the specific events that you want.

Extracted fields

The Splunk software extracts fields from event data at index time and at search time.

Index time
The time span from when the Splunk software receives new data to when the data is written to an index. During index time, the data is parsed into segments and events. Default fields and timestamps are extracted, and transforms are applied.
Search time
The period of time beginning when a search is launched and ending when the search finishes. During search time, certain types of event processing take place, such as search time field extraction, field aliasing, source type renaming, event type matching, and so on.

The default fields and other indexed fields are extracted for each event when your data is indexed.

Search with fields

When you search for fields, you use the syntax field_name=field_value.

  • Field names are case sensitive, but field values are not.
  • You can use wildcards in field values.
  • Quotation marks are required when the field values include spaces.

Let's try a search.

  1. Click Search in the App bar to start a new search. Notice that the time range is set back to the default Last 24 hours.
  2. To search the sourcetype field for any values that begin with access_, run the following search.

    sourcetype=access_*

    This search indicates that you want to retrieve only events from your web access logs and nothing else.

    This search uses a wildcard character in the field value, access_*, to match any Apache web access sourcetype. The source types can be access_common, access_combined, or access_combined_wcookie.

    This screen image shows the sourcetype fields highlighted in the search results.

  3. Scroll through the list of events in your search results.

If you are familiar with the access_combined format of Apache logs, you might recognize some of the information in each event, such as:

  • IP addresses for the users accessing the website.
  • URIs and URLs for the pages requested and referring pages.
  • HTTP status codes for each page request.
  • GET or POST page request methods.

The screen image shows red rectangles around some of the fields in the search results, including an IP address, a URL, an HTTP status code of 200, and a GET page request method.

These are events for the Buttercup Games online store, so you might recognize other information and keywords in the search results, such as Arcade, Simulation, productId, categoryId, purchase, addtocart, and so on.

To the left of the events list is the Fields sidebar. As events are retrieved that match your search, the Fields sidebar updates the Selected Fields and Interesting Fields lists. These are the fields that the Splunk software extracts from your data.

This screen image shows the Fields sidebar and the Events view. The host, source, and sourcetype are highlighted in the Fields sidebar and in the Events view.

When you first run a search the Selected Fields list contains the default fields host, source, and sourcetype. These default fields appear in every event.

Interesting Fields are fields that appear in at least 20% of the events.

Specify additional selected fields

You can designate other fields to appear in the Selected Fields list. When you add a field to the Selected Fields list, the field name and field value are included in the search results.

  1. To add fields to the Selected Fields list, click All Fields at the top of the Fields sidebar.

    The Select Fields dialog box shows a list of fields in your events. The # of Values column shows the number of unique values for each field in the events. Because your search criteria specifies the source type, the sourcetype field has just 1 value. This screen image shows the Select Fields dialog box. Below the title is a bar of filter options where you can select all, deselect all, or type your filter criteria. Below the filter options is a table that lists the fields. The first column is used to expand or collapse detailed information about a field. Another column specifies how many times a field appears in the search results. There is also a column that specifies the field type, for example String and Number.

    The list contains additional default fields, fields that are unique to the source type, and fields that are related to the Buttercup Games online store.
    • In addition to the three default fields that appear automatically in the list of Selected Fields, there are other default fields that are created when your data is indexed. For example, fields that are based on the event timestamp begin with date_*). The field that identifies data that contains punctuation is the punct field. The field that specifies the location of the data in your Splunk deployment is the index field.
    • Other field names apply to the web access logs that you are searching. For example, the clientip, method, and status fields. These are not default fields. They are extracted at search time.
    • Other extracted fields are related to the Buttercup Games online store. For example, the action and categoryId fields.
  2. Select the action, categoryId, and productId fields.
  3. Close the Select Fields dialog box.

The three fields that you selected appear under Selected Fields in the Fields sidebar. The selected fields also appear in the events in your search results, if those fields exist in that particular event. Every event might not have all of the selected fields, as shown in the following image.

This screen image shows the Fields sidebar and the Events view. The fields that you added to the Selected Fields are highlighted in the Fields sidebar. The Events that contain those new selected fields are also highlighted.

Identifying field values

The Fields sidebar displays the number of unique values for each field in the events. These are the same numbers that appear in the Select Fields dialog box.

  1. Under Selected Fields, notice the number 5 next to the action field.
  2. Click the action field.
    The field summary for the action field opens. This screen image shows the summary dialog box for the "action" field. The 5 values for the "action" field are: add to cart, purchase, view, remove, and change quantity.

    In this set of search results there are five values for action. The action field appears in over 50% of your search results.
  3. Close the action field summary window.
  4. Review the other two fields you added to the Selected fields. The categoryId field identifies the types of games or other products that are sold by the Buttercup Games online store. The productId field contains the catalog numbers for each product.
  5. Scroll through the events list.
  6. The i column contains event information. In the i column, click the arrow ( > ) next to an event to expand the event information.

This screen image shows that the Information column is the first column in the Event viewer area. The event information for the second event is expanded. Each of the fields in the event is listed in categories: selected, event, time, and default. Additionally, the expanded information shows that you can take actions on the event and on each field.

You can use this expanded panel to view all the fields in a particular event, and select or deselect individual fields for an individual event.

Run targeted searches

The following examples are searches that use fields.

Search for purchases

Search for successful purchases from the Buttercup Games store.

  1. Start a new search.
  2. In the time range picker, select Yesterday from the Presets list.
  3. Run the following search.

    sourcetype=access_* status=200 action=purchase

    This search uses the HTTP status field, status, to specify successful requests and the action field to search only for purchase events.

    You can also search for failed purchases in a similar manner using status!=200, which looks for all events where the HTTP status code is not equal to 200.

  4. Change the status portion of the search to status!=200 and run the search again.

    sourcetype=access_* status!=200 action=purchase

Search for errors

The way that errors are designed in events varies from source to source. To search for errors, your search must specify these different designations.

Use Boolean operators to specify different error criteria. Use parenthesis to group parts of your search string.

  1. Start a new search.
  2. Change the time range to All time.
  3. Run the following search.

    (error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)

  4. Click on sourcetype in the Selected Fields list.
    This search does not specify a source type. The search retrieves events from both the secure log files and the web access log files.

Search for sales of a specific product

Search for how many simulation style games were bought yesterday.

  1. Change the time range to Yesterday.

    If you downloaded the tutorialdata.zip file more than one day ago, there are no events that have a timestamp for yesterday. Instead, change the time range picker to All time and run the previous search. In the search results, look at the dates. Use the Date Range option in the time range picker to specify one of the dates in your results.

  2. Run the following search.

    sourcetype=access_* status=200 action=purchase categoryId=simulation

    As you type the search, the Search Assistant shows you a list of your previous searches that start with "sourcetype". You can select the search that you ran earlier to search for successful purchases. Then add categoryId=simulation to the end of that search.

    The count of events returned are the number of simulation games purchased.

  3. Find the number of purchases for each type of product sold on the Buttercup Games online store.
    1. Remove categoryId=simulation from your search criteria and run the search again.
    2. Locate the unique categoryId values by clicking on the categoryId field in the Selected Fields list.
    3. Click on a categoryId name, such as ACCESSORIES. The categoryId is added to your search and the search is automatically run again. The results show the number of purchases for that product.
  4. For the number of purchases made each day of the previous week, run the search again for each time range.

Next step

You can use your knowledge about fields to take advantage of the Splunk search processing language to generate statistics and build charts.

Let's learn how to use the search language.

See also

In the Knowledge Manager Manual

About fields
Use default fields
When extracts fields
Last modified on 17 April, 2019
 

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters