Splunk Storm User Manual

 


Change the time range

Change the time range

This topic assumes that you're familiar with running ad hoc searches and using the timeline. If you're not sure, review the previous topics on searching and using the timeline.

This topic shows you how to narrow the scope of your investigative searching over any past time range. If you have some knowledge about when an event occurred, use it to target your search to that time period for faster results.

It's your second day of work with the Customer Support team for the online Flower & Gift shop. You just got to your desk. Before you make yourself a cappuccino, you decide to run a quick search to see if there were any recent issues you should be aware of.

1. Return to the Search dashboard and type in the following search over all time:

error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503))
This search uses parentheses to group together expressions for more complicated searches. When evaluating Boolean expressions, Storm performs the operations within the innermost parentheses first, followed by the next pair out. When all operations within parentheses are completed, Storm evaluates OR clauses, then, AND or NOT clauses.

Also, this search uses the wildcarded shortcut, "access_*", to match the Web access logs. If you have different source types for your Apache server logs, such as access_common and access_combined, this will match them all.

This searches for general errors in your event data over the course of the last week. Instead of matching just one type of log, this searches across all the logs in your index. It matches any occurrence of the words "error", "failed", or "severe" in your event data. Additionally, if the log is a Web access log, it looks for HTTP error codes, "404", "500", or "503".


Storm tutorial timerange.png


This search returns a significant amount of errors. You're not interested in knowing what happened over All time, even if it's just the course of a week. You just got into work, so you want to know about more recent activity, such as overnight or the last hour. But, because of the limitations of this dataset, let's look at yesterday's errors.

2. Drop down the time range picker and change the time range to Other > Yesterday.


Storm tutorial timerange1.png


By default, Storm searches across all of your data; that is, the default time range for a search is across "All time". If you have a lot of data, searching on this time range when you're investigating an event that occurred 15 minutes ago, last night, or the previous week just means that Storm will take a long time to retrieve the results that you want to see.


3. Selecting a time range from this list automatically runs the search for you. If it doesn't, just hit Enter.


Storm tutorial timerange2.png


This search returns events for general errors across all your logs, not just Web access logs. (If your sample data file is more than a day old, you can still get these results by selecting Custom time and entering the last date for which you have data.) Scroll through the search results. There are more mySQL database errors and some 404 errors. You ask the intern to get you a cup of coffee while you contact the Web team about the 404 errors and the IT Operations team about the recurring server errors.


Storm also provides options for users to select to search a continuous stream of incoming events:
  • Real-time enables searching forward in time against a continuous stream of live incoming event data. Because the sample data is a one-time upload, running a real-time search will not give us any results right now. We will explore this option later.
  • Read more about real-time searches and how to run them in "Search and report in real-time" in the Splunk Enterprise documentation. Note that any references in the Splunk Enterprise documentation to the CLI and configuration files are not relevant for Splunk Storm.

For more information about your time range options, see "Select time ranges to apply to your search" in the Splunk Enterprise documentation.


Up to now, you've run simple searches that matched the raw text in your events. You've only scratched the surface of what you can do in Storm. When you're ready to proceed, go on to the next topic to learn about fields and how to search with fields.

This documentation applies to the following versions of Storm: Storm View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!