Splunk® Enterprise

User Manual

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

About capturing knowledge

Once you master the basics of freeform search as described in the "Search and Investigate" chapter, you'll want to take things to a higher level of precision, because the raw data you get from those searches won't always get you to the answers you need.

Leverage Splunk's ability to marry the flexibility of unstructured search with the power of working with structured data. Add knowledge about the events, fields, transactions, and patterns in your data. Discover similar events and group them together with a collective name (an "event type") so you can search on them like you do any other field. Identify transactions that are associated with clusters of events and track them. Group related fields together with tags and aliases. Interactively extract new fields based on event data or external information (such as lookup tables) and add them to your searches.

In this chapter you will:

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
