Splunk® Enterprise

User Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Search interactively with Splunk Web

Both the raw results and timeline are interactive, so you can click to drill down to events of interest, focus on anomalies, or eliminate noise to find the needle in a haystack. Whether you're troubleshooting a customer problem or investigating a security alert, you'll get to the bottom of what happened in minutes rather than hours or days.

In this topic, you'll learn how to:

  • Use search results to narrow your search.
  • Use the fields picker to add search terms.
  • Use the Search assistant to help construct your searches.
  • Use the Show source window to view raw events.

Use search results to narrow your search

Anytime after you run a search, you can highlight and select segments from your search results to add, remove, and exclude those keywords quickly and interactively.

Add new terms to your search

Fields and terms that you include in your search string will appear highlighted in the list of search results. Certain segments (words or phrases) in your search results will highlight as you move your mouse over the list; this indicates that you can add these terms to your search. To add any one of these other segments into your search, click it. Your search updates and filters out all the previous results that don't match.

For example, while searching for Web access events that are errors:

eventtype=webaccess errors

Perhaps, you notice one particular host machine, alpha, appears more frequently than others. You decide to just focus on this host. Instead of typing host=alpha into your search bar, you highlight one occurrence of the field value and click.

Your search string automatically appends the new filter and your search results update to reflect the new search:

eventtype=webaccess errors host=alpha

Remove existing terms from your search

Just as easily as you can add new search terms to your search, you can remove search terms. To do so, click on any of the highlighted segments in your list of search results.

For example, if you searched for Web access errors on a machine called alpha:

eventtype=webaccess errors host=alpha

Then, as you scroll through your results, you decide that you want to see what other Web access activity has occurred on alpha. To do this quickly and without having to edit your search string, you click on one highlighted occurrence of the term "errors" in your results. Your search string and results automatically update to match:

eventtype=webaccess host=alpha

Exclude terms from your search

As you scroll through the list of your search results, you may also notice events that are of no interest to you in your current investigation. To eliminate this noise without manually typing anything into your search bar, use alt-click (for Windows, use ctrl-click). Splunk updates your search to exclude the term you selected.

For example, if you searched for all Web access errors:

eventtype=webaccess errors

Then, you decide that you don't want to see any events from alpha; alt-click (or ctrl-click) on the host value in your results. Your search bar updates to read:

eventtype=webaccess errors NOT host=alpha

All events from alpha are removed from your list of search results.

Add search terms from available fields

Splunk automatically extracts fields from your data when you add it to your index. After you run a search, you'll notice that only three of these default fields display in your event data: host, sourcetype, and source. You can view all the other fields that Splunk identified (if they exist in these search results) and select to make them visible in your event data as well.

In the Search view, the field sidebar is on the left and underneath the Timeline. After you run a search, this sidebar contains the list of fields that are visible in your search results.

Click "Pick fields" underneath the Timeline, to open the Fields popup window. In the Fields window, you can view all the fields that are available in your search results. Select fields from this list to make visible in your search results.

To hide fields (that are already visible), you can click on them in the "Available Fields" list or the "Selected Fields" list. Click "Save" and you'll see your changes applied to the event data in your search results.

Use Search assistant to help construct your searches

Search assistant is a quick reference for users who are constructing searches. By default, search assistant is active; whenever you type terms into the search bar, it will give you typeahead information. When you type in search commands, it will give you descriptions and examples of usage for the command. You can access the search assistant within Splunk Web; click the green down-arrow under the search bar.

The default view displays a short description, some examples, common usage, and common next command. If the search bar is empty (there is no search command in it), Search assistant displays information for the search command.

You can also see lists of common usage and common next commands and expand the lists by clicking the more links next to the headers. When you click on any item in the lists, Splunk appends it to your search.

To see more information, click the more >> link at the end of the short description. This detailed view contains a longer description, command syntax, and related commands (if they are relevant). To return to the default view, click << less.

Note: You can use the search assistant to quickly access the search command documentation; just click the help link next to the search command. This opens the search command's reference page in a new browser tab.

Use show source to view the raw event

After you run a search, you may want to view a particular result's raw format. To do this, click on the dropdown arrow at the left of the search result and select "Show Source". The Show source window opens and displays the raw data for the event you selected and some surrounding events.

You can also use the Show source window to view the validity of your indexed data. When you open Show source, the event that you selected to view is highlighted in yellow. Events highlighted in pink contain gaps in the data. Events highlighted in red may have been tampered with and are not valid. For example, if your data was tampered with, it may be indexed out of order and thus contain gaps.


Turn field discovery off to improve search performance

If you are running a search that ordinarily takes a long time to complete, you can set the Field discovery toggle to Off to make the search run faster.

Field discovery callout.png

The tradeoff is that turning off Field discovery disables automatic field extraction, except for fields that are required to fulfill your search (such as fields that you are specifically searching on) and default fields such as _time, host, source, and sourcetype. The search runs faster because Splunk is no longer trying to extract every field possible from your events.

Field discovery is set to On by default. You should leave it on if you don't know what fields exist in your data and think you might need them to help you narrow down your search in some way.

For more information about searching with fields, see the Capture Knowledge chapter of this manual. For general information about fields and field extraction, see "About fields" in the Knowledge Manager Manual.

PREVIOUS
Use search actions
  NEXT
Change the time range to narrow your search

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters