Splunk® Enterprise

User Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

Start searching

This topic walks you through simple searches using the Search interface. If you're not familiar with the search interface, go back to the Search app tutorial before proceeding.

It's your first day of work with the Customer Support team for the online Flower & Gift shop. You're just starting to dig into the Web access logs for the shop when you receive a call from a customer who complains about trouble buying a gift for his girlfriend: he keeps hitting a server error when he tries to complete a purchase. He gives you his IP address, 10.2.1.44.

Typeahead for keywords

Everything in Splunk is searchable. You don't have to be familiar with the information in your data because searching in Splunk is free-form and as simple as typing keywords into the search bar and hitting Enter (or clicking that green arrow at the end of the search bar).

In the previous topic, you ran a search from the Summary dashboard by clicking on the Web access source type (access_combined_wcookie). Use that same search to find this customer's recent access history at the online Flower & Gift shop.

1. Type the customer's IP address into the search bar:

sourcetype=access_combined_wcookie 10.2.1.44

As you type into the search bar, Splunk's search assistant opens.


[Screenshot: search assistant typeahead (SearchAssistTypeahead4.3.png)]


Search assistant shows you typeahead, or contextual matches and completions for each keyword as you type it into the search bar. These contextual matches are based on what's in your data. The entries under matching terms update as you continue to type because the possible completions for your term change as well.

Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results Splunk will return. If a term or phrase doesn't exist in your data, you won't see it listed in search assistant.


What else do you see in search assistant?

For now, ignore everything on the right panel next to the contextual help. Search assistant has more uses once you start learning the search language, as you'll see later. And, if you don't want search assistant to open, click "turn off auto-open" and close the window using the green arrow below the search bar.

More keyword searches

2. If you didn't already, run the search for the IP address. (Hit Enter.)

Splunk retrieves the customer's access history for the online Flower & Gift shop.


[Screenshot: search results for the IP address (Start searching IP 4.3.png)]


Each time you run a search, Splunk highlights in the search results what you typed into the search bar.

3. Skim through the search results.

You should recognize words and phrases in the events that relate to the online shop (flower, product, purchase, etc.).


[Screenshot: keywords highlighted in the search results (Start searching IP keywords 4.3.png)]


The customer mentioned that he was in the middle of purchasing a gift, so let's see what we find by searching for "purchase".

4. Type purchase into the search bar and run the search:

sourcetype=access_combined_wcookie 10.2.1.44 purchase

When you search for keywords, your search is not case-sensitive and Splunk retrieves the events that contain those keywords anywhere in the raw text of the event's data.

[Screenshot: search results for the keyword "purchase" (Search results keyword purchase4.3.png)]


Among the results that Splunk retrieves are events that show each time the customer tried to buy something from the online store. Looks like he's been busy!

Use Boolean operators

If you're familiar with Apache server logs, in this case the access_combined format, you'll notice that most of these events have an HTTP status of 200, or Successful. These events are not interesting for you right now, because the customer is reporting a problem.


[Screenshot: search results showing HTTP status 200 (Search results HTTP4.3.png)]


5. Use the Boolean NOT operator to quickly remove all of these Successful page requests. Type in:

sourcetype=access_combined_wcookie 10.2.1.44 purchase NOT 200


You notice that the customer is getting HTTP server (503) and client (404) errors.


[Screenshot: search results showing server (503) and client (404) errors (Server client errors4.3.png)]


But, he specifically mentioned a server error, so you want to quickly remove events that are irrelevant.


Splunk supports the Boolean operators: AND, OR, and NOT. When you include Boolean expressions in your search, the operators have to be capitalized.

The AND operator is always implied between search terms. So the search in Step 5 is the same as:

sourcetype=access_combined_wcookie AND 10.2.1.44 AND purchase AND NOT 200


Another way to add Boolean clauses quickly and interactively to your search is to use your search results.

6. Mouse-over an instance of "404" in your search results and alt-click.

This updates your search string with "NOT 404" and filters out all the events that contain the term.


[Screenshot: search results after excluding 404 with NOT (Search results Boolean server error 4.3.png)]


From these results, you see each time that the customer attempted to complete a purchase and received the server error. Now that you have confirmed what the customer reported, you can continue to drill down to find the root cause.


More about searching for keywords and phrases

When you run a search, you're implicitly using the search command. The search command enables you to use keywords, phrases, fields, Boolean expressions, and comparison expressions to specify exactly which events you want to retrieve from one or more Splunk indexes.

To search with comparison expressions:

  • You can use the "=" and "!=" operators with all field/value pairs.
  • The other comparison operators ("<", "<=", ">", and ">=") work only with fields that have numeric values.

Also, when specifying phrases to match, you can use the TERM() directive. TERM forces Splunk to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as breaks or delimiters (such as underscores and spaces). Read more about this in the search command reference topic.
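The following is an added example, not part of the Splunk documentation: a small Python model of the search semantics described in Step 5 and in this section (implied AND, NOT, case-insensitive keyword matching anywhere in the raw text, "=" and "!=" on any field, and the numeric-only comparison operators), run over constructed access_combined lines. It also shows the caveat the tutorial's "NOT 200" hides: a keyword NOT drops any event containing that token anywhere (here a 404 whose byte count happens to be 200), whereas the field comparison status!=200 does not.

```python
import re

# Constructed sample events in Apache access_combined format (not the tutorial's
# Sampledata.zip); each is treated as sourcetype=access_combined_wcookie.
EVENTS = [
    '10.2.1.44 - - [10/Sep/2012:10:01:02 -0700] "GET /product.screen?id=FL-DLH-02 HTTP/1.1" 200 2536',
    '10.2.1.44 - - [10/Sep/2012:10:02:10 -0700] "POST /cart.do?action=purchase HTTP/1.1" 503 1200',
    '10.2.1.44 - - [10/Sep/2012:10:03:15 -0700] "POST /cart.do?action=purchase HTTP/1.1" 404 200',
    '10.2.1.44 - - [10/Sep/2012:10:04:20 -0700] "POST /cart.do?action=purchase HTTP/1.1" 503 512',
    '10.2.1.44 - - [10/Sep/2012:10:05:30 -0700] "GET /PURCHASE/confirm HTTP/1.1" 200 300',
]
LOG_RE = re.compile(r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+)$')
CMP_RE = re.compile(r'^(?P<field>\w+)(?P<op>!=|>=|<=|=|>|<)(?P<value>.+)$')

def extract_fields(raw: str) -> dict:
    """Search-time field extraction: the named groups plus a fixed sourcetype."""
    fields = LOG_RE.match(raw).groupdict()
    fields["sourcetype"] = "access_combined_wcookie"
    return fields

def term_matches(raw: str, fields: dict, term: str) -> bool:
    m = CMP_RE.match(term)
    if m is None:  # bare keyword: case-insensitive, matched as a whole token anywhere in the raw text
        return term.lower() in re.findall(r"[\w.]+", raw.lower())
    actual, op, value = fields.get(m["field"]), m["op"], m["value"]
    if actual is None:
        return False
    if op in ("=", "!="):  # = and != work on any field/value pair
        return (actual.lower() == value.lower()) == (op == "=")
    try:  # <, <=, >, >= only work when the field value is numeric
        a, b = float(actual), float(value)
    except ValueError:
        return False
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]

def search(query: str, events: list = EVENTS) -> list:
    """Indexes of matching events; AND between terms is implied, NOT negates the next term."""
    clauses, negate = [], False
    for tok in query.split():
        if tok == "AND":
            continue
        if tok == "NOT":
            negate = True
            continue
        clauses.append((negate, tok))
        negate = False
    return [i for i, raw in enumerate(events)
            if all(term_matches(raw, extract_fields(raw), t) != neg for neg, t in clauses)]
```

When building a detection or triage search, prefer a field comparison such as status!=200 or status>=500 to a bare "NOT 200", so that a byte count, timestamp fragment or cookie value containing the same token cannot silently remove events.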


Interactive searching

Splunk lets you highlight and select any segment from within your search results to add, remove, and exclude them quickly and interactively using your keyboard and mouse:

  • To add more search terms, highlight and click the word or phrase you want from your search results.
  • To remove a term from your search, click a highlighted instance of that word or phrase in your search results.
  • To exclude events from your search results, alt-click on the term you don't want Splunk to match.

When you're ready to proceed, go to the next topic to learn how to investigate and troubleshoot interactively using the timeline in Splunk.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

Agree with Rtestagr, no other status codes except 200 are in the sample data if I use the following search term:

sourcetype=access_combined_wcookie AND 10.2.1.44 AND purchase AND NOT 200

I think the problem stems from the "Add Data" step in the beginning when using a Windows host. The regex looks like it only picks up the log file from "apache2.splunk.com".

I had to unzip the Sampledata.zip file, created a separate index (in my case, just called "apache") and pulled in each log file manually into my newly created index.

Now I get a lot more lines in my index, and I can do my search using the following string:

index="apache" AND 10.2.1.44 AND purchase AND NOT 200

Might not be correct, but it allows me to continue with the tutorial...

Tiny3001
October 9, 2012

On Ubuntu 12.04 Firefox browser, Alt-click doesn't do anything. Ctrl-click updates the search with "NOT term", but instead of adding "NOT term" onto the existing search, it replaces the existing search with only that.

Scottadavis
October 2, 2012

Rtestagr: I just downloaded the sample today (9/21) and see those values in my data. Are you running the

sourcetype=access_combined_wcookie AND 10.2.1.44 AND purchase AND NOT 200

search? Or a different one? Are you possibly searching over a different time range? Try all time just in case?

Rachel, Splunker
September 21, 2012

No "404" or "503" codes in sample database downloaded 9/19/2012, so all tutorial examples from that point on are meaningless to me.

Rtestagr
September 19, 2012

Thanks. I've corrected Step 6!

Sophy, Splunker
May 8, 2012

In Step 6: "Mouse-over an instance of "404" in your search results and alt-click (for Windows, use ctrl-click)."

I've found in Windows XP SP2 it is alt-click to enable a "NOT 404"

Charannaik
May 8, 2012

In Step 6: "Mouse-over an instance of "404" in your search results and alt-click (for Windows, use ctrl-click)."

I've found in Windows 2008 it is alt-click to enable a "NOT 404"

Dmarkiewicz
March 1, 2012
