The Search app
This topic assumes you've just added the sample data for the online Flower & Gift shop. If you haven't, go back to the add data tutorial to get it before proceeding.
Once you have data in Splunk, you're ready to start searching. This topic introduces you to the Search app, which is Splunk's default interface for searching and analyzing data. If you're already familiar with the search interface, you can skip ahead and start searching.
The Backstory: You are a member of the Customer Support team for the online Flower & Gift shop. This is your first day on the job. You want to learn some more about the shop. Some questions you want answered are:
- What does the store sell? How much does each item cost?
- How many people visited the site? How many bought something today?
- What is the most popular item that is purchased each day?
The Splunk server already has data in it--let's take a look at it.
Find the Search app
You can access the Search app from anywhere in Splunk from the App list in the system navigation bar located at the upper right corner.
If the App list is not available, click the << Back to Home link at the top left corner of the page:
Once you're back in Home, select Search from the App list. The first view that you see in the Search app is the Summary dashboard.
The Summary dashboard
The Search app's Summary dashboard displays information about the data that you just uploaded to this Splunk server and gives you the means to start searching this data.
The metrics displayed on this dashboard are generated by saved searches that run behind-the-scenes whenever you access and reload this page. (By the end of this tutorial, you'll be able to run searches, save them, and use them to build your own dashboard, much like this one.)
What's in this dashboard?
The Search app includes many different dashboards and views. For now, you really only need to know about two of them:
- Summary, where you are now
- Search, where you will do most of your searching
Use the Search app navigation bar to locate and access the different views in the Search app. When you click on the links, Splunk takes you to the respective dashboards or refreshes the page if you're already there.
Other things in the Search app UI:
- Searches & Reports: lists all of your saved searches and reports.
- Search bar and Time range picker: enables you to type in your search and select different time ranges over which to retrieve events.
- All indexed data panel: displays metrics about your indexed event data, which include the total number of events you have in your Splunk index(es) and the timestamps of the earliest and latest indexed events. It also tells you when this data was last refreshed (or when you last reloaded this dashboard).
- Sources panel: displays the top sources from the data on your Splunk server.
- Sourcetypes panel: displays the top source types from your Splunk server's data.
- Hosts: displays the top hosts from your Splunk server's data.
If you're using a freshly installed Splunk server for this tutorial, you'll only see the sample data files that you just uploaded. Because it's a one-time upload of a file, this data will not change. When you add more data, there will be more information on this dashboard. If you add data inputs that point to sources that are not static (such as log files that are being written to by applications), the numbers on the Summary page will change as more data comes in from your source(s).
If you're using a shared or pre-installed Splunk server that is deployed in an enterprise environment, you'll probably see much more information on this dashboard.
Kick off a search
1. Take a closer look at the Summary dashboard.
In the Sources panel, you should see three Apache Web server logs and a mySQL database log for the online Flower & Gift shop data that you just uploaded. If you're familiar with Apache Web server logs, you might recognize the access_combined_wcookie Source type as one of the log formats associated with Web access logs. All the data for this source type should give you information about people who access the Flower & Gift shop website.
Searching in Splunk is very interactive. Although you have a search bar in the Summary dashboard, you don't need to type anything into it just yet. Each of the sources, sourcetypes, and hosts listed in the Summary dashboard is a link that will kick off a search when you click on them.
2. In the Sourcetypes panel, click
Splunk takes you to the Search dashboard, where it runs the search and shows you the results:
There are a lot of components to this view, so let's take a look at them before continuing to search.
Splunk paused my search?
If you are searching on a Splunk installation that has more data on it than just this tutorial's sample data, your search might take a bit longer. If your search takes longer than 30 seconds, Splunk will automatically pause it. If autopause pops up, click Resume search. You can read more about autopause in the Admin manual.
What's in this Search dashboard?
The search bar and time range picker should be familiar to you -- they were also in the Summary dashboard. But now you also see a count of events, the timeline, the fields menu, and the list of retrieved events or search results.
- Search actions: Use these buttons to save a search, create a report or dashboard, or print your report to a PDF file.
- Count of matching and scanned events: As the search runs, Splunk displays two running counts of the events as it retrieves them: one is a matching event count and the other is the count of events scanned. When the search completes, the count that appears above the timeline displays the total number of matching events. The count that appears below the timeline and above the events list tells you the number of events during the time range that you selected. As we'll see later, this number changes when you drill down into your investigations.
- Timeline of events: The timeline is a visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, you might notice clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Thus, the timeline is useful for highlighting patterns of events or investigating peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
- Fields sidebar: We mentioned before that when you index data, Splunk by default automatically recognizes and extracts information from your data that is formatted as name and value pairs, which we call fields. When you run a search, Splunk lists all of the fields it recognizes in the fields sidebar next to your search results. You can select other fields to show in your events.
  - Selected fields are fields that are set to be visible in your search results. By default, host, source, and sourcetype are shown.
  - Interesting fields are other fields that Splunk has extracted from your search results.
  - Field discovery is an on/off switch at the top of the Fields menu. Splunk turns Field discovery on by default. If you want to speed up your search, you can turn Field discovery off, and Splunk will extract only the fields required to complete your search.
- Results area: The results area, located below the timeline, displays the events that Splunk retrieves to match your search. By default the results are displayed as a list, but you can also choose to view a table or chart in the area.
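To make the relationship between these components concrete, here is an added Python example (not code from the Splunk documentation or from the product) that models, in simplified form, what the Search dashboard's counts, timeline and fields sidebar are computed from. It indexes a handful of constructed access_combined_wcookie lines plus one constructed MySQL error-log line with host, source and sourcetype metadata, runs the equivalent of clicking a sourcetype link (a filter on `sourcetype`), buckets matching events per hour for the timeline, and discovers name=value fields at search time. The regular expressions, the helper names and the sample lines are assumptions made for this illustration; Splunk's own extraction is considerably more elaborate.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (host, source, sourcetype, raw line). The first
# five follow the Apache access_combined_wcookie layout (combined log format
# plus a trailing quoted cookie); the last is a MySQL-style error-log line.
# Hosts, addresses, paths, session ids and product ids are invented.
SAMPLE_EVENTS = [
    ("www1", "/var/log/apache/access.log", "access_combined_wcookie",
     '10.1.1.5 - - [10/Jan/2012:10:01:02 -0800] "GET /flower_store/category.screen?category_id=ROSES HTTP/1.1" 200 5134 "http://shop.example/" "Mozilla/5.0" "JSESSIONID=SD1SL2FF3ADFF9"'),
    ("www1", "/var/log/apache/access.log", "access_combined_wcookie",
     '10.1.1.5 - - [10/Jan/2012:10:03:44 -0800] "GET /flower_store/product.screen?product_id=FL-ROSE-01 HTTP/1.1" 200 2980 "http://shop.example/category.screen?category_id=ROSES" "Mozilla/5.0" "JSESSIONID=SD1SL2FF3ADFF9"'),
    ("www2", "/var/log/apache/access.log", "access_combined_wcookie",
     '10.1.1.9 - - [10/Jan/2012:11:15:10 -0800] "POST /flower_store/cart.do?action=purchase&itemId=EST-14 HTTP/1.1" 200 1240 "http://shop.example/product.screen" "Mozilla/5.0" "JSESSIONID=SD4SL8FF7ADFF2"'),
    ("www1", "/var/log/apache/access.log", "access_combined_wcookie",
     '10.1.1.22 - - [10/Jan/2012:11:20:31 -0800] "GET /flower_store/oldlink?item_id=EST-7 HTTP/1.1" 404 0 "-" "Mozilla/5.0" "JSESSIONID=SD9SL1FF2ADFF5"'),
    ("www2", "/var/log/apache/access.log", "access_combined_wcookie",
     '10.1.1.9 - - [10/Jan/2012:11:21:05 -0800] "GET /flower_store/cart.do?action=view HTTP/1.1" 500 0 "-" "Mozilla/5.0" "JSESSIONID=SD4SL8FF7ADFF2"'),
    ("db1", "/var/log/mysql/error.log", "mysqld",
     "120110 11:30:02 [Warning] Aborted connection 42 to db: 'flowershop' user: 'web' host: '10.1.1.22'"),
]

# Toy layout for the combined-with-cookie format (assumed, not Splunk's).
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" "(?P<cookie>[^"]*)"$')
# Generic name=value discovery (query strings, cookies).
KV_RE = re.compile(r'(\w+)=([^&\s;"]+)')
# The fields shown by default, per the text above.
SELECTED_FIELDS = ("host", "source", "sourcetype")


def index_time(raw):
    """Timestamp recognition at 'index time' for the two constructed layouts."""
    m = re.search(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]', raw)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
    m = re.match(r'(\d{6} \d{2}:\d{2}:\d{2})', raw)
    if m:
        return datetime.strptime(m.group(1), "%y%m%d %H:%M:%S")
    return None  # no recognised timestamp: excluded from the timeline


def index_event(host, source, sourcetype, raw):
    """Attach metadata and a timestamp to one raw line, as indexing would."""
    return {"host": host, "source": source, "sourcetype": sourcetype,
            "_time": index_time(raw), "_raw": raw}


INDEXED = [index_event(*e) for e in SAMPLE_EVENTS]


def extract_fields(event):
    """Search-time field discovery (toy version): positional access-log
    fields when the line matches that layout, plus any name=value pairs in
    the line. Metadata fields are carried through unchanged."""
    fields = {k: event[k] for k in SELECTED_FIELDS}
    m = ACCESS_RE.match(event["_raw"])
    if m:
        fields.update(m.groupdict())
    for name, value in KV_RE.findall(event["_raw"]):
        fields.setdefault(name, value)  # positional fields take precedence
    return fields


def search(events, **criteria):
    """Keep events whose discovered fields match every name=value criterion,
    e.g. search(INDEXED, sourcetype="access_combined_wcookie", status="404").
    The matching-event count on the dashboard is len() of this result."""
    hits = []
    for ev in events:
        fields = extract_fields(ev)
        if all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(ev)
    return hits


def timeline(events):
    """Event count per hour bucket: the data behind the timeline bars."""
    buckets = Counter()
    for ev in events:
        if ev["_time"] is not None:
            buckets[ev["_time"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(buckets.items()))


def field_summary(events):
    """For each discovered field: (events carrying it, distinct values),
    the two numbers the fields sidebar summarises per field."""
    seen = defaultdict(set)
    counts = Counter()
    for ev in events:
        for name, value in extract_fields(ev).items():
            counts[name] += 1
            seen[name].add(value)
    return {name: (counts[name], len(seen[name])) for name in counts}


def interesting_fields(events):
    """Discovered fields other than the selected host/source/sourcetype."""
    return sorted(f for f in field_summary(events) if f not in SELECTED_FIELDS)


if __name__ == "__main__":
    hits = search(INDEXED, sourcetype="access_combined_wcookie")
    print(len(hits), "matching events")
    print(timeline(hits))
    print(interesting_fields(hits))
    for name, (n, distinct) in sorted(field_summary(hits).items()):
        print(f"{name}: in {n} events, {distinct} distinct values")
```

Running the script filters the six indexed events down to the five web-access events, shows two timeline buckets (10:00 and 11:00) for them, and lists fields such as `status`, `JSESSIONID` and `action` as interesting fields while `host`, `source` and `sourcetype` stay in the selected set. Turning field discovery off in the dashboard corresponds to skipping the `KV_RE` pass here and extracting only what the search criteria require.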
When you're ready, proceed to the next topic to start searching and find out what's up at the flower shop.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7