Splunk® Enterprise

Search Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Set search mode to adjust your search experience

You can use the search mode selector to provide a search experience that fits your needs. Depending on how you set it you can see all the data available for your search (at the expense of longer search times), or you can speed up and streamline your search in certain ways.

The search mode selector is at the upper right-hand corner of the search bar. The available modes are Smart (default), Fast, and Verbose:

5.0 search mode.jpg

The Fast and Verbose modes represent the two ends of the search mode spectrum. The default Smart mode switches between them depending on the type of search that you are running. Whenever you first run a saved search, it will run in Smart mode.

Selecting the Fast mode

If you select Fast, you want Splunk to put search performance first, and you're not interested in seeing nonessential field or event data. This means that it won't return all of the data possible for the search--only what is essential and required. When you use the Fast search mode, Splunk:

  • Disables field discovery. Field discovery is the process Splunk uses to extract fields aside from default fields such as host, source, and sourcetype. This means that Splunk only returns information on default fields and fields that are required to fulfill your search (if you are searching on certain fields, it will extract those fields).
  • Only depicts search results as report result tables or visualizations when you run a reporting search (a search that includes reporting commands). Under the Fast mode you'll only see event lists and see event timelines for searches that do not include reporting commands.

Selecting the Verbose mode

If you select Verbose, you want Splunk to return all of field and event data it possibly can, even if it means the search takes longer to complete, and even if the search includes reporting commands. When you run a search using the Verbose search mode, Splunk:

  • Discovers all of the fields it can. This includes default fields, automatic search-time field extractions, and all user-defined index-time and search-time field extractions. Discovered fields are displayed in the left-hand sidebar.
  • Returns an event list view of results and generates the search timeline. It also generates report tables and visualizations if your search includes reporting commands.

You may want to use the Verbose mode if you're putting together a reporting search but aren't exactly sure what fields you need to report on, or if you need to verify that you are summarizing the correct events.

Note: Searches cannot benefit from report acceleration when you run them in Verbose mode. If you selected Turn on acceleration when you saved the search and it has been running faster as a result, be aware that if you switch the mode of the search to Verbose it will run at a slower, non-accelerated pace.

Report acceleration is designed to be used with slow-completing searches that have over 100k events and which utilize reporting commands. For more information see "Save searches and share search results," in the Knowledge Manager Manual.

Selecting the Smart mode

Smart is the default search mode. It's also the mode that all saved searches run in when you first run them. It's designed to give you the best results for the search you're running. If you're just searching on events, you get all the event information you need. If you're running a reporting search, Splunk favors speed over thoroughness and brings you straight to the report result table or visualization.

When you run a Smart mode search that does not include reporting commands, Splunk behaves as if it were in Verbose mode. It:

  • Discovers all the fields it can.
  • Generates the full event list and event timeline. No event table or visualization will appear because you need reporting commands to make those happen.

When you run a Smart mode search that does include reporting commands, Splunk behaves as if it were in Fast mode. It:

  • Disables field discovery.
  • Does not waste time generating the event list and event timeline and jumps you straight to the report result table or visualization.

For more information about reporting commands and reporting searches, see "About reporting commands" in the Search Manual.

PREVIOUS
Perform actions on running searches
  NEXT
About the search assistant

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Is there a way to configure the default search mode globally or per role?

Arexpertz, Splunker
March 19, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters