Whats in Splunk Search
Splunk Search is an app that enables you to run searches, build reports, and create dashboards. This topic discusses the parts of the Search app.
Access the Search app from anywhere in Splunk from the App list in the system navigation bar located at the upper right corner. When you first enter Splunk Search, you're taken to the Search Summary dashboard. After you run a search, you will see more actions for managing in-progress searches and options to manage finalized searches.
Menu items in the app navigation bar:
- Status: Use this menu to access dashboards that monitor the status of index and server activities on your Splunk instance.
- Dashboards & Views: Use this menu to access other dashboards in the Search app.
- Searches & Reports: Use this menu to access and manage all of your saved searches and reports.
The Search Summary
The Summary dashboard displays information about the data that you just uploaded to this Splunk server and gives you the means to start searching this data. The metrics displayed on this dashboard are generated by saved searches that run behind-the-scenes whenever you access and reload this page.
- Search bar Use the search bar to type in your search string.
- Time range menu: Select a time range over which to retrieve events.
- All indexed data panel: Displays metrics about your indexed event data. which include the total number of events you have in your Splunk index(es) and the timestamps of the earliest and latest indexed event. It also tells you when this data was last refreshed (or when you last reloaded this dashboard).
- Sources panel: Displays the top sources from the data on your Splunk server.
- Source Types panel: Displays the top source types from your Splunk server's data.
- Hosts: Displays the top hosts from your Splunk server's data.
The Search view
The search bar and time range picker should be familiar to you -- it was also in the Summary dashboard. But, now you also see a count of events, the timeline, the fields menu, and the list of retrieved events or search results.
- Search mode: Use Search mode to control the search experience. You can set it to speed up searches by cutting down on the event data it returns (Fast mode), or you can set it to return as much event information as possible (Verbose mode). In Smart mode (the default setting) it automatically toggles search behavior based on the type of search you're running. See "Set search mode to adjust your search experience" in the Search Manual for more information.
- Search actions: Use these buttons to control the search job before the search completes, or perform actions on the results after the search completes. If the button is not available, it will be inactive and greyed out.
- If you're running a search that takes a long time to complete, you might want to: Send to background, Pause, Finalize, Cancel, or Inspect.
- After the search completes you can Print the results.
- Use the Save menu to access save options for the search and search results.
- Use the Create menu to create dashboards, alerts, reports, etc.
- Count of matching and scanned events: As the search runs, Splunk displays two running counts of the events as it retrieves them: one is a matching event count and the other is the count of events scanned. When the search completes, the count that appears above the timeline displays the total number of matching events. The count that appears below the timeline and above the events list, tells you the number of events during the time range that you selected. As we'll see later, this number changes when you drill down into your investigations.
- Timeline of events: The timeline is a visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, you might notice clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Thus, the timeline is useful for highlighting patterns of events or investigating peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
- Fields sidebar: When you index data, Splunk by default automatically recognizes and extracts information from your data that is formatted as name and value pairs, which we call fields. When you run a search, Splunk lists all of the fields it recognizes in the fields sidebar next to your search results. You can select other fields to show in your events. Also, you can hide this sidebar and maximize the results area.
- selected fields are fields that are set to be visible in your search results. By default, host, source, and sourcetype are shown.
- interesting fields are other fields that Splunk has extracted from your search results.
- Results area: The results area, located below the timeline, displays the events that Splunk retrieves to match your search.
- By default, the results are displayed as a list of events, ordered from most recent. You can use the icons at the upper left of the panel to view the results as a table (click on the Table icon) or chart (click on the Chart icon).
- If you want to export the search results, use the Export button. You can specify the output format as CSV, raw events, XML, or JSON.
- Select Options to change how the events display in the results area, for example: wrap results, show or hide row numbers, etc.
Welcome to the Search Manual
Perform actions on running searches
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18