Splunk® Enterprise

Search Manual

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Welcome to the Search Manual

Now you've got all that data in your system...what do you want to do with it? Start by using Splunk's powerful search functionality to look for anything, not just a handful of predetermined fields. Combine time and term searches. Find errors across every tier of your IT infrastructure and track down configuration changes in the seconds before a system failure occurs.

This manual discusses the search language and how to write a search in Splunk.

Before you start reading about search, make sure you:

  • Have access to data on your local machine or a remote server. Read more about getting data into Splunk in the "Getting Data In Manual".
  • Understand how indexing works in Splunk. Read more about how Splunk processes data in the "Managing Indexers Manual".
  • Understand fields and knowledge objects, such as source type and event type. Read more about Knowledge objects in Splunk in the "Knowledge Manager Manual".
  • Are familiar with the Search app and the search and reporting dashboards. If you're new to Splunk and search, the "Splunk Tutorial" is a great place to start: it guides you through adding data, searching your data, and building simple reports and dashboards.

If you're just interested in the list of search commands and arguments available for searching in Splunk, refer to the Search Reference Manual.

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18
