Splunk® Enterprise

Search Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Start searching

You uploaded the tutorial data file into Splunk and read about how to use Splunk Search. In this section, you start searching that tutorial data. This topic discusses searches that retrieve events from the index.

What to search

Click Search in the App navigation bar.

Look at the What to search panel.

[Screenshot: the What to search panel in the Search app]

Review the tutorial data, which represents a fictitious online game store, called Buttercup Games. The tutorial data includes five hosts, eight sources, and three source types. The three source types are Apache web access logs (access_combined_wcookie), Linux secure formatted logs (secure), and the vendor sales log (vendor_sales).

Most of this tutorial covers searching the Apache web access logs and correlating them with the vendor sales logs.

Retrieve events from the index

You have data for an online store that sells a variety of games. Try to find out what types of games are sold: strategy, arcade, simulation, shooter, sports?

1. Open Splunk Search, and type buttercupgames into the search bar:

[Screenshot: the Search Assistant suggesting completions as buttercupgames is typed into the search bar]

As you type, the Search Assistant opens and suggests completions for your search based on terms that match in your events. The Search Assistant also displays the number of matches for each suggested term, which gives you an idea of how many search results Splunk will return. If a term or phrase does not exist in your data, it is not listed in the Search Assistant. The Search Assistant has more uses after you start learning the Splunk Enterprise search processing language.

If you do not want the Search Assistant to open automatically, click Auto Open to remove the check mark. If you need the Search Assistant after you turn off Auto Open, click the down arrow below the search bar to open it again. Clicking Auto Open toggles it on or off.

When you run the search for buttercupgames, Splunk Enterprise retrieves 36,819 events.

2. Search for simulation and strategy games. Use Boolean directives: AND, OR, NOT. For example:

buttercupgames (simulation OR strategy)

Boolean directives must be in capital letters. The AND directive is implied between terms, so you do not need to write it. You can use parentheses to group terms. When a Boolean expression is evaluated, terms inside parentheses take precedence, and AND and NOT clauses are evaluated before OR clauses.
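To make the precedence rules above concrete, the following Python snippet is an added example (not Splunk's code) that models how the implicit search command evaluates keyword queries: implied AND, capitalised AND/OR/NOT, parentheses, and NOT/AND binding before OR. It assumes a simplified matching rule (case-insensitive, whole-word) and runs over a few constructed events shaped like the tutorial's web access logs.

```python
# Added example (not Splunk's code): a toy evaluator for the keyword syntax this page describes.
import re

SAMPLE_EVENTS = ["GET /category.screen?categoryId=SIMULATION host=www.buttercupgames.com",
                 "GET /category.screen?categoryId=STRATEGY host=www.buttercupgames.com",
                 "GET /category.screen?categoryId=ARCADE host=www.buttercupgames.com",
                 "GET /category.screen?categoryId=STRATEGY host=www.example.com"]  # constructed

def parse_query(query):  # tree of ('term', w), ('not', x), ('and', x, y), ('or', x, y)
    toks = re.findall(r"\(|\)|[^\s()]+", query)
    def parse_or():  # lowest precedence: OR
        left = parse_and()
        while toks and toks[0] == "OR":
            toks.pop(0)
            left = ("or", left, parse_and())
        return left
    def parse_and():  # AND is implied between adjacent terms, so the keyword is optional
        left = parse_not()
        while toks and toks[0] not in ("OR", ")"):
            if toks[0] == "AND":
                toks.pop(0)
            left = ("and", left, parse_not())
        return left
    def parse_not():  # highest precedence: NOT, then parentheses and plain terms
        tok = toks.pop(0) if toks else None
        if tok == "NOT":
            return ("not", parse_not())
        if tok == "(":
            inner = parse_or()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in query")
            return inner
        if tok in (None, ")"):
            raise ValueError("unexpected end of query or stray ')'")
        return ("term", tok.lower())  # lowercase 'or'/'and'/'not' are ordinary terms
    tree = parse_or()
    if toks:  # a leftover ')' means the parentheses are unbalanced
        raise ValueError("unbalanced parentheses in query")
    return tree

def matches(node, words):
    if node[0] == "term":
        return node[1] in words
    if node[0] == "not":
        return not matches(node[1], words)
    return (all if node[0] == "and" else any)(matches(c, words) for c in node[1:])

def search(query, events=SAMPLE_EVENTS):  # simplified: case-insensitive whole-word matching
    tree = parse_query(query)
    return [e for e in events if matches(tree, set(re.findall(r"[a-z0-9]+", e.lower())))]
```

Compare `search("buttercupgames simulation OR strategy")` with `search("buttercupgames (simulation OR strategy)")`: without the parentheses the implied AND binds first, so the strategy event from the other host is also returned.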

The search command

Each time you type keywords and phrases, you implicitly use the search command to retrieve events from a Splunk index. The search command lets you use keywords, phrases, fields, boolean expressions, and comparison expressions to specify which events you want to retrieve.

For information about other search methods, see "Use the search command" in the Search manual. See the search command topic in the Search Reference.

Next steps

Go to "Use fields to search" to learn how to search with fields.

Last modified on 28 June, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14
