About the Search dashboard
In the previous chapter, you learned about the types of data Splunk Enterprise works with, downloaded the tutorial sample data, and added the data into your Splunk index. This chapter familiarizes you with Splunk Search. There are a few things to cover before you start searching the sample data.
Find Splunk Search
If you are in Splunk Home, look for the Search & Reporting app and click Search. This takes you to the Search landing page.
Before you run a search...
Before you run a search, note the main parts of Search: the search bar, the time range picker, the How to search panel, and the What to search panel.
Use the search bar to run your searches in Splunk Web. Type in your search string and hit enter or click the spyglass icon to the right of the time range picker.
Time range picker
Use the time range picker to retrieve events over a specific time period. For real-time searches you can specify a window over which to retrieve events. For historical searches, you can restrict your search by specifying a relative time range (15 minutes ago, Yesterday, and so on) or a specific date and time range. The time range picker has many preset time ranges that you can select from, but you can also enter a custom time range.
The time range picker is discussed in detail in "About the time range picker".
How to search
The "How to search" panel links you to the Search Tutorial and Search Manual to learn about how to write searches.
What to search
The "What to search" panel displays a summary of the data that is installed on this Splunk instance and that you are authorized to view. To see this data, click Data Summary.
The Data Summary dialog box opens, which displays three tabs: Hosts, Sources, Sourcetypes.
The host of an event is typically the host name, IP address, or fully qualified domain name of the network machine from which the event originated.
The source of an event is the file or directory path, network port, or script from which the event originated.
The source type of an event tells you what kind of data it is, usually based on how it's formatted. This classification lets you search for the same type of data across multiple sources and hosts.
For information about how Splunk Enterprise source types your data, read "Why source types matter" in the Getting Data In manual.
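The time range picker and the Data Summary dialog described above can be pictured as two operations over a set of events: narrow the events to an absolute window derived from a preset such as "Last 15 minutes" or "Yesterday", then tabulate the survivors by host, source, or sourcetype with a count and a last-seen time. The following Python is an added illustration written for this page, not Splunk code and not the tutorial data: the events, the fixed "now" timestamp, the preset-to-window arithmetic, and the function names are all constructed here. It also adds one check a defender typically wants from the Hosts tab: which hosts have sent data at some point but are silent in the current window, which is how a stalled forwarder or a disabled log source shows up.

```python
from datetime import datetime, timedelta

# Constructed sample events (not Splunk's tutorial data). Each record carries the
# three metadata fields the Data Summary dialog tabulates: host, source, sourcetype.
SAMPLE_EVENTS = [
    {"_time": "2024-05-02T09:58:10", "host": "www1", "source": "/var/log/secure",
     "sourcetype": "linux_secure", "_raw": "Failed password for root from 10.0.0.5"},
    {"_time": "2024-05-02T09:50:00", "host": "www1", "source": "/var/log/secure",
     "sourcetype": "linux_secure", "_raw": "Accepted publickey for deploy from 10.0.0.9"},
    {"_time": "2024-05-02T09:40:00", "host": "www2", "source": "/var/log/secure",
     "sourcetype": "linux_secure", "_raw": "session opened for user deploy"},
    {"_time": "2024-05-02T09:55:30", "host": "www2", "source": "/var/log/httpd/access_log",
     "sourcetype": "access_combined", "_raw": '10.0.0.7 - - "GET /login HTTP/1.1" 200'},
    {"_time": "2024-05-01T23:15:00", "host": "db1", "source": "/var/log/mysqld.log",
     "sourcetype": "mysqld", "_raw": "Access denied for user 'app'@'10.0.0.7'"},
    {"_time": "2024-05-01T00:30:00", "host": "www1", "source": "/var/log/httpd/access_log",
     "sourcetype": "access_combined", "_raw": '10.0.0.8 - - "GET / HTTP/1.1" 200'},
]

# Assumed "current" time so the example is deterministic; a real search uses the clock.
NOW = datetime(2024, 5, 2, 10, 0, 0)


def resolve_time_range(preset, now=NOW):
    """Map a time-range-picker preset to an absolute [earliest, latest) window.

    The preset names mirror the picker's labels; the arithmetic is this example's
    own assumption about what each label means.
    """
    if preset == "Last 15 minutes":
        return now - timedelta(minutes=15), now
    if preset == "Last 24 hours":
        return now - timedelta(hours=24), now
    if preset == "Yesterday":
        start_of_today = now.replace(hour=0, minute=0, second=0, microsecond=0)
        return start_of_today - timedelta(days=1), start_of_today
    if preset == "All time":
        return datetime.min, datetime.max
    raise ValueError(f"unknown preset: {preset}")


def events_in_range(events, earliest, latest):
    """Keep only events whose timestamp falls inside [earliest, latest)."""
    return [ev for ev in events
            if earliest <= datetime.fromisoformat(ev["_time"]) < latest]


def data_summary(events, field):
    """Tabulate events by one metadata field (host, source, or sourcetype).

    Returns {value: {"count": n, "last_update": datetime}}, the two columns a
    Data Summary tab shows for each distinct value.
    """
    summary = {}
    for ev in events:
        t = datetime.fromisoformat(ev["_time"])
        entry = summary.setdefault(ev[field], {"count": 0, "last_update": t})
        entry["count"] += 1
        if t > entry["last_update"]:
            entry["last_update"] = t
    return summary


def quiet_sources(events, earliest, latest, field):
    """Values of `field` seen at any time but absent from the window: a log source
    that has gone silent, which is a coverage gap worth checking before trusting
    a search that returns 'no matches'."""
    ever = set(data_summary(events, field))
    now_active = set(data_summary(events_in_range(events, earliest, latest), field))
    return sorted(ever - now_active)


if __name__ == "__main__":
    earliest, latest = resolve_time_range("Last 15 minutes")
    window = events_in_range(SAMPLE_EVENTS, earliest, latest)
    print(f"{len(window)} events between {earliest} and {latest}")
    for field in ("host", "source", "sourcetype"):
        print(f"--- {field}s ---")
        for value, row in sorted(data_summary(window, field).items()):
            print(f"{value:28} count={row['count']}  last_update={row['last_update']}")
    print("hosts silent in this window:", quiet_sources(SAMPLE_EVENTS, earliest, latest, "host"))
```

Run as a script it prints the three tabs for the last-15-minutes window and reports that `db1` has sent events before but none in that window. Swapping the preset for "Yesterday" moves the window to the whole previous calendar day, which is the same kind of change the time range picker makes before any search string is evaluated.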
After you run a search
Type the following into the search bar:
The New Search page opens. The search bar and time range picker are still available in this view, but the dashboard updates with many more elements: search action buttons and search mode selector; counts of events; job status bar; and tabs for Events, Statistics, and Visualizations.
The next topics in this chapter discuss each of these parts of the Search view.
Continue reading to learn about restricting searches to a time range.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14