About the search results tabs
This section discusses the three search results tabs: Events, Statistics, and Visualizations.
When you run a search, the types of search commands you use affect which search results tabs get populated. If your search retrieves events, you can view the results in the Events tab, but not in the other tabs. If your search includes transforming commands, view the results in the Statistics and Visualizations tabs.
The following search retrieves events and populates the Events results tab:
Timeline of events: A visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, you might notice clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Thus, you can use the timeline to highlight patterns of events or to investigate peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
Fields sidebar: When you index data, Splunk by default extracts information from your data that is formatted as name and value pairs, which we call fields. When you run a search, Splunk lists all of the fields it discovers in the fields sidebar next to your search results. You can select other fields to show in your events. Also, you can hide this sidebar and maximize the results area.
- Selected fields are set to be visible in your search results. By default, host, source, and sourcetype appear.
- Interesting fields are other fields that Splunk has extracted from your search results.
Results area: The results area, located below the timeline, displays the events that Splunk retrieves to match your search. By default, the results appear as a list of events, ordered from most recent. Use the icons at the upper left of the panel to view the results as a table (click on the Table icon) or chart (click on the Chart icon).
If you clicked the Statistics tab for the previous search example, you would not see any results because it does not have any transforming commands.
With a transforming search, such as one to build a chart of the top product categories sold at the Buttercup Games online store, Statistics displays a table of results.
You can also view the previous example in the Visualizations tab. It displays as a chart visualization that you can format further.
This section explained how to use and navigate the Search dashboard, but you will not get a feel for Splunk Search until you start searching.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14