Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About search

This chapter discusses search, the structure of a Splunk search, the search language and its syntax, some tools to help construct and troubleshoot your search, and some tips for writing better searches.

Types of searches

Before delving into the language and syntax of search, you should ask what you are trying to accomplish. Generally, after getting data into Splunk, you want to:

  • Investigate to learn more about the data you just indexed or to find the root cause of an issue.
  • Summarize your search results into a report, whether tabular or other visualization format.

Because of this, you might hear us refer to two types of searches: Raw event searches and Report-generating searches.

Raw event searches

Raw event searches are searches that just retrieve events from an index or indexes and are typically done when you want to analyze a problem. Some examples of these searches include: checking error codes, correlating events, investigating security issues, and analyzing failures. These searches do not usually include search commands (except search, itself), and the results are typically a list of raw events.

  • Read more about raw event searches in the "Retrieve events" chapter of this manual, beginning with "About retrieving events".

Transforming searches

Transforming searches are searches that perform some type of statistical calculation against a set of results. These are searches where you first retrieve events from an index and then pass them into one or more search commands. These searches will always require fields and at least one of a set of statistical commands. Some examples include: getting a daily count of error events, counting the number of times a specific user has logged in, or calculating the 95th percentile of field values.

Information density

Whether you're retrieving raw events or building a report, you should also consider whether you are running a search for sparse or dense information:

  • Sparse searches are searches that look for single event or an event that occurs infrequently within a large set of data. You've probably heard these referred to as 'needle in a haystack' or "rare term" searches. Some examples of these searches include: searching for a specific and unique IP address or error code.
  • Dense searches are searches that scan through and report on many events. Some examples of these searches include: counting the number of errors that occurred or finding all events from a specific host.

Search and knowledge

As you search, you may begin to recognize patterns and identify more information that could be useful as searchable fields. You can configure Splunk to recognize these new fields as you index new data or you can create new fields as you search. Whatever you learn, you can use, add, and edit this knowledge about fields, events, and transactions to your event data. This capturing of knowledge helps you to construct more efficient searches and build more detailed reports.

Search with Splunk Web, the CLI, or REST API

Most likely, you'll run a search from Splunk Web in the Search app. But, you might also run a search from the command line interface (CLI) or the REST API. Which tool is best can sometimes depend on what you want from your search.

When you search with Splunk Web, you're using the Search app, and you can control the search experience by selecting a search mode (Fast, Verbose, Smart). Depending on the mode you select, Splunk automatically discovers and extracts fields other than the default fields, returns results as an events list or a table, and runs the calculations required to generate the event timeline. Calculating the event timeline is very expensive because it creates buckets and keeps the statistics for events and fields in a dispatch directory such that it is available when the user clicks a bar on the timeline.

When you run a search through the CLI or use the search jobs endpoint in the REST API to create a search, it goes directly to splunkd without going through splunkweb. These searches can complete much faster than the searches in Splunk Web because Splunk does not calculate or generate the event timeline. Instead, the results of a CLI search display as a raw events list or a table, depending on the type of search.

PREVIOUS
About the search assistant
  NEXT
About the search processing language

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters