You uploaded the tutorial data file into Splunk and read about how to use Splunk Search. In this section, you start searching that tutorial data. This topic discusses searches that retrieve events from the index.
What to search
Click Search in the App navigation bar.
Look at the What to search panel.
Review the tutorial data, which represents a fictitious online game store called Buttercup Games. The tutorial data includes five hosts, eight sources, and three source types. The three source types are Apache web access logs (access_combined_wcookie), Linux secure formatted logs (secure), and the vendor sales log (vendor_sales).
Most of this tutorial covers searching the Apache web access logs and correlating them with the vendor sales logs.
Retrieve events from the index
You have data for an online store that sells a variety of games. Try to find out what types of games are sold: strategy, arcade, simulation, shooter, sports?
1. Open Splunk Search, and type buttercupgames into the search bar:
As you type, the Search Assistant opens and suggests completions for your search based on terms it matches in your events. The Search Assistant also displays the number of matches for each search term, which gives you an idea of how many results Splunk will return. If a term or phrase doesn't exist in your data, it is not listed in the Search Assistant. The Search Assistant has more uses after you start learning the Splunk Enterprise search processing language.
If you do not want the Search Assistant to open automatically, click Auto Open to remove the check mark; clicking Auto Open again turns it back on. If you need the Search Assistant after you turn off Auto Open, click the down arrow below the search bar to open it.
When you run the search for buttercupgames, Splunk Enterprise retrieves 36,819 events.
2. Search for simulation and strategy games. Use Boolean directives: AND, OR, NOT. For example:
buttercupgames (simulation OR strategy)
Boolean directives must be in capital letters. The AND directive is implied between terms, so you do not need to write it. You can use parentheses to group terms. When evaluating boolean expressions, precedence is given to terms inside parentheses. AND or NOT clauses are evaluated before OR clauses.
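The Boolean rules above, shown as an added example that is not part of the Splunk tutorial or Splunk's own code: a small Python matcher that applies the same precedence (parentheses, then NOT, then the implied AND, then OR) to constructed sample events, so you can see why `buttercupgames simulation OR strategy` matches different events than `buttercupgames (simulation OR strategy)`, and why a lower-case `or` is treated as a keyword. The sample events and the term-splitting rule are assumptions; the real search command matches terms from the index.

```python
import re

# Constructed sample events, not lines from the Splunk tutorial data set.
EVENTS = ["buttercupgames category=simulation action=purchase",
          "buttercupgames category=strategy action=view",
          "buttercupgames category=shooter action=purchase",
          "othergames category=strategy action=view"]

def event_terms(event):
    return set(re.split(r"[\s=]+", event.lower())) - {""}  # split on whitespace and '='

def compile_search(query):
    """Parse a keyword query into a predicate over a set of event terms. Precedence, highest
    first: parentheses, NOT, AND (implied between terms), OR. Operators must be upper case."""
    tokens, pos = re.findall(r"[()]|[^\s()]+", query) + [None], 0  # None marks end of input
    def parse_or():  # or_expr := and_expr (OR and_expr)*
        nonlocal pos
        node = parse_and()
        while tokens[pos] == "OR":
            pos += 1
            node = (lambda l, r: lambda t: l(t) or r(t))(node, parse_and())
        return node
    def parse_and():  # and_expr := not_expr (AND? not_expr)*
        nonlocal pos
        node = parse_not()
        while tokens[pos] not in (None, ")", "OR"):
            if tokens[pos] == "AND":
                pos += 1  # an explicit AND is optional
            node = (lambda l, r: lambda t: l(t) and r(t))(node, parse_not())
        return node
    def parse_not():  # not_expr := NOT not_expr | '(' or_expr ')' | TERM
        nonlocal pos
        tok = tokens[pos]
        if tok in (None, ")", "AND", "OR"): raise ValueError("expected a term at token %d" % pos)
        pos += 1
        if tok == "NOT":
            inner = parse_not()
            return lambda t: not inner(t)
        if tok == "(":
            inner = parse_or()
            if tokens[pos] != ")": raise ValueError("unbalanced parentheses in query")
            pos += 1
            return inner
        return lambda t, term=tok.lower(): term in t  # lower-case 'or' is a plain keyword
    return parse_or()

def run_search(query, events=EVENTS):
    predicate = compile_search(query)  # matching events, in index order
    return [e for e in events if predicate(event_terms(e))]
```

Running `run_search("buttercupgames simulation OR strategy")` also returns the othergames event, because the query parses as `(buttercupgames AND simulation) OR strategy`; the parenthesised form returns only the two Buttercup Games events.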
The search command
Each time you type keywords and phrases, you implicitly use the search command to retrieve events from a Splunk index. The search command lets you use keywords, phrases, fields, boolean expressions, and comparison expressions to specify which events you want to retrieve.
Go to "Use fields to search" to learn how to search with fields.
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14