Splunk® Enterprise

Search Manual


This documentation does not apply to the most recent version of Splunk.

Set search mode to adjust your search experience

You can use the search mode selector to provide a search experience that fits your needs. Depending on how you set it, you can see all the data available for your search (at the expense of longer search times), or you can speed up and streamline your search in certain ways.

The search mode selector is at the upper right-hand corner of the search bar. The available modes are Smart (default), Fast, and Verbose.

The Fast and Verbose modes represent the two ends of the search mode spectrum. The default Smart mode switches between them depending on the type of search that you are running. Whenever you first run a saved search, it will run in Smart mode.

Selecting the Fast mode

Select Fast when you want Splunk to put search performance first and you are not interested in seeing nonessential field or event data. In this mode the search does not return all of the data possible, only what is essential and required. When you use the Fast search mode, Splunk:

  • Disables field discovery. Field discovery is the process Splunk uses to extract fields aside from default fields such as host, source, and sourcetype. This means that Splunk only returns information on default fields and fields that are required to fulfill your search (if you are searching on certain fields, it will extract those fields).
  • Only depicts search results as report result tables or visualizations when you run a reporting search (a search that includes transforming commands). In Fast mode you see event lists and event timelines only for searches that do not include transforming commands.

For more information about what Splunk Enterprise does when field discovery is enabled or disabled, see "About fields" in the Knowledge Manager Manual.

Selecting the Verbose mode

Select Verbose when you want Splunk to return all of the field and event data it possibly can, even if it means the search takes longer to complete, and even if the search includes reporting commands. When you run a search using the Verbose search mode, Splunk:

  • Discovers all of the fields it can. This includes default fields, automatic search-time field extractions, and all user-defined index-time and search-time field extractions. Discovered fields are displayed in the left-hand sidebar.
  • Returns an event list view of results and generates the search timeline. It also generates report tables and visualizations if your search includes reporting commands.

You may want to use the Verbose mode if you're putting together a transforming search but aren't exactly sure what fields you need to report on, or if you need to verify that you are summarizing the correct events.

Note: Reports cannot benefit from report acceleration when you run them in Verbose mode. If you enable report acceleration for a report and it has been running faster as a result, be aware that if you switch the mode of the search to Verbose it will run at a slower, non-accelerated pace.

Report acceleration is designed to be used with slow-completing searches that have over 100k events and which utilize transforming commands. For more information see "Accelerate reports," in the Reporting Manual.

Selecting the Smart mode

Smart is the default search mode. It's also the mode that all reports run in after they're first created. It's designed to give you the best results for whatever search or report you're running. If you're just searching on events, you get all the event information you need. If you're running a transforming search, Splunk favors speed over thoroughness and brings you straight to the report result table or visualization.

When you run a Smart mode search that does not include transforming commands, Splunk behaves as if it were in Verbose mode. It:

  • Discovers all the fields it can.
  • Generates the full event list and event timeline. No event table or visualization will appear because you need transforming commands to make those happen.

When you run a Smart mode search that includes transforming commands, Splunk behaves as if it were in Fast mode. It:

  • Disables field discovery.
  • Does not waste time generating the event list and event timeline and jumps you straight to the report result table or visualization.

For more information about transforming commands and transforming searches, see "About reporting commands" in the Search Manual.
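
The Smart mode rules above can be checked against a search string before it is saved as a report, since a transforming search in Smart mode runs without field discovery. The following is an added example, not Splunk code: the function names, the partial TRANSFORMING list, and the sample searches are assumptions made for illustration, and only top-level pipeline stages are inspected.

```python
# Added illustration, not Splunk code: a simplified model of the mode rules above.
# TRANSFORMING is an assumed, partial list; the page does not enumerate the commands.
TRANSFORMING = {"stats", "chart", "timechart", "top", "rare"}

def pipeline_commands(spl):
    """Return the command name of each top-level pipeline stage.

    A pipe inside double quotes or inside a [subsearch] does not start a stage.
    """
    stages, buf, depth, quoted, escaped = [], [], 0, False, False
    for ch in spl:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == "[":
            depth += 1
        elif not quoted and ch == "]":
            depth = max(depth - 1, 0)
        elif not quoted and depth == 0 and ch == "|":
            stages.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf))
    # Text before the first pipe is an implicit "search" command.
    head = ["search"] if stages[0].split() else []
    return head + [s.split()[0].lower() for s in stages[1:] if s.split()]

def effective_behavior(spl, mode="smart"):
    """Map a search string and selected mode to the behavior the page describes."""
    mode = mode.lower()
    if mode not in ("smart", "fast", "verbose"):
        raise ValueError("unknown search mode: " + mode)
    transforming = any(c in TRANSFORMING for c in pipeline_commands(spl))
    acts_as = mode if mode != "smart" else ("fast" if transforming else "verbose")
    return {
        "acts_as": acts_as,
        "field_discovery": acts_as == "verbose",
        "event_list": acts_as == "verbose" or not transforming,
        "report_table": transforming,
    }

# Constructed sample searches (not from the page).
EVENTS = 'sourcetype=linux_secure "Failed password"'
REPORT = EVENTS + " | stats count by src_ip"
if __name__ == "__main__":
    for spl in (EVENTS, REPORT):
        print(spl, "->", effective_behavior(spl))
```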


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
