Splunk® Enterprise

Search Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the search results tabs

This topic discusses the three search results tabs: Events, Statistics, and Visualizations.

6.1 tutorial results tabs.png


When you run a search, the types of search commands you use affects which search results tab get populated. If your search retrieves events, you can view the results in the Events tab, but not in the other tabs. If your search includes transforming commands, you can view the results in the Statistics and Visualization tabs.

Events

The following search retrieves events and populates the Events results tab:

6.1 tutorial events tabs.png


Results area: The results area for the Events tab includes the timeline, the fields sidebar, and the events viewer. To change the event view, use the List and Format options. By default, the events appear as a list that is ordered from the most recent event. In each event, the matching search terms is highlighted.

Timeline of events: A visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, you might notice clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Thus, the timeline highlights patterns of events or investigates peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.

Fields sidebar: When you index data, Splunk by default extracts information from your data that is formatted as name and value pairs, which we call fields. When you run a search, Splunk lists all of the fields it discovers in the fields sidebar next to your search results. You can select other fields to show in your events. Also, you can hide this sidebar and maximize the results area.

  • Selected fields are set to be visible in your search results. By default, host, source, and sourcetype appear.
  • Interesting fields are other fields that Splunk has extracted from your search results.

Statistics

If you clicked the Statistics tab for the previous search example, you would not see any results because it does not have any transforming commands.

6.1 tutorial statisticstabs f.png


With a transforming search, such as one to find the popular categories of items sold on the Buttercup Games online store, Statistics displays a table of results.

6.1 tutorial statisticstab t.png

Visualizations

You can also view the previous example in the Visualizations tab. The results area of the Visualizations tab consists of a chart and the statistics table used to generated the chart.

6.1 tutorial visualisationstab.png


You can change the type of visualization and format using the menus above the visualization chart area. The default visualization type is a Column chart.

6.1 tutorial visualization options.png


When you click Column, the menu of chart types opens. Recommended next to a chart type indicates the visualization that Splunk Enterprise suggests based on the search.

Next steps

This secton explained how to use and navigate the Search dashboard, but you will not get a feel for Splunk Search until you start searching.

PREVIOUS
About search actions and modes
  NEXT
Start searching

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters