Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk Enterprise.

Use the search language

The searches you have run so far retrieved events from your Splunk index. That limits you to questions that can be answered by counting the events returned.

For example, in the last topic, you ran this search to see how many simulation games were purchased:

sourcetype=access_* status=200 action=purchase categoryId=simulation

To find this number for each day of the previous week, you would have to run the search once per day. To see which product categories are more popular than the others, you would have to run it once for each of the eight categoryId values and compare the results by hand.

Learn with search assistant

In the "Start searching" topic, you were introduced to the search assistant. This section explains in more detail one of the ways you can use the search assistant to learn about the Splunk search processing language and construct searches.

1. Return to the search dashboard and restrict your search to Yesterday:

sourcetype=access_* status=200 action=purchase

As you type in the search bar, the search assistant opens below it, with syntax and usage information for the search command on its right side. If the search assistant doesn't open, click the down arrow under the left side of the search bar.


You've seen before that search assistant displays typeahead for keywords that you type into the search bar. It also explains briefly how to search.

2. Type a pipe character, " | ", into the search bar.

The pipe indicates to Splunk that you're about to use a command, and that you want to use the results of the search to the left of the pipe as the input to this command. You can pass the results of one command into another command in a series, or pipeline, of search commands.


You want Splunk to give you the most popular items bought at the online store.

3. Under common next commands, click top.

Splunk Enterprise appends the top command to your search string.


According to search assistant's description and usage examples, the top command "displays the most common values of a field."

4. Type the categoryId field into the search bar to complete your search.

sourcetype=access_* status=200 action=purchase | top categoryId

5. Run the search.


The count of events under the search bar indicates the number of events retrieved that match the search for sourcetype=access_* status=200 action=purchase. The results of the top command appear in the Statistics tab.

View reports in the Statistics tab

The results of a search are reports. The top command is a transforming command: it turns the matching events into a table of statistics, in this case a tabulated report of the most common values of categoryId. You can view the results of transforming searches in the Statistics tab.


In this search for successful (status=200) purchases (action=purchase), Splunk Enterprise found seven different category IDs. This report lists the category ID values in order from highest to lowest.

The top command also returns two new fields: count is the number of times each value of the field occurs, and percent is how large that count is compared to the total count. See more about the top command in the Search reference manual.

View and format reports in the Visualization tab

You can also view the results of transforming searches in the Visualization tab, where you can choose and format the chart type. For example, the results of a top command can be shown as a pie chart.

1. Click the Visualization tab.

By default, the Visualization tab opens with a Column Chart.

2. Click Column to open the visualization type selector.


Column, Bar, and Pie charts are recommended for this data set.

3. Select Pie.

Now, your report looks like this:


You can turn on drilldown to delve deeper into the details behind the tables and charts that result from your search.

4. Mouse over each slice of the pie to see the count and percentage values for each categoryId.


5. Click on a slice, such as "Strategy".

Splunk Enterprise appends categoryId=strategy to your original search for successful purchases and runs this new search.


Read more about drilldown actions in the Splunk Data Visualizations Manual.
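To make concrete what the pipeline in this topic computes, here is an added Python emulation of a search followed by top, and of the drilldown action from the steps above. This is example code written for this page, not Splunk's own implementation: it parses a handful of constructed access-log events, applies the field=value terms to the left of the pipe, and runs top over the results to produce the count and percent columns described earlier; the drilldown function appends categoryId=<value> to the search and re-runs it, as clicking a pie slice does. The field extraction, the case-insensitive value matching (assumed so that categoryId=simulation matches the upper-case values, as the tutorial's own drilldown implies), the handling of events that lack the field, and the tie-break order are simplifications assumed for the example, not statements about Splunk's internals.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, urlparse

# Constructed sample events in the shape of the tutorial's web-store access
# logs (sourcetype=access_*). Made up for this example, not data from the page.
SAMPLE_EVENTS = [
    ("access_combined", '10.2.1.34 - - [20/Jan/2014:10:01:02] "GET /cart.do?action=purchase&itemId=EST-11&categoryId=STRATEGY HTTP/1.1" 200 1432'),
    ("access_combined", '10.2.1.34 - - [20/Jan/2014:10:01:09] "GET /cart.do?action=purchase&itemId=EST-12&categoryId=STRATEGY HTTP/1.1" 200 1432'),
    ("access_combined", '10.2.1.40 - - [20/Jan/2014:10:01:50] "GET /cart.do?action=purchase&itemId=EST-7&categoryId=STRATEGY HTTP/1.1" 200 1390'),
    ("access_combined", '10.2.1.35 - - [20/Jan/2014:10:02:17] "GET /cart.do?action=purchase&itemId=EST-6&categoryId=ARCADE HTTP/1.1" 200 1201'),
    ("access_combined", '10.2.1.41 - - [20/Jan/2014:10:02:44] "GET /cart.do?action=purchase&itemId=EST-5&categoryId=ARCADE HTTP/1.1" 200 1188'),
    ("access_combined", '10.2.1.36 - - [20/Jan/2014:10:03:41] "GET /cart.do?action=purchase&itemId=EST-14&categoryId=SIMULATION HTTP/1.1" 200 1310'),
    # failed purchase (status 503), so it does not match status=200
    ("access_combined", '10.2.1.36 - - [20/Jan/2014:10:03:55] "GET /cart.do?action=purchase&itemId=EST-14&categoryId=SIMULATION HTTP/1.1" 503 338'),
    # a product view, not a purchase
    ("access_combined", '10.2.1.37 - - [20/Jan/2014:10:04:10] "GET /cart.do?action=view&itemId=EST-7&categoryId=STRATEGY HTTP/1.1" 200 2231'),
    # no action or categoryId field at all
    ("access_combined", '10.2.1.38 - - [20/Jan/2014:10:05:00] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 3120'),
    # a different sourcetype, excluded by sourcetype=access_*
    ("secure", "Mon Jan 20 10:05:30 2014 sshd[2123]: Failed password for invalid user admin from 10.2.1.99 port 51022 ssh2"),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)')


def extract_fields(sourcetype, raw):
    """Turn one raw event into a field dictionary, roughly as search-time
    extraction does for the tutorial's access logs (simplified assumption)."""
    fields = {"sourcetype": sourcetype, "_raw": raw}
    m = REQUEST_RE.search(raw)
    if m:
        fields.update(m.groupdict())
        # URL query parameters (action, itemId, categoryId, ...) become fields
        for key, value in parse_qsl(urlparse(m["uri"]).query):
            fields.setdefault(key, value)
    return fields


def matches(fields, terms):
    """All field=value terms must match. '*' is a wildcard, and value
    comparison is case-insensitive (assumption for this example)."""
    for term in terms:
        name, _, pattern = term.partition("=")
        value = fields.get(name)
        if value is None or not fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def search(terms, events=SAMPLE_EVENTS):
    """The part of the pipeline left of the first pipe: retrieve events."""
    return [f for f in (extract_fields(st, raw) for st, raw in events) if matches(f, terms)]


def top(results, field):
    """Emulate `| top <field>`: count each value, rank by count (ties by value),
    and add count and percent columns. Events without the field are skipped."""
    counts = Counter(r[field] for r in results if field in r)
    total = sum(counts.values())
    return [
        {field: value, "count": count, "percent": round(100.0 * count / total, 6)}
        for value, count in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


def run(spl, events=SAMPLE_EVENTS):
    """Run '<search terms> | top <field>'. Each pipe feeds the results on its
    left into the command on its right; only top is implemented here."""
    stages = [s.strip() for s in spl.split("|")]
    results = search(stages[0].split(), events)
    for stage in stages[1:]:
        command, _, arg = stage.partition(" ")
        if command != "top":
            raise ValueError(f"command not implemented in this example: {command}")
        results = top(results, arg.strip())
    return results


def drilldown(spl, field, value, events=SAMPLE_EVENTS):
    """What clicking a chart slice does: append field=value to the search part
    of the pipeline (left of the first pipe) and run that narrowed search."""
    base = spl.partition("|")[0].strip()
    narrowed = f"{base} {field}={value}"
    return narrowed, run(narrowed, events)


if __name__ == "__main__":
    spl = "sourcetype=access_* status=200 action=purchase | top categoryId"
    for row in run(spl):
        print(row)
    narrowed, events = drilldown(spl, "categoryId", "strategy")
    print(narrowed, "->", len(events), "events")
```

Running it lists STRATEGY, ARCADE and SIMULATION with counts 3, 2 and 1 and percents 50, 33.333333 and 16.666667, and the drilldown narrows the search to the three STRATEGY purchases. The event with status 503, the view, the event without a categoryId and the sshd line are all dropped before top ever sees them, which is the point of putting the filtering terms left of the pipe: percent is relative to what the search retrieved, not to everything in the index.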

Next steps

Go to the next topic to learn about correlating events with subsearches.


This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12
