Use the search language
The searches you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could only be answered by the number of events returned.
For example, in the last topic, you ran this search to see how many simulation games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
To find this number for the days of the previous week, you have to run it against the data for each day of that week. To see which products are more popular than the other, you have to run the search for each of the eight
categoryId values and compare the results.
Learn with search assistant
In the "Start searching" topic, you were introduced to the search assistant. This section explains in more detail one of the ways you can use the search assistant to learn about the Splunk search processing language and construct searches.
1. Return to the search dashboard and restrict your search to Yesterday:
sourcetype=access_* status=200 action=purchase
As you type in the search bar, search assistant opens with syntax and usage information for the search command (on the right side). If search assistant doesn't open, click the down arrow under the left side of the search bar.
You've seen before that search assistant displays typeahead for keywords that you type into the search bar. It also explains briefly how to search.
2. Type a pipe character, " | ", into the search bar.
The pipe indicates to Splunk that you're about to use a command, and that you want to use the results of the search to the left of the pipe as the input to this command. You can pass the results of one command into another command in a series, or pipeline, of search commands.
You want Splunk to give you the most popular items bought at the online store.
3. Under common next commands, click top.
Splunk Enterprise appends the
top command to your search string.
According to search assistant's description and usage examples, the top command "displays the most common values of a field."
4. Type the
categoryId field into the search bar to complete your search.
sourcetype=access_* status=200 action=purchase | top categoryId
5. Run the search.
The count of events under the search bar indicates the number of events retrieved that match the search for
sourcetype=access_* status=200 action=purchase. The results of the top command appear in the Statistics tab.
View reports in the Statistics tab
The results of a search are reports. The
top command is a transforming command and returns a tabulated report for the most common values of
categoryId. You can view the results of transforming searches in the Statistics tab.
In this search for successful (
status=200) purchases (
action=purchase), Splunk Enterprise found seven different category IDs. This report lists the category ID values in order from highest to lowest.
The top command also returns two new fields:
count is the number of times each value of the field occurs, and
percent is how large that count is compared to the total count. See more about the top command in the Search reference manual.
View and format reports in the Visualization tab
You can also view the results of transforming searches in the Visualizations tab where you can format the chart type. For example, a search using the
top command can be illustrated with a pie chart.
1. Click the Visualization tab.
By default, the Visualizations tab opens with a Column Chart.
2. Click Column to open the visualization type selector.
Column, Bar, and Pie charts are recommended for this data set.
3. Select Pie.
Now, your report looks like this:
You can turn on drill down to delve deeper into the details of the information presented to you in the tables and charts that result from your search.
4. Mouse over each slice of the pie to see the count and percentage values for each categoryId.
5. Click on a slice, such as "Strategy".
Splunk Enterprise appends
categoryId=strategy to your original search for successful purchases and runs this new search.
Read more about drilldown actions in the Splunk Data Visualizations Manual.
Go to the next topic to learn about correlating events with subsearches.
Use fields to search
Use a subsearch
This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12