Splunk® Enterprise

Search Manual


Run a drilldown search on event details

After running a search that returns events in the Events tab, click on parts of those events to run different kinds of drilldown searches that use the event detail that you have selected.

In the Events tab you can run a drilldown search when you click on these parts of an event:

  • Segment (can be a connected string of segments)
  • Field value
  • Tag
  • Timestamp

Drilldown searches for field values, tags, and segments

The drilldown searches can perform the following actions for fields, tags, and event segments.

Add to search
  Description: Add a focus on the selected event detail to the original search and run it. Transforming search commands and anything following them are discarded.
  Result: A dataset similar to the one from the original search, filtered to include only events that have the selected field, tag, or segment(s).

Exclude from search
  Description: Add an exclusion of the selected event detail to the original search and run it. Transforming search commands and anything following them are discarded.
  Result: A dataset similar to the one from the original search, filtered to include only events that do not have the selected field, tag, or segment(s).

New search
  Description: Run a new search that focuses exclusively on the selected field, tag, or segment(s).
  Result: A new dataset containing any event that includes the field, tag, or segment(s).

All of these drilldown searches use the same time range as the original search.

For example, start with this search. It has a time range of Last 7 days.

sourcetype=access_combined status=4*

In the results for that first search, open an event and select the value 69.72.161.186 for the clientip field.

If you click Add to search, Splunk Enterprise runs this search over the past 7 days.

sourcetype=access_combined status=4* clientip="69.72.161.186"

If you click Exclude from search, Splunk Enterprise runs this search over the past 7 days.

sourcetype=access_combined status=4* clientip!="69.72.161.186"

If you click New search, Splunk Enterprise runs this search over the past 7 days.

clientip="69.72.161.186"
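The rules stated above (a filter term appended for Add to search, a negated term for Exclude from search, the bare term for New search, the same time range, and everything from the first transforming command onward discarded) are easy to get wrong when a dashboard or script builds drilldown searches itself. The following Python model is an added example and is not Splunk's code. It reproduces the three searches above and assumes, which the page does not state, that the filter term is appended to the first (generating) stage of a piped search; the set of transforming commands is a representative subset. The quoting helper backslash-escapes quotes and backslashes in the clicked value so that a value taken from event data cannot change the structure of the generated search.

```python
# Added example: a model of Splunk event-detail drilldown searches.
# Not Splunk's own code; stage placement of the filter term is an assumption.

# Representative subset of SPL transforming commands (the real set is larger).
TRANSFORMING_COMMANDS = {"stats", "chart", "timechart", "top", "rare", "contingency", "addtotals"}


def split_pipeline(search: str) -> list[str]:
    """Split an SPL string on top-level pipes, ignoring pipes inside double quotes."""
    stages, buf, in_quote, escape = [], [], False, False
    for ch in search:
        if escape:                      # character after a backslash is literal
            buf.append(ch)
            escape = False
            continue
        if ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def drop_transforming(stages: list[str]) -> list[str]:
    """Keep stages up to, but not including, the first transforming command."""
    kept = []
    for stage in stages:
        command = stage.split(None, 1)[0].lower()
        if command in TRANSFORMING_COMMANDS:
            break
        kept.append(stage)
    return kept


def quote_value(value: str) -> str:
    """Quote a field value for SPL, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def drilldown(search: str, field: str, value: str, action: str) -> str:
    """Build the drilldown search for action 'add', 'exclude' or 'new'.

    The time range is not part of the search string; the caller reuses the
    original search's time range, as the documentation describes.
    """
    if action not in ("add", "exclude", "new"):
        raise ValueError(f"unknown drilldown action: {action}")
    operator = "!=" if action == "exclude" else "="
    term = f"{field}{operator}{quote_value(value)}"
    if action == "new":
        return term                     # New search: the term on its own
    stages = drop_transforming(split_pipeline(search))
    if not stages:
        raise ValueError("search has no generating stage to filter")
    # Assumption: the term is appended to the first (generating) stage.
    stages[0] = f"{stages[0]} {term}"
    return " | ".join(stages)


if __name__ == "__main__":
    base = "sourcetype=access_combined status=4*"
    for action in ("add", "exclude", "new"):
        print(f"{action:>8}: {drilldown(base, 'clientip', '69.72.161.186', action)}")
    piped = base + " | eval bucket=status | stats count by clientip | sort -count"
    print(f"   piped: {drilldown(piped, 'clientip', '69.72.161.186', 'add')}")
```

Running the block reproduces the three searches shown above for the base search, and for the piped search it keeps the eval stage while discarding stats and the sort that follows it.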

Run a drilldown search based on an event segment

A segment is a searchable part of an event. See "About event segmentation" in the Getting Data In Manual to learn how segments are configured and created.

1. In the Search & Reporting app, run a search or report that returns an event listing in the Events tab.

If your search includes transforming commands, set the Search Mode to Verbose.

2. Set the event display to List or Raw if it is currently set to Table.

3. Find an event with a segment or connected set of segments that you want to base a drilldown search on and use your cursor to select it.

Splunk Enterprise identifies your segment selection with yellow highlighting.

4. Click on the segment.

A set of secondary search options appears. The options are Add to search, Exclude from search, and New search. See the table at the top of this topic for explanations of these options.

[Screenshot: Eventsecsrch segment.png]

5. Click a drilldown search option.

Run the secondary search in the current tab and replace your current search, or run the secondary search in a new tab and leave your current search results intact. To run the search in the current tab, click the option text. To run the search in a new tab, click the Open In New Tab icon for the option.

After running Add to search or New search, the matching segment is marked with yellow highlighting in the events returned by the drilldown search. This does not happen when you run Exclude from search, because the events returned by that secondary search do not contain the matching segment.

6. (Optional) After running the drilldown search, click on a marked segment in an event returned by that search.

Two search options appear for the segment: Remove from search and New search. These operate exactly the same as described in the table at the top of this topic.

[Screenshot: Eventsecsrch segment2.png]

7. (Optional) Click on an option to run the search.

You can run the search in the current tab or run it in a new tab, as described in Step 5.

Note: If you replace the results of your current search you can return to them by clicking the back button of your browser.

Run a drilldown search based on a field value

Splunk Enterprise extracts fields from events at index time and search time. See "About fields" in the Knowledge Manager Manual.

1. In the Search & Reporting app, run a search or report that returns an event listing in the Events tab.

If your search includes transforming commands, set the Search Mode to Verbose.

2. Locate an event with a field value that you want to use in a drilldown search.

If your event display is set to List or Table, the only field values you can click on without opening the event are those of selected fields. If your event display is set to Raw, you will not see any field values until you open the event.

3. (Optional) Open the event by clicking on the show/hide icon in the i column on the left side of the event display.

When the event is opened you see a complete list of fields that Splunk Enterprise extracted from the event.

4. Click on the field value.

A set of secondary search options appears. The options are Add to search, Exclude from search, and New search. See the table at the top of this topic for explanations of these options.

[Screenshot: Eventsecsrch fieldvalue.png]

If the value is among the top ten values found for its field, the Add to search and Exclude from search options display the number of events that they can return.

5. Click a drilldown search option.

Run the secondary search in the current tab and replace your current search, or run the secondary search in a new tab and leave your current search results intact. To run the search in the current tab, click the option text. To run the search in a new tab, click the Open In New Tab icon for the option.

Note: If you replace the results of your current search you can return to them by clicking the back button of your browser.

Run a drilldown search based on a tag

Tags are associated with field/value pairs. A tag can be associated with multiple field/value pairs. A field/value pair can be associated with multiple tags. See "About tags and aliases" in the Knowledge Manager Manual.

1. In the Search & Reporting app, run a search or report that returns an event listing in the Events tab.

If your search includes transforming commands, set the Search Mode to Verbose.

When the event display is set to List and an event is closed, tags appear next to selected fields.

2. (Optional) If the tag you want to run a drilldown search for is not associated with one of the event's selected fields, open the event by clicking on its show/hide icon in the i column on the left side of the event listing.

When you open an event, tags appear next to field values within parentheses.

3. Click on the tag.

A set of secondary search options appears. The options are Add to search, Exclude from search, and New search. See the table at the top of this topic for explanations of these options.

[Screenshot: Eventsecsrch tag.png]

4. Click a drilldown search option.

Run the secondary search in the current tab and replace your current search, or run the secondary search in a new tab and leave your current search results intact. To run the search in the current tab, click the option text. To run the search in a new tab, click the Open In New Tab icon for the option.

Note: If you replace the results of your current search you can return to them by clicking the back button of your browser.

Drilldown searches for event timestamps

Click on an event timestamp to run a secondary search that can retrieve other events that are chronologically close to that event. This can help you find event correlations and perform root cause analysis.

When you open an event you can also click on the _time field to run this kind of drilldown search.

The controls for this search are called a _time accelerator. See "Use time to find nearby events" in this manual for details on how the _time accelerator is used.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14