Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Splunk Search views

This topic describes the views and elements that comprise Splunk Search.

Open Splunk Search

1. From Splunk Home, click Search & Reporting in the Apps panel.

6.2tutorial apps sr.png

This opens the Search Summary view.

The Search summary view

Before you run a search, the Search summary view displays the following elements: App bar, Search bar, Time range picker, How to Search panel, and What to Search panel.

6.2tutorial search default.png

The elements that are specific to the Search summary view are the How to Search and What to Search panels. These elements are described below. The other elements are described in the section "The New Search view."

Element Description
How to Search The "How to Search" panel links you to the Search Tutorial and Search Manual to learn about how to write searches.
What to Search The "What to Search" panel displays a summary of the data that is installed on this Splunk instance and that you are authorized to view. Click Data Summary to open the Data Summary dialog box to see the hosts, sources, and source types in your data.

Data summary

You open the Data Summary dialog box from the What to Search panel. This dialog box shows three tabs: Hosts, Sources, Sourcetypes. These tabs represent searchable fields in your data.

Host

The host of an event is the host name, IP address, or fully qualified domain name of the network machine from which the event originated. In a distributed environment, you can use the host field to search data from specific machines.

6.2 datasummary hosts.png

Source

The source of an event is the file or directory path, network port, or script from which the event originated.

6.2 datasummary sources.png

Source type

The source type of an event tells you what kind of data it is, usually based on how it is formatted. This classification lets you search for the same type of data across multiple sources and hosts.

6.2 datasummary sourcetypes.png

In this example, source types are:

  • access_combined_wcookie: Apache web server logs
  • secure: Secure server logs
  • vendor_sales: Global sales vendors


For information about how Splunk Enterprise source types your data, see "Why source types matter" in Getting Data In manual.

The New Search view

The New Search view opens after you run a search. The App bar, Search bar, and Time range picker are still available in this view. Additionally, this view contains many more elements: search action buttons and search mode selector; counts of events; job status bar; and tabs for Events, Patterns, Statistics, and Visualizations.

You can type index=_internal in the Search bar and press Enter to look at the events from the internal log files on your Splunk instance.

If you followed the steps to get data into Splunk in the Search Tutorial, you can type buttercupgames in the Search bar and press Enter to search for the "buttercupgames" keyword in your events.

6.2tutorial startsearching2.png

In this view, the App bar, Search bar and Time range picker are also available. The New Search view contains many more elements such as search action buttons, a search mode selector, counts of events, a job status bar, and results tabs for Events, Patterns, Statistics, and Visualizations.

App bar

Use the App bar to navigate between the different views in the Search & Reporting app: Search, Pivot, Reports, Alerts, and Dashboards. There are entire manuals devoted to these other capabilities.

Search bar

Use the search bar to run your searches in Splunk Web. Type in your search string and press Enter or click the spyglass icon to the right of the time range picker.

Time range picker

Time is the single most important search parameter that you specify.

Use the time range picker to retrieve events over a specific time period. For real-time searches you can specify a window over which to retrieve events. For historical searches, you can restrict your search by specifying a relative time range (15 minutes ago, Yesterday, and so on) or a specific date and time range. The time range picker has many preset time ranges that you can select from, but you can also enter a custom time range.

For more information, see "About searching with time."

Search actions

There are a wide range of search actions you can perform, including working with your search Jobs, saving, sharing, exporting, and printing your search results.

For more information, see:

Search mode

You can use the search mode selector to provide a search experience that fits your needs. The modes are Smart (default), Fast, and Verbose.

For more information, see "Search modes".

Search history

Lets you view and interact with your history of searches. The search history presents an expandable table of your past searches, which you can search and filter with keywords or time. The search history appears after you run your first search.

PREVIOUS
Search with Splunk Web, CLI, or REST API
  NEXT
Anatomy of a search

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters