This topic discusses searches that retrieve events from the index. Before you can run these searches, download and add the tutorial data.
What to search
1. Click Search in the App navigation bar.
2. In the Search landing page, look at the What to search panel.
3. Click Data Summary.
Review the tutorial data, which represents a fictitious online game store, called Buttercup Games. The data summary tells you where the data comes from and what type of data it is. There are five hosts, eight sources, and three source types. The three source types are Apache web access logs (access_combined_wcookie), Linux secure formatted logs (secure), and the vendor sales log (vendor_sales).
Most of this tutorial covers searching the Apache web access logs and correlating them with the vendor sales logs.
You have data for an online store that sells a variety of games. Try to find out how many errors have occurred on the site.
1. Open Splunk Search, and type buttercupgames into the search bar.
As you type, the Search Assistant opens. The search assistant has two parts: the matching search history and search help.
Search assistant suggests completions for your search based on terms it matches in your event data. These search completions are listed under Matching terms or Matching searches. It does not list terms or phrases that do not exist in your event data. Search assistant also displays the number of matches for the search term. This number gives you an idea of how many search results Splunk returns. Here, buttercupgames appears in 36,819 events.
Here, search assistant also provides steps, under How to Search, to help you learn the search language. Step 1 explains searches that retrieve events, with examples for searching with terms, quoted phrases, Boolean operators, wildcards, and field values. Step 2 introduces how to use search commands.
Search assistant has more uses after you start learning the search language. When you type in search commands, search assistant displays the command syntax and usage.
If you do not want search assistant to open automatically, click Auto Open to toggle it off. You can click the down arrow below the search bar to open it back up again.
Retrieve events from the index
1. Type in keywords to find errors or failures and use Boolean operators: AND, OR, NOT.
buttercupgames (error OR fail* OR severe)
Capitalize Boolean operators. The AND directive is implied between terms, so you do not need to write it. You can use parentheses to group terms. When evaluating Boolean expressions, precedence is given to terms inside parentheses. OR clauses are evaluated before AND or NOT clauses.
Use the asterisk wildcard to match terms that start with "fail". These terms can include: failure, failed, and so on.
This search retrieves 427 matching events.
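To make the evaluation rules above concrete, here is a small Python evaluator for this keyword syntax (implicit AND, parenthesized groups, OR evaluated before AND, NOT applied to the term or group that follows it, and the trailing-asterisk prefix wildcard). It is an added example that runs against a few constructed events, not Splunk's own search implementation or the tutorial data set.

```python
import re
# Constructed sample events standing in for the tutorial index (not the real data set).
EVENTS = [
    '10.1.1.5 - - "GET /cart.do HTTP/1.1" 500 buttercupgames error',
    '10.1.1.6 - - "GET /home HTTP/1.1" 200 buttercupgames ok',
    'sshd[1204]: Failed password for invalid user admin from 10.2.2.9',
    'buttercupgames vendor_sales SEVERE: inventory sync failure',
]
# Tokens: parentheses, quoted phrases, or bare words (AND/OR/NOT must be upper case).
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def term_matcher(tok):
    """Predicate for one keyword or quoted phrase; a trailing * is a prefix wildcard."""
    body = re.escape(tok.strip('"').rstrip("*").lower())
    rx = re.compile(r"\b" + body + ("" if tok.endswith("*") else r"\b"))
    return lambda event: rx.search(event.lower()) is not None

class Parser:
    """Recursive descent: parentheses first, then NOT, then OR, then (implicit) AND."""
    def __init__(self, query):
        self.toks = TOKEN.findall(query)
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self):
        return self.toks.pop(0)
    def parse_and(self):  # lowest precedence; AND is implied between adjacent clauses
        preds = [self.parse_or()]
        while self.peek() not in (None, ")"):
            if self.peek() == "AND":
                self.take()
            preds.append(self.parse_or())
        return lambda e: all(p(e) for p in preds)
    def parse_or(self):  # OR binds tighter than AND
        preds = [self.parse_not()]
        while self.peek() == "OR":
            self.take()
            preds.append(self.parse_not())
        return lambda e: any(p(e) for p in preds)
    def parse_not(self):  # NOT negates only the term or group right after it
        if self.peek() == "NOT":
            self.take()
            inner = self.parse_not()
            return lambda e: not inner(e)
        if self.peek() == "(":
            self.take()
            inner = self.parse_and()
            assert self.take() == ")", "unbalanced parentheses"
            return inner
        return term_matcher(self.take())

def search(query, events=EVENTS):  # events matching a Splunk-style keyword query
    pred = Parser(query).parse_and()
    return [e for e in events if pred(e)]
```

Running `search("buttercupgames (error OR fail* OR severe)")` returns the first and last sample events, while `search("error OR fail* severe")` returns only the last one because the OR clause is evaluated before the implied AND.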
The search command
Each time you type keywords and phrases, you implicitly use the search command to retrieve events from a Splunk index. The search command lets you use keywords, quoted phrases, field values, Boolean expressions, and comparison expressions to specify which events you want to retrieve.
You can invoke the search command later in the pipeline to filter search results. See "Use the search command to retrieve events" in the Search Manual.
See "Use fields to search" to learn how to search with fields.
This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15