Splunk® Enterprise

Search Tutorial

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

About the search results tabs

This topic discusses the four search results tabs: Events, Patterns, Statistics, and Visualizations.

6.2tutorial resultstabs.png


When you run a search, the results tabs populate depending on the the type of search commands used in the search. If your search retrieves events, you can view the results in the Events tab and the Patterns tab, but not in the other tabs. If your search includes transforming commands, you can view the results in the Statistics and Visualization tabs.

Events

The keyword search used in this screenshot retrieves events and populates the Events results tab.

6.2tutorial eventstab.png


The Events tab displays the timeline of events, the fields sidebar, and the events viewer. To change the event view, use the List and Format options. By default, the events appear as a list that is ordered starting with the most recent event. In each event, the matching search terms are highlighted.

Timeline of events: A visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, you might notice clusters or patterns of bars. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Thus, the timeline highlights patterns of events or investigates peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.

Fields sidebar: When you index data, Splunk Enterprise by default extracts information from your data that is formatted as name and value pairs, called fields. When you run a search, Splunk Enterprise lists all of the fields it discovers in the fields sidebar next to your search results. You can select other fields to show in your events. Also, you can hide this sidebar and maximize the results area.

  • Selected fields are set to be visible in your search results. By default, host, source, and sourcetype appear.
  • Interesting fields are other fields that Splunk Enterprise has extracted from your search results.

Patterns

The Patterns tab simplifies event pattern detection. It displays a list of the most common patterns among the set of events returned by your search. Each of these patterns represents a number of events that all share a similar structure.

You can click on a pattern to:

  • View the approximate number of events in your results that fit the pattern.
  • See the search that returns events with this pattern.
  • Save the pattern search as an event type, if it qualifies.
  • Create an alert based on the pattern.

See "Identify event patterns with the Patterns tab" in the Search Manual.

Statistics

The Statistics tab populates when you run a search with transforming commands such as stats, top, chart, and so on. The previous keyword search for "buttercupgames" does not display any results in this tab because it does not have any transforming commands.

Instead, the tab displays options for creating reports in Pivot, Quick Reports, and links you to documentation about transforming Search Commands.

62 tutorial statisticstab notransforming.png


If you run a non-transforming search and want to make tables or charts based on it, click Pivot to open the search in the Pivot editor. See "Open a non-transforming search in Pivot to create tables and charts" in the Search Manual. To learn more about Pivot, see the Data Model and Pivot Tutorial and the Pivot Manual.


With a transforming search, such as one to find the popular categories of items sold on the Buttercup Games online store, the Statistics tab displays a table of results.

6.2tutorial statisticstab t.png

Visualizations

Transforming searches also populate the Visualization tab. The results area of the Visualizations tab includes a chart and the statistics table used to generate the chart.

6.2tutorial visualizationtab.png


You can change the type and Format of the visualization using the menus above the visualization chart area. The visualization type menu displays the name of the selected type. By default, the visualization type is the Column chart.

6.2tutorial visualizationtab types.png


When Recommended appears next to a chart type, it indicates the types that Splunk Enterprise suggests based on the transforming search that produced the results.

Next steps

This section explained different views in the Search & Reporting app that you need to know before you start searching.

Last modified on 01 February, 2016
PREVIOUS
About search actions and modes 		  NEXT
Start searching

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters