Splunk® Enterprise

Search Tutorial

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Start searching

This topic discusses searches that retrieve events from the index. Before you can run these searches, download and add the tutorial data.


What to search

1. Click Search in the App navigation bar.

2. In the Search landing page, look at the What to search panel.

6.3 tutorial startsearching1.png


3. Click Data Summary.

Review the tutorial data, which represents a fictitious online game store, called Buttercup Games. The data summary tells you where the data comes from and what type of data it is. There are five hosts, eight sources, and three source types. The three source types are Apache web access logs (access_combined_wcookie), Linux secure formatted logs (secure), and the vendor sales log (vendor_sales).

Most of this tutorial covers searching the Apache web access logs and correlating it with the vendor sales logs.

Search assistant

You have data for an online store that sells a variety of games. Try to find out how many errors have occurred on the site.

1. Open Splunk Search, and type buttercupgames into the search bar.

As you type, the Search Assistant opens. There are two parts to search assistant: the matching search history and search help.

Search assistant suggests completions for your search based on terms it matches in your event data. These search completions are listed under Matching terms or Matching searches. It does not list terms or phrases that do not exist in your event data.

6.3 tutorial searchassistant1.png


Here, search assistant provides Steps to help you learn How to Search. Step 1 explains searches to retrieve events with examples for searching with terms, quoted phrases, Boolean operators, wildcards, and field values. Step 2 introduces how to use search commands.

Search assistant has more uses after you start learning the search language. When you type in search commands, search assistant displays the command syntax and usage.

If you do not want search assistant to open automatically, click Auto Open to toggle it off. You can click the down arrow below the search bar to open it back up again.

Retrieve events from the index

1. Type in keywords to find errors or failures and use Boolean operators: AND, OR, NOT.

buttercupgames (error OR fail* OR severe)

Capitalize Boolean operators. The AND directive is implied between terms, so you do not need to write it. You can use parentheses to group terms. When evaluating Boolean expressions, precedence is given to terms inside parentheses. OR clauses are evaluated before AND or NOT clauses.

Use the asterisk wildcard to match terms that start with "fail". These terms can include: failure, failed, and so on.

6.3 tutorial startsearching2.png

This search retrieves 427 matching events.

The search command

Each time you type keywords and phrases, you implicitly use the search command to retrieve events from a Splunk index. The search command lets you use keywords, quoted phrases, field values, Boolean expressions, and comparison expressions to specify which events you want to retrieve.

You can invoke the search command later in the pipeline to filter search results. See "Use the search command to retrieve events" in the Search Manual.

Next steps

See "Use fields to search" to learn how to search with fields.

Last modified on 01 February, 2016
PREVIOUS
About the search results tabs 		  NEXT
Use fields to search

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters