About the Search views
In the previous chapter, you learned about the types of data Splunk Enterprise works with, downloaded the tutorial sample data, and added the data into your Splunk index. This section describes how to use the views and elements that make up Splunk Search.
Find Splunk Search
1. From Splunk Home, click Search & Reporting under Apps.
This opens the Search summary view in the Search & Reporting app.
The Search summary view
Before you run a search, the Search summary view displays the following elements: the App bar, the Search bar, the Time range picker, the How to search panel, the What to search panel, and the Search History panel.
|App bar||Use the App bar to navigate between the different views in the Search & Reporting app: Search, Pivot, Reports, Alerts, and Dashboards.|
|Search bar||Use the search bar to run your searches in Splunk Web. Type in your search string and hit enter or click the spyglass icon to the right of the time range picker.|
|Time range picker||Use the time range picker to retrieve events over a specific time period. For real-time searches you can specify a window over which to retrieve events. For historical searches, you can restrict your search by specifying a relative time range (15 minutes ago, Yesterday, and so on) or a specific date and time range. The time range picker has many preset time ranges that you can select from, but you can also enter a custom time range.
For more information, see "About the time range picker."
|How to search||The "How to search" panel links you to the Search Tutorial and Search Manual to learn about how to write searches.|
|What to search||The "What to search" panel displays a summary of the data that is installed on this Splunk instance and that you are authorized to view. Click Data Summary to open the Data Summary dialog box to see the hosts, sources, and source types in your data.|
|Search history||Lets you view and interact with your history of searches. The search history presents an expandable table of your past searches, which you can search and filter with keywords or time. The search history appears after you run your first search.
For more information, see "View and interact with your Search History".
The Data Summary dialog box shows three tabs: Hosts, Sources, Sourcetypes. These tabs represent searchable fields in your data.
The host of an event is the host name, IP address, or fully qualified domain name of the network machine from which the event originated. In a distributed environment, you can use the host field to search data from specific machines.
The source of an event is the file or directory path, network port, or script from which the event originated.
The source type of an event tells you what kind of data it is, usually based on how it is formatted. This classification lets you search for the same type of data across multiple sources and hosts.
The source types for the tutorial data are:
- access_combined_wcookie: Apache web server logs
- secure: Secure server logs
- vendor_sales: Global sales vendors
For information about how Splunk Enterprise source types your data, see "Why source types matter" in the Getting Data In manual.
The New Search view
The New Search view opens after you run a search. The App bar, Search bar, and Time range picker are still available in this view. Additionally, the view contains many more elements: search action buttons and search mode menu; counts of events; job status bar; and tabs for Events, Patterns, Statistics, and Visualizations.
Type "buttercupgames" in the Search bar and press Enter to search for the keyword "buttercupgames" in your events.
The next topics discuss each of these parts of the New Search view.
Continue reading to learn about restricting searches to a time range.
Get the tutorial data into Splunk Enterprise
About the time range picker
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14