Splunk® Enterprise

Search Tutorial

Splunk Enterprise versions higher than version 9.4.2 are documented on our new documentation portal only. To get started, see the Splunk Enterprise page on help.splunk.com and the Splunk Enterprise 9.4.3 release notes. For information about how version selection works in the new portal, see Version selection on the About This Site page.

Upload the tutorial data

This tutorial uses a set of data that is designed to show you the features in the product. Using the tutorial data ensures that your search results are consistent with the steps in the tutorial.

Prerequisites

  • You must have the tutorial data files on your computer.
  • The tutorialdata.zip file must remain compressed to upload the file successfully. Some browsers automatically uncompress ZIP files. See Download the tutorial data files for more information.
  • It is helpful to understand the type of data you that are uploading with this tutorial. See What is in the tutorial data?.


Use the Add Data wizard

  1. If there is a Welcome window displayed, close that window.
  2. Click Settings > Add Data.
    This screen image shows the Add Data icon in the Settings window.

  3. At the bottom of the window, click Upload. There are other options for adding data, but for this tutorial you will upload the data files.
    This screen image shows the Upload icon on the screen. The Upload icon is in the section "Or get data in with the following methods".

  4. Under Select Source, click Select File.
    This screen image shows the first step in adding data, Select Source. The Select File button is highlighted. Browse to where you downloaded the tutorialdata.zip file.

  5. In your download directory, select the tutorialdata.zip file and click Open.

    Because you specified a compressed file, the Splunk software recognizes that type of data source. The Set Source Type step in the Add Data wizard is skipped. When you load data that is not in a compressed file, you will be asked to set the data source type.

  6. Click Next to continue to Input Settings.

  7. Under Input Settings, you can override the default settings for Host, Source type, and Index.
    Because this tutorial uses a ZIP file, you are going to modify the Host setting to assign the host values by using a portion of the path name for the files included in the ZIP file.
    a. Select Segment in path.
    b. Type 1 for the segment number.
    This screen image shows the next step in adding data, Input Settings The Segment in path option is highlighted.
  8. Click Review. The following screen appears where you can review your input settings.
    This screen image shows the next step in adding data, Review. The name of the file that you are uploading and the host setting are displayed.

  9. Click Submit to add the data.
    This screen image shows the last step in adding data. The screen shows the file was uploaded successfully. The screen shows the options for what you can do next.

  10.  To see the data in the Search app, click Start Searching.
    You might see a screen asking if you want to take a tour. You can take the tour or click Skip.
    The Search app opens and a search is automatically run on the tutorial data source.
    This screen image shows that a simple search was run to find all of the tutorial data. The data now appears as events in the bottom half of the window.

    Success! The results confirm that the data in the tutorialdata.zip file was indexed and that events were created.
  11.  Click the Splunk logo to return to Splunk Home.

Next step

You have completed Part 2 of the Search Tutorial.

Now you know how to add data to your Splunk platform. Next, you will begin to learn how to search that data. Continue to Part 3: Using the Splunk Search App.

Last modified on 16 August, 2024
What is in the tutorial data?   Exploring the Search views

This documentation applies to the following versions of Splunk® Enterprise: 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters