Splunk® Enterprise

Search Tutorial


Use the search language

The searches you have run to this point retrieved events from your Splunk index. That limited you to questions that could be answered by counting the events returned.

For example, you ran the following search to determine how many simulation games were purchased:

sourcetype=access_* status=200 action=purchase categoryId=simulation

To find this number for each day of the previous week, you would have to run the search against the data for each day of that week. To see which products are more popular than the others, you would have to run the search once for each of the eight categoryId values and compare the results.

Learn with the Search Assistant

In the Basic searches and search results topic, you were introduced to the Search Assistant. This section explains in more detail one of the ways you can use the Search Assistant to learn about the Splunk search processing language (SPL) and to construct searches.

1. Start a new search and restrict your search to Yesterday.

2. Type source in the Search bar.

As you type in the Search bar, the Search Assistant opens with a list of Matching Searches and Matching Terms, and briefly explains how to search.
This screen image shows the Search Assistant. The Matching Searches section lists all of the searches that you have run which begin with "source". The Matching Terms section lists the fields that begin with "source". The list includes the source and sourcetype fields. The values for the fields are also displayed.
The Search Assistant tries to anticipate the keywords that you might use as you type in the Search bar.
If the Search Assistant does not open, click the down arrow under the left side of the Search bar.

3. Select the following search from the Matching Searches, or type the search into the Search bar.

sourcetype=access_* status=200 action=purchase

4. Type a pipe character ( | ) into the Search bar.

The pipe character indicates that you are about to use a command. The results of the search to the left of the pipe are used as the input to the command to the right of the pipe. You can pass the results of one command into another command in a series, or pipeline, of search commands.
Notice that the Search Assistant shows a list of Common Next Commands.

This screen image shows the list of Common Next Commands. The list includes commands like chart, timechart, stats, dedup, and regex.

You want the search to return the most popular items bought at the Buttercup Games online store.

5. Under Common Next Commands, click top.

The top command is appended to your search string.
This screen image shows the change in the Search Assistant when you select the "top" command. The right side of the Search Assistant provides a description of the command and some examples.

6. Type categoryId into the Search bar.

The following search is the complete search string.

sourcetype=access_* status=200 action=purchase | top categoryId

  • The search criteria before the pipe character locate events from the web server access logs (sourcetype=access_*) that were successful (HTTP status 200) and that were a purchase of a product.
  • The command after the pipe character takes those events as input and returns the most common values of the categoryId field.


7. Run the search.

The results of the top command appear in the Statistics tab.

View results in the Statistics tab

The top command is a transforming command. Transforming commands order the search results into a data table. You use transforming commands to generate results that you can use to create visualizations such as column, bar, line, area, and pie charts. We will talk more about visualizations later in this tutorial.

Because transforming commands return your search results in a table format, the results appear on the Statistics tab.

This screen image shows the results of the search. The Statistics tab shows 3 columns: categoryId, count, and percent.

In this search for successful purchases, seven different category IDs were found. The list shows the category ID values from highest to lowest, based on the frequency of the category ID values in the events.

Many of the transforming commands return additional fields that contain useful statistical information. The top command returns two new fields, count and percent. By default, top returns the ten most common values of the field; because only seven category IDs occur in these purchase events, all seven are listed.

  • The count field specifies the number of times each value of the categoryId field occurs in the search results.
  • The percent field specifies the count for that value as a percentage of the total count across all values.
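The following is an added example, not part of this tutorial and not Splunk's own code. It re-implements in Python what the two halves of the search above do: the criteria before the pipe (sourcetype=access_* status=200 action=purchase) filter the events, and the top command after the pipe counts the values of categoryId and reports count and percent. The log lines are constructed here to resemble the tutorial's web access events; the field names status, action, and categoryId are the ones the tutorial uses. The percent divisor (the number of filtered events that carry the field) and the default limit of 10 rows are assumptions made to mirror the behaviour described in this topic.

```python
"""Stand-alone model of `sourcetype=access_* status=200 action=purchase | top categoryId`.

Added example for this tutorial; not Splunk code. The sample events below are
constructed to look like the tutorial's web access logs.
"""
import re
from collections import Counter

# Constructed sample events: client, timestamp, request line, HTTP status, bytes.
# The query string carries the action and categoryId fields the tutorial searches on.
SAMPLE_EVENTS = [
    '10.1.1.1 - - [10/Jan/2016:10:00:01] "GET /cart.do?action=purchase&categoryId=STRATEGY&productId=WC-SH-G04 HTTP/1.1" 200 1200',
    '10.1.1.2 - - [10/Jan/2016:10:00:02] "GET /cart.do?action=purchase&categoryId=STRATEGY&productId=WC-SH-G04 HTTP/1.1" 200 1200',
    '10.1.1.3 - - [10/Jan/2016:10:00:03] "GET /cart.do?action=purchase&categoryId=ARCADE&productId=DB-SG-G01 HTTP/1.1" 200 1200',
    '10.1.1.4 - - [10/Jan/2016:10:00:04] "GET /cart.do?action=purchase&categoryId=SIMULATION&productId=SF-BVS-G01 HTTP/1.1" 200 1200',
    # A failed purchase (status 503): excluded by status=200.
    '10.1.1.5 - - [10/Jan/2016:10:00:05] "GET /cart.do?action=purchase&categoryId=STRATEGY&productId=WC-SH-G04 HTTP/1.1" 503 1200',
    # Not a purchase: excluded by action=purchase.
    '10.1.1.6 - - [10/Jan/2016:10:00:06] "GET /cart.do?action=addtocart&categoryId=TEE&productId=BS-AG-G09 HTTP/1.1" 200 1200',
    '10.1.1.7 - - [10/Jan/2016:10:00:07] "GET /cart.do?action=purchase&categoryId=SPORTS&productId=MB-AG-T01 HTTP/1.1" 200 1200',
]

# Pull the request URI and the HTTP status out of the request line.
EVENT_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def extract_fields(event):
    """Return the fields this tutorial uses (status plus query-string key=value pairs),
    or None if the event does not look like an access log line."""
    m = EVENT_RE.search(event)
    if not m:
        return None
    fields = {"status": m.group("status")}
    _, _, query = m.group("uri").partition("?")
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    return fields


def search(events, **criteria):
    """The left side of the pipe: keep only events whose fields match every field=value criterion."""
    results = []
    for event in events:
        fields = extract_fields(event)
        if fields and all(fields.get(k) == v for k, v in criteria.items()):
            results.append(fields)
    return results


def top(results, field, limit=10):
    """The right side of the pipe (`| top <field>`): the most common values of the field,
    each with a count and a percent of the total, most frequent first.
    Assumptions for this example: percent is taken over the events that carry the field,
    and at most `limit` rows are returned (10, mirroring top's default)."""
    counts = Counter(r[field] for r in results if field in r)
    total = sum(counts.values())
    return [
        {field: value, "count": count, "percent": round(100.0 * count / total, 6)}
        for value, count in counts.most_common(limit)
    ]


if __name__ == "__main__":
    purchases = search(SAMPLE_EVENTS, status="200", action="purchase")
    for row in top(purchases, "categoryId"):
        print(row)
```

Run as a script, the block prints one row per category ID, ordered by count, with STRATEGY first at 40 percent of the five successful purchases. Note that percent is computed only over the events that survive the filter before the pipe, which is why the failed (503) STRATEGY purchase and the addtocart event do not affect the figures.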

View and format results in the Visualization tab

You can also view the results of transforming searches in the Visualization tab, where you can choose and format the chart type.

1. Click the Visualization tab.

By default, the Visualization tab opens with a Column chart.

2. Click Column Chart to open the visualization type selector.

This screen image shows the drop-down where you can select which type of visualization you want to display.
Column, Bar, and Pie charts are the recommended types for this data set.

3. Select Pie.

Now, your visualization looks like the following pie chart:
This screen image shows the visualization changed to a pie chart.

4. Next to the visualization drop-down list, click Format. On the General tab next to Drilldown, click Yes. Then close the dialog box.

The Drilldown setting lets you delve into the details of the information in the tables and charts on the Visualization tab.

a. Mouse over each slice of the pie to see the count and percentage values for each categoryId.
This screen image shows the largest slice of the pie selected, the STRATEGY category ID.
b. Click on a slice, such as STRATEGY.
Because Drilldown is enabled, the search term categoryId=STRATEGY is appended to your search string and the search runs again.
This screen image shows the search results when categoryId=STRATEGY is appended to the search string.

Next step

Learn about correlating events with subsearches.

See also

The top command in the Search Reference manual
Drilldown behavior in the Dashboards and Visualizations manual


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
