Use the search language
The searches you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could only be answered by the number of events returned.
For example, you ran the following search to determine how many simulation games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
To find this number for the days of the previous week, you need to run it against the data for each day of that week. To see which products are more popular than the other, run the search for each of the eight
categoryId values and compare the results.
Learn with the Search Assistant
In the Basic searches and search results topic, you were introduced to the Search Assistant. This section explains in more detail one of the ways you can use the Search Assistant to learn about the Splunk search processing language (SPL) and to construct searches.
1. Start a new search and restrict your search to Yesterday.
source in the Search bar.
- As you type in the Search bar, the Search Assistant opens with a list of Matching Searches and Matching Terms. It also explains briefly how to search.
- The Search Assistant tries to anticipate the keywords that you might use as you type in the Search bar. It also explains briefly how to search.
- If the Search Assistant does not open, click the down arrow under the left side of the Search bar.
3. Select the following search from the Matching Searches, or type the search into the Search bar.
sourcetype=access_* status=200 action=purchase
4. Type a pipe character ( | ) into the Search bar.
- The pipe character indicates that you are about to use a command. The results of the search to the left of the pipe are used as the input to the command to the right of the pipe. You can pass the results of one command into another command in a series, or pipeline, of search commands.
- Notice that the Search Assistant shows a list of Common Next Commands.
- You want the search to return the most popular items bought at the Buttercup Games online store.
5. Under Common Next Commands, click top.
topcommand is appended to your search string.
categoryId into the Search bar.
- The following search is the complete search string.
sourcetype=access_* status=200 action=purchase | top categoryId
- The search criteria before the pipe character locates events from the access control log files, that were successful (HTTP status is 200), and that were a purchase of a product.
- The search criteria after the pipe character takes the events located, and returns the
categoryIdfield for the most common values.
7. Run the search.
- The results of the
topcommand appear in the Statistics tab.
View results in the Statistics tab
top command is a transforming command. Transforming commands order the search results into a data table. You use transforming commands to generate results that you can use to create visualizations such as column, bar, line, area, and pie charts. We will talk more about visualizations later in this tutorial.
Because transforming commands return your search results in a table format, the results appear on the Statistics tab.
In this search for successful purchases, seven different category IDs were found. The list shows the category ID values from highest to lowest, based on the frequency of the category ID values in the events.
Many of the transforming commands return additional fields that contain useful statistical information. The
top command returns two new fields,
countfield specifies the number of times each value of the
categoryIdfield occurs in the search results.
percentfield specifies how large the count is compared to the total count.
View and format results in the Visualization tab
You can also view the results of transforming searches in the Visualizations tab, where you can format the chart type.
1. Click the Visualization tab.
- By default, the Visualization tab opens with a Column chart.
2. Click Column Chart to open the visualization type selector.
- Column, Bar, and Pie charts are the recommended type for this data set.
3. Select Pie.
- Now, your visualization looks like the following pie chart:
4. Next to the visualization drop-down list, click Format. On the General tab next to Drilldown, click Yes. Then close the dialog box.
The Drilldrown setting lets you delve into the details of the information in the tables and charts on the Visualizations tab.
- a. Mouse over each slice of the pie to see the count and percentage values for each categoryId.
- b. Click on a slice, such as STRATEGY.
- Because Drilldown is enabled, the criteria
categoryId=STRATEGYis appended to your search string. The search runs again.
Learn about correlating events with subsearches.
Use fields to search
Use a subsearch
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11