Basic searches and search results
In this section you create searches that retrieve events from the index.
The data for this tutorial is for the Buttercup Games online store. The store sells games and other related items, such as t-shirts. In this tutorial, you primarily search the Apache web access logs and correlate the access logs with the vendor sales logs.
Before you begin, complete the steps in Upload the tutorial data in Part 2.
Using the Search Assistant
The Search Assistant is a feature in the Search app that appears as you type your search criteria. The Search Assistant is like autocomplete, but so much more.
1. Click Search in the App bar to start a new search.
2. Type buttercup in the Search bar.
- As you type, the Search Assistant opens. There are two parts to Search Assistant, the matching search history section on the left and the search help section on the right.
- The Search Assistant provides suggestions to complete your search, based on terms that the Search Assistant matches in your event data. The Search Assistant does not return terms or phrases that do not exist in your event data.
- Matching Searches
- This list appears if you have used the term in a previous search and is taken from your search history. Your search history is retained when you log out. The Matching Searches list is useful when you want to run the same search from yesterday, or a week ago.
- Matching Terms
- This list appears with the number of matches for the search term in the events in the index. The Matching Terms list is useful to determine if a term is in your data.
- How To Search
- The Search Assistant provides steps to help you search.
- Step 1 provides some simple search examples to retrieve events. These examples show how to use terms, quoted phrases, Boolean operators, wildcards, and field values.
- Step 2 describes how to use search commands.
The Search Assistant is more useful after you start learning the search language. When you type search commands, the Search Assistant displays the command syntax and usage.
The Search Assistant opens automatically. When a check mark appears next to Auto Open, the Search Assistant is on. You can turn off the Search Assistant by selecting Auto Open. The check mark next to Auto Open disappears.
For this tutorial, you will want the Search Assistant turned on.
Retrieve events from the index
Let's try to find out how many errors have occurred on the Buttercup Games website.
To retrieve events that mention errors or failures, you type the keywords in your search criteria. If you use multiple keywords, you need to specify Boolean operators such as AND, OR, and NOT.
The AND operator is implied when you type in multiple keywords. For example, typing buttercupgames error is the same as typing buttercupgames AND error.
1. Start a new search.
2. To search for the terms error, fail, failure, failed, or severe, in the events that also mention buttercupgames, run the following search.
buttercupgames (error OR fail* OR severe)
- Tip: Instead of typing the search string, you can copy and paste the search from this tutorial directly into the Search bar. Click the spyglass icon to the right of the time range picker to run the search.
Notice that you must capitalize Boolean operators. The asterisk ( * ) character is used as a wildcard character, so fail* matches terms such as fail, failure, failed, failing, and so forth.
When evaluating Boolean expressions, precedence is given to terms inside parentheses. NOT clauses are evaluated before OR clauses. AND clauses have the lowest precedence.
This search retrieves 427 matching events.
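As an added example (not the tutorial's own code), here is a small Python evaluator for the keyword-search rules described above: the implied AND between adjacent terms, capitalized Boolean operators, the * wildcard, and the precedence order parentheses, NOT, OR, AND. It runs the tutorial's search over a handful of constructed access-log events; the event lines and the Parser, matches and search names are this example's assumptions, not Splunk's implementation.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample web access events (not the tutorial's data set).
EVENTS = [
    '10.0.0.1 "GET /cart.do HTTP/1.1" 500 buttercupgames ERROR checkout failed',
    '10.0.0.2 "GET /product.screen HTTP/1.1" 200 buttercupgames ok',
    '10.0.0.3 "GET /cart.do HTTP/1.1" 503 buttercupgames severe outage',
    '10.0.0.4 "GET /cart.do HTTP/1.1" 500 otherstore failing request',
]
class Parser:  # precedence, tightest first: ( ), NOT, OR, AND; AND is implied between adjacent clauses
    def __init__(self, query):
        self.toks = re.findall(r"\(|\)|[^\s()]+", query) + [None]   # None marks the end of the query
    def and_expr(self):                        # lowest precedence
        left = self.or_expr()
        while self.toks[0] not in (None, ")"):
            if self.toks[0] == "AND":
                self.toks.pop(0)               # an explicit AND is optional
            left = ("AND", left, self.or_expr())
        return left
    def or_expr(self):
        left = self.not_expr()
        while self.toks[0] == "OR":
            self.toks.pop(0)
            left = ("OR", left, self.not_expr())
        return left
    def not_expr(self):
        tok = self.toks.pop(0)
        if tok in (None, ")", "AND", "OR"):
            raise ValueError("operator without operand")
        if tok == "NOT":
            return ("NOT", self.not_expr())
        if tok == "(":
            node = self.and_expr()
            if self.toks.pop(0) != ")":
                raise ValueError("missing )")
            return node
        return ("TERM", tok.lower())           # lowercase and/or/not are ordinary terms

def matches(node, tokens):
    kind, *args = node
    if kind == "TERM":
        return any(fnmatchcase(t, args[0]) for t in tokens)   # * and ? act as wildcards
    vals = [matches(a, tokens) for a in args]
    return not vals[0] if kind == "NOT" else all(vals) if kind == "AND" else any(vals)
def search(query, events=EVENTS):
    parser = Parser(query)
    tree = parser.and_expr()
    if parser.toks[0] is not None:             # leftover ")" means unbalanced parentheses
        raise ValueError("unbalanced parenthesis")
    return [e for e in events if matches(tree, re.findall(r"[a-z0-9]+", e.lower()))]
```

Because AND binds loosest, fail* OR severe otherstore is read as (fail* OR severe) AND otherstore, and a lowercase or is searched for as a term rather than treated as an operator.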
Understanding search results
Below the Search bar are four tabs: Events, Patterns, Statistics, Visualizations.
The tab that shows the search results depends on the type of search commands you used. In the early parts of this tutorial, you will work primarily with the Events tab. Later in this tutorial, you will learn about the other tabs.
The Events tab displays the Timeline of events, the Fields sidebar, and the Events viewer.
By default, the events appear as a list that is ordered starting with the most recent event. In each event, the matching search terms are highlighted. The List option displays the event information in three columns.
| Column | Description |
| --- | --- |
| i | Use the event information column to expand or collapse the display of the event information. By default the display is collapsed. Click the greater than ( > ) symbol to expand the display. |
| Time | The timestamp for the event. When events are indexed, the timestamp in the event is extracted. If the event does not contain a timestamp, the indexing process adds a timestamp that is the date and time the event was indexed. |
| Event | The raw event data. The Selected fields from the Fields sidebar appear at the bottom of each event. |
Change the display of the Events viewer
1. Select the List option and click Table.
- The display changes to show the event information column, the timestamp column, and columns for each of the Selected fields. You will learn more about the Selected fields later in the tutorial.
2. Change the display back to List.
Timeline of events
The Timeline of events is a visual representation of the number of events that occur at each point in time. As the timeline updates with your search results, clusters or patterns of bars appear. The height of each bar indicates the count of events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. Use the timeline to highlight patterns of events or to investigate peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
When you index data, the Splunk software extracts information from your data that is formatted as name and value pairs, called fields. When you run a search, the fields that are discovered are listed in the Fields sidebar next to your search results. You can select other fields to show in your events. Also, you can hide this sidebar and maximize the results area.
- Selected fields are set to be visible in your search results. By default, host, source, and sourcetype appear.
- Interesting fields are other fields that have been extracted from your search results.
Patterns, Statistics, and Visualizations
The Patterns tab simplifies event pattern detection. It displays a list of the most common patterns among the set of events returned by your search. Each of these patterns represents a number of events that all share a similar structure.
The Statistics tab populates when you run a search with transforming commands such as chart, and so on. The keyword search for "buttercupgames" does not show results in this tab because the search does not include any transforming commands.
Transforming searches also populate the Visualization tab. The results area of the Visualizations tab includes a chart and the statistics table that is used to generate the chart.
You will learn about transforming commands, and use the Statistics and Visualizations tabs, later in the tutorial.
Learn to use fields to search your data.
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11