Splunk® Enterprise

Search Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

About the Search Tutorial

The Search & Reporting application (Search app) is the primary interface for using the Splunk software to run searches, save reports, and create dashboards. This Search Tutorial is for users who are new to the Splunk platform and the Search app.

Use this tutorial to learn how to use the Search app. Differences between Splunk Enterprise and Splunk Cloud are specified throughout this tutorial.

Already have access to Splunk software?

For this tutorial, use a free Trial version of the Splunk software.

Why? Because this tutorial uses a specific set of data to ensure consistency in your search results and the features that you are learning about. In the tutorial, you will upload this tutorial-specific data to the Splunk platform. You might not have permission to upload data in your production work environment. Additionally, using a free Trial version of the software ensures that the tutorial data is not mixed in with your work data.

The Trial version of the software converts to a Free version after 30 days. If you have a Free version of the Splunk software, some of the features, such as changing Preferences in the User account menu, are not available. See About Splunk Free in the Admin manual.

The steps for downloading a free Trial version of Splunk Enterprise or Splunk Cloud are described in the tutorial.

What's in this tutorial?

You will learn how to use the Search app to add data to your Splunk deployment, search the data, save the searches as reports, and create dashboards. If you are new to the Search app, this tutorial is the place to start.

How to use this tutorial

Each Part in the Search Tutorial builds on the previous Part. For example, the searches that you create in Part 5 are used to create reports and charts in Part 7. It is important that you don't skip any Part.

Using the PDF version of the tutorial

You can copy and paste search strings or regular expressions directly into the Search & Reporting App from this online tutorial in your web browser.

Do not copy and paste search strings or regular expressions directly from the electronic PDF into the Search app. Pasting data from the PDF can cause errors in searches, because of hidden characters that are included in the PDF formatting.

See also sections

At the end of most of the topics in this tutorial is a section called See also. These sections contain links to Splunk documentation that is related to the information discussed in that topic.

Additional resources

See Additional resources at the end of this tutorial for information about:

  • The Splunk community
  • Links to Quick Reference information
  • Links to the Splunk documentation
  • How to provide feedback

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1, 8.0.2


Hi, JB. Please email elearn@splunk.com for assistance with the Fundamentals Part 1 elearning. That team can help you find the training materials that you're looking for.

Andrewb splunk, Splunker
March 18, 2019

Hello Splunk Supports,
I got the Splunk Enterprise version set up locally and am getting ready for the https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Where can I download the eLearning lessons?
Please let me know; I greatly appreciate your response!

March 17, 2019

Hello Enyuan
It depends on the platform that you choose. For Splunk Cloud, you have access to Splunk Cloud for 15 days. After 15 days, the access to your Splunk Cloud trial expires. For Splunk Enterprise, you get a Splunk Enterprise trial license for 30 days. After 30 days, the Enterprise trial license converts to a perpetual free license and some of the features, such as authentication and alerting, are disabled. The free license also includes the 500MB daily indexing volume, but there is no expiration date.

Lstewart splunk, Splunker
April 30, 2018

Hi Splunk support,
Does this Splunk Tutorial support Splunk Free?
Kind regards

April 29, 2018

Hi Team,
I am searching for a detailed document on adding a pop-up to a Splunk application. But there is no such document available online or in any of the Splunk documents. Please help and send a document link if there is any, so I can refer to it.
Thank You

February 21, 2017
