Splunk® Enterprise

Search Tutorial

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Use the search language

The searches that you have run to this point have retrieved events from your Splunk index. You were limited to asking questions that could only be answered by the number of events returned.

For example, you ran the following search to determine how many simulation games were purchased:

sourcetype=access_* status=200 action=purchase categoryId=simulation

To find this number for the days of the previous week, you need to run it against the data for each day of that week. To see which products are more popular than the other, run the search for each of the eight categoryId values and compare the results.

Splunk developed the Search Processing Language (SPL) to use with Splunk software. SPL encompasses all the search commands and their functions, arguments, and clauses. One way to learn the SPL language is by using the Search Assistant.

Learn with the Search Assistant

There are two modes for the Search Assistant: Compact and Full. The default mode is Compact, which you were introduced to in the Basic searches and search results topic in this tutorial.

This section shows you how to change the Search Assistant mode. You will use the Search Assistant to learn about the SPL and to construct searches. If you have a Splunk Free license, you will not be able to change the Search Assistant mode. See Choose a platform to learn about difference between the Splunk Trial and Splunk Free licenses.

Splunk platform Step Example
Splunk Enterprise
  1. Select Administrator > Preferences.
  2. Click SPL Editor.
  3. On the General tab next to Search assistant, click Full.
    The default setting is Compact. You can tell which mode is set by the dark gray background on the mode. The Full mode provides more information as you type commands in the Search bar.
  4. Click Apply.

This image shows the Account menu in Splunk Enterprise. The choices on the menu are Account Settings, Preferences, and Logout.

Splunk Cloud
  1. Select Your_Name > User Settings.
  2. Scroll down to the Search section and change the Search assistant to Full. The Full mode provides more information as you type commands in the Search bar.
  3. Click Save.

This image shows the Account menu in Splunk Cloud. The choices on the menu are "User settings" and "Profile".

Let's explore the benefits of the Full mode and creating searches using the SPL commands.

  1. Click Search in the App bar to start a new search.
  2. Change the time range to All time.
  3. Type the letter s in the Search bar.
    The Search Assistant shows a list of Matching Searches and Matching Terms. It also explains briefly How To Search. This screen image shows the Search Assistant in the Full mode. The Matching Searches section lists all of the searches that you have run which begin with "s". The Matching Terms section lists the terms in the tutorial data that begin with the letter "s" and the number of events that contain those terms.

  4. Select the following search from the Matching Searches list, or type the search into the Search bar.

    sourcetype=access_* status=200 action=purchase

  5. After action=purchase, type a pipe character ( | ) into the Search bar.
    The pipe character indicates that you are about to use a command. The results of the search to the left of the pipe are used as the input to the command to the right of the pipe. You can pass the results of one command into another command in a series, or pipeline, of search commands.

    Notice that the Search Assistant changes to show a list of Common Next Commands. This screen image shows the list of Common Next Commands. The list includes commands like chart, timechart, stats, dedup, and regex.

    You want the search to return the most popular items bought at the Buttercup Games online store.
  6. Under Common Next Commands, select top.
    The top command is appended to your search string. This screen image shows the change in the Search Assistant when you select the "top" command. The right side of the Search Assistant provides a description of the command and some examples.
  7. Type categoryId into the Search bar.
    The following search is the complete search string.

    sourcetype=access_* status=200 action=purchase | top categoryId

    • The search criteria before the pipe character, sourcetype=access_* status=200 action=purchase, locates events from the access control log files, that were successful (HTTP status is 200), and that were a purchase of a product.
    • The search criteria after the pipe character, top categoryId, takes the events located and returns the categoryId field for the most common values.
  8. Run the search.
    The results of the top command appear in the Statistics tab.

View results in the Statistics tab

The top command is a transforming command. Transforming commands organize the search results into a table. Use transforming commands to generate results that you can use to create visualizations such as column, line, area, and pie charts. You will learn more about visualizations later in this tutorial.

Because transforming commands return your search results in a table format, the results appear on the Statistics tab. This screen image shows the results of the search. The Statistic tab shows 3 columns: columnId, count, and percent.

In this search for successful purchases, seven different category IDs were found. The list shows the category ID values from highest to lowest, based on the frequency of the category ID values in the events.

Many of the transforming commands return additional fields that contain useful statistical information. The top command returns two new fields, count and percent.

  • The count field specifies the number of times each value of the categoryId field occurs in the search results.
  • The percent field specifies how large the count is compared to the total count.

View and format results on the Visualization tab

You can also view the results of transforming searches on the Visualization tab, where you can format the chart type.

  1. Click the Visualization tab.
    By default, the Visualization tab opens with a Column chart.
  2. Click Column Chart to open the visualization type selector. This screen image shows the drop-down where you can select which type of visualization you want to display.

    Column, Bar, and Pie charts are listed as the Recommended chart type for this data set.

  3. Select the Pie chart.
    Now, your visualization looks like the following pie chart. This screen image shows the visualization changed to a pie chart.

  4. Hover over each slice of the pie to see the count and percentage values for each categoryId. This screen image shows the largest slice of the pie selected, the STRATEGY category ID.

  5. Click on the STRATEGY slice.

    categoryId=STRATEGY is added to your search string, replacing the top command. The search runs again.

    This screen image shows the search results when categoryId=STRATEGY is added to the search string.

Next step

Learn about correlating events with subsearches.

See also

The top command in the Search Reference
Use drilldown for dashboard interactivity in the Dashboards and Visualizations

Last modified on 17 April, 2019
 

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters