Splunk® Enterprise

Search Tutorial

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Exploring the Search views

In Part 2, you learned about the types of data that the Splunk platform works with and uploaded the tutorial data into the index. In Part 3, you will learn about the Search app.

Find Splunk Search

  1. If you are not on the Splunk Home page, click the Splunk logo on the Splunk bar to go to Splunk Home.
  2. From Splunk Home, click Search & Reporting in the Apps panel.
This image shows the Apps panel on the Splunk Home page. The Search and Reporting application is listed in this panel.

This opens the Search Summary view in the Search app.

Search Summary view

The Search Summary view includes common elements that you see on other views, including the Applications menu, the Splunk bar, the Apps bar, the Search bar, and the Time Range Picker. Elements that are unique to the Search Summary view are the panels below the Search bar: the How to Search panel and the Search History panel.

The Search Summary view is almost identical in Splunk Cloud Platform and Splunk Enterprise.

The following image shows the Search Summary view in Splunk Cloud Platform. This screen image shows red circles with numbers inside that identify the parts of the screen. The table below the screen image describes each of the numbered screen parts.

Number | Element | Description
1 | Applications menu | Switch between the Splunk applications that you have installed. The current application, the Search & Reporting app, is listed. This menu is on the Splunk bar.
2 | Splunk bar | Edit your Splunk configuration, view system-level messages, and get help on using the product.
3 | Apps bar | Navigate between the different views in the application you are in. For the Search & Reporting app the views are: Search, Analytics, Datasets, Reports, Alerts, and Dashboards.
4 | Search bar | Specify your search criteria.
5 | Time range picker | Specify the time period for the search, such as the last 30 minutes or yesterday. The default is Last 24 hours.
6 | How to search | Contains links to the Search Manual and the Search Tutorial.
7 | Workload management (Splunk Cloud Platform only) | Specify which pool to run your search in, or use a policy-based pool. The policies are defined in the Workload Management app.
8 | Search history | View a list of the searches that you have run. The search history appears after you run your first search.

In Splunk Enterprise there is an additional option in How to search, called Data Summary, which shows a summary of the data that has been uploaded to the Splunk instance and that you are authorized to view. There is also an option titled Analyze Your Data with Table Views, where you can prepare data without using the Search Processing Language (SPL).

New Search view

The New Search view opens after you run a search.

Some of the elements in this view might be familiar, such as the Apps bar, the Search bar, and the time range picker. Below the Search bar are the Timeline, the Fields sidebar, and the Events viewer.

The New Search view is almost identical in Splunk Cloud Platform and Splunk Enterprise.

The following image shows the New Search view in Splunk Cloud Platform.

This screen image shows red circles with numbers inside that identify the parts of the screen. The table below the screen image describes each of the numbered screen parts.

Number | Element | Description
1 | Apps bar | Navigate between the different views in the Search & Reporting app: Search, Analytics, Datasets, Reports, Alerts, and Dashboards.
2 | Search bar | Specify your search criteria.
3 | Time range picker | Specify the time period for the search.
4 | Search action buttons | Actions that you can perform, including working with your search job, and sharing, printing, and exporting your search results.
5 | Search results tabs | The tab that your search results appear on depends on your search. Some searches produce a set of events, which appear on the Events tab. Other searches transform the data in events to produce search results, which appear on the Statistics tab.
6 | Search mode menu | Use the search mode selector to provide a search experience that fits your needs. The modes are Smart (default), Fast, and Verbose.
7 | Timeline | A visual representation of the number of events that occur at each point in time. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline options are located above the timeline. You can format the timescale, zoom out, or zoom in to a selected set of events.
8 | Fields sidebar | Displays a list of the fields discovered in the events. The fields are grouped into Selected Fields and Interesting Fields.
9 | Events viewer | Displays the events that match your search. By default, the most recent event is listed first. In each event, the matching search terms are highlighted. To change the event view, use the List, Format, and Per Page options.
10 | Save As menu | Use the Save As menu to save your search results as a Report, Dashboard Panel, Alert, or Event Type.

Next step

Learn about specifying time ranges in your searches.

See also

View and interact with your Search History in the Search Manual
Why source types matter in Getting Data In

Last modified on 28 October, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2