Splunk® Enterprise

Search Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Search with Splunk Web, CLI, or REST API

You can perform searches using Splunk Web and the Splunk REST API. If you use Splunk Enterprise, you can also run a search from the command line interface (CLI). Which tool is best can sometimes depend on what you want from your search.

If you need to be able to search a Splunk Enterprise and Splunk Cloud Platform deployment together in a single search, you must configure hybrid searching. See Configure hybrid search in the Splunk Cloud Platform Admin Manual.

Search with Splunk Web

When you search with Splunk Web, you are using the Search app, and you can control the search experience by selecting a search mode (Fast, Verbose, Smart). Depending on the mode you select, Splunk software automatically discovers and extracts fields other than the default fields, returns results as an events list or a table, and runs the calculations required to generate the event timeline. Calculating the event timeline is expensive because it buckets the events and stores per-event and per-field statistics in a dispatch directory so that they are available when the user clicks a bar on the timeline.

Search with the CLI or REST API

When you run a search through the command line interface (CLI) or use the search jobs endpoint in the REST API to create a search, the search goes directly to the Splunk search engine without going through Splunk Web. These searches can complete much faster than the searches in Splunk Web because Splunk software does not calculate or generate the event timeline. Instead, search results are displayed as a raw events list or a table, depending on the type of search.
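Driving the search jobs endpoint from a script, as an added example that is not Splunk's own code: it creates a job, polls dispatchState until DONE, and fetches the rows, with no timeline calculation involved. It assumes the management port URL, a Splunk authentication token and the /services/search/jobs paths; the FakeSplunk transport, the search id and the failed-login audit query are constructed so the flow runs offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Transport signature: (method, url, headers, body) -> decoded JSON dict.
def urllib_transport(method, url, headers, body):
    # Real transport for the management port; pass an ssl context to urlopen for self-signed certs.
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def run_search_job(base_url, token, spl, transport=urllib_transport, poll_interval=1.0):
    """Create a search job, poll until dispatchState is DONE, return the result rows."""
    if not spl.lstrip().startswith(("search ", "|")):
        spl = "search " + spl  # the jobs endpoint expects full SPL, not a bare filter
    headers = {"Authorization": "Bearer " + token}  # Splunk authentication token
    body = urllib.parse.urlencode({"search": spl, "output_mode": "json"}).encode()
    sid = transport("POST", base_url + "/services/search/jobs", headers, body)["sid"]
    job_url = base_url + "/services/search/jobs/" + urllib.parse.quote(sid)
    while True:  # no timeline is built for this job; we only wait for dispatch to finish
        status = transport("GET", job_url + "?output_mode=json", headers, None)
        state = status["entry"][0]["content"]["dispatchState"]
        if state == "DONE":
            break
        if state == "FAILED":
            raise RuntimeError("search job %s failed" % sid)
        time.sleep(poll_interval)
    results = transport("GET", job_url + "/results?output_mode=json&count=0", headers, None)
    return results["results"]

class FakeSplunk:
    """Constructed stand-in for a server so the flow runs offline: RUNNING once, then DONE."""
    def __init__(self):
        self.polls = 0
        self.submitted = None  # records the SPL actually sent to the jobs endpoint
    def __call__(self, method, url, headers, body):
        if method == "POST":
            self.submitted = urllib.parse.parse_qs(body.decode())["search"][0]
            return {"sid": "1700000000.42"}  # constructed search id
        if url.endswith("/results?output_mode=json&count=0"):
            return {"results": [{"user": "alice", "count": "7"}, {"user": "bob", "count": "2"}]}
        self.polls += 1
        return {"entry": [{"content": {"dispatchState": "RUNNING" if self.polls < 2 else "DONE"}}]}

SAMPLE_SPL = 'index=_audit action="login attempt" info=failed | stats count by user'  # constructed query

if __name__ == "__main__":  # offline demonstration against the constructed fake
    print(run_search_job("https://splunk.example:8089", "PLACEHOLDER_TOKEN", SAMPLE_SPL, FakeSplunk(), 0))
```

Against a real instance, drop the FakeSplunk argument so the default urllib transport talks to the management port, and keep the token out of the script (environment variable or secret store).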

Last modified on 26 October, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

