Splunk Cloud

Search Tutorial

This documentation does not apply to the most recent version of Splunk Cloud.
Upload the tutorial data

This tutorial uses a set of data that is designed to show you the features in the product. Using the tutorial data ensures that your search results are consistent with the steps in the tutorial.

You must have the tutorial data files on your computer.

Use the Add Data wizard

  1. If you are not on the Splunk Home page, click the Splunk logo on the Splunk bar to go to Splunk Home.
  2. Locate the Add Data icon.
    Splunk Cloud
    a. If the Welcome to the Splunk Free Cloud Trial! window is displayed, close the window.
    b. Click Settings > Add Data.
    Splunk Enterprise
    a. In the Explore Splunk Enterprise panel, click Add Data.
  3. Click Upload. There are other options for adding data, but for this tutorial you will upload the data files.
    This screen image shows the Add Data image on the screen. The Add Data image is in the Explore Splunk Enterprise panel and is the second image from the left in that panel.
  4. Under Select Source, click Select File to browse for the tutorialdata.zip file.
    This screen image shows the first step in adding data, Select Source. Click the Select File button and browse to where you downloaded the tutorialdata.zip file.
  5. Select the file and click Open.
    Note: Because you specified a compressed file, a data source that the Splunk software recognizes, the wizard steps change. The step Set Source Type is skipped. When you load data that is not in a compressed file, you will set the data source type.
  6. Click Next to continue to Input Settings.
  7. Under Input Settings, you can override the default settings for Host, Source type, and Index.
  8. Modify the Host settings to assign the host names using a portion of the path name. The settings that you select depend on whether you are installing on Splunk Cloud or Splunk Enterprise and on the operating system you are using.
    Splunk Cloud
    a. Select Segment in path.
    b. Type 1 for the segment number.
    Splunk Enterprise
    For Linux or Mac OS X:
    a. Select Segment in path.
    b. Type 1 for the segment number.
    This screen image shows the next step in adding data, Input Settings. The Segment in path option is highlighted.
    For Windows:
    a. Select Regular expression on path.
    b. Type \\(.*)\/ for the regex to extract the host from the path.
    This screen image shows the next step in adding data, Input Settings. The Regular expression on path option is highlighted.
  9. Click Review. The following screen appears where you can review your input settings.
    This screen image shows the next step in adding data, Review. The name of the file that you are uploading and the host settings are displayed.
  10. Click Submit to add the data.
    This screen image shows the last step in adding data. The screen shows the file was uploaded successfully. The screen shows the options for what you can do next.
  11. To see the data in the Search app, click Start Searching.
    You might see a screen asking if you want to take a tour. You can take the tour or click Skip.
    The Search app opens and a search is automatically run on the tutorial data source.
    This screen image shows that a simple search was run to find all of the tutorial data. The data now appears as events in the bottom half of the window.
    Success! The results confirm that the data in the tutorialdata.zip file was indexed and that events were created.
  12. Click the Splunk logo to return to Splunk Home.
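
A pre-upload check for the Host settings in the steps above, as an added example that is not part of the Splunk documentation: it previews the host value each file path would get under Segment in path and under Regular expression on path, and lists the paths that would end up with an empty host. Both functions are simplified models of those options, not Splunk's implementation; the archive member names and the Windows-style path are constructed, and only the regex comes from this page.

```python
import io
import re
import zipfile

PAGE_REGEX = r"\\(.*)\/"  # regex from the tutorial's "Regular expression on path" step


def host_from_segment(path, n):
    """Simplified model of 'Segment in path': the n-th '/'-separated segment (1-based)."""
    parts = [p for p in path.split("/") if p]
    return parts[n - 1] if 0 < n <= len(parts) else ""


def host_from_regex(path, pattern=PAGE_REGEX):
    """Simplified model of 'Regular expression on path': first capture group, '' on no match."""
    m = re.search(pattern, path)
    return m.group(1) if m and m.re.groups else ""


def preview_hosts(paths, extractor):
    """Return {path: host} for the chosen Host setting."""
    return {p: extractor(p) for p in paths}


def unresolved(preview):
    """Paths that would be indexed with an empty host value."""
    return sorted(p for p, host in preview.items() if not host)


def build_sample_zip():
    """Constructed stand-in for tutorialdata.zip; member names are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("www1/access.log", "www2/access.log", "mailsv/secure.log"):
            zf.writestr(name, "constructed sample line\n")
    buf.seek(0)
    return buf


def member_paths(zip_file):
    """File paths inside the archive, skipping directory entries."""
    with zipfile.ZipFile(zip_file) as zf:
        return [n for n in zf.namelist() if not n.endswith("/")]


if __name__ == "__main__":
    paths = member_paths(build_sample_zip())
    print("segment 1:", preview_hosts(paths, lambda p: host_from_segment(p, 1)))
    print("regex, no match:", unresolved(preview_hosts(paths, host_from_regex)))
    # Constructed Windows-style path: backslash before the directory, slash after it.
    print("regex:", host_from_regex(".\\www1/access.log"))
```

The regex only yields a host when a backslash precedes the directory name and a forward slash follows it, so any path listed by `unresolved` is one to fix in Input Settings before clicking Submit.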

Next step

You have completed Part 2 of the Search Tutorial.

Now you know how to add data to your Splunk platform. Next, you will begin to learn how to search that data. Continue to Part 3: Using the Splunk Search App.

This documentation applies to the following versions of Splunk Cloud: 6.6.3


Unfortunately when I try the regular expression you suggest on Windows with Splunk Enterprise, I also get the host =

We did discover an issue with Splunk Cloud and Windows and have corrected the documentation.

Lstewart splunk, Splunker
March 2, 2018

Had the same problem. This regex worked for me:

January 22, 2018


Somehow the regular expression didn't work.
That is usually when the host= shows up.

There are 2 options:
1. Upload the tutorial data again, specifying the regular expression. However, you will then have 2 sets of the tutorial data uploaded.
2. You can remove the tutorial data and then upload it again.

To remove the data:
1. Log in as admin, and create a new user with the can_delete role.
   Choose Settings > Access Controls
   Click Users
   Click New and fill in the form. Specify “can_delete” for Selected roles.
2. Log out as admin and log back in as the user with the can_delete role.
3. Set the time range picker to All time.
4. Run the following search.
5. Confirm that the search is retrieving the correct data, then add the delete command to the end of the search and run the search.
   source=tutorialdata.zip:* | delete
6. Log out as the user with the can_delete role.
7. Log back in as admin.
8. Follow the steps in the tutorial to upload the data.

Lstewart splunk, Splunker
August 18, 2017

I am working on Windows 10. In point 8 I insert the regular expression:
\\ (. *) \ /
But at point 11 I only see host =
Can you help me?

August 14, 2017
