Search with Splunk Web, CLI, or REST API
You can perform searches using Splunk Web and the Splunk REST API. If you use Splunk Enterprise, you can also run a search from the command line interface (CLI). Which tool is best can sometimes depend on what you want from your search.
If you need to be able to search a Splunk Enterprise and Splunk Cloud deployment together in a single search, you must configure hybrid searching. See Configure hybrid search in the Splunk Cloud User Manual.
Search with Splunk Web
When you search with Splunk Web, you are using the Search app, and you can control the search experience by selecting a search mode (Fast, Verbose, Smart). Depending on the mode you select, Splunk software automatically discovers and extracts fields other than the default fields, returns results as an events list or a table, and runs the calculations required to generate the event timeline. Calculating the event timeline is very expensive because it creates buckets and keeps the statistics for events and fields in a dispatch directory such that it is available when the user clicks a bar on the timeline.
- Read more about how to "Set search mode to adjust your search experience" in this manual.
Search with the CLI or REST API
When you run a search through the command line interface (CLI) or use the search jobs endpoint in the REST API to create a search, the search goes directly to the Splunk search engine without going through Splunk Web. These searches can complete much faster than the searches in Splunk Web because Splunk software does not calculate or generate the event timeline. Instead, search results are displayed as a raw events list or a table, depending on the type of search.
Types of commands
About the Search app
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103