Splunk Cloud Platform

Search Experience preview

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Search using point-and-click

If you're new to Splunk or the Splunk Search Processing Language, version 2 (SPL2), you're in the right place. This topic describes how to create searches using point-and-click actions.

If you are familiar with SPL but new to SPL2, you can either use these point-and-click actions or you can search using SPL2 directly in the SPL2 Editor. See Search using SPL2.

Open the Search Experience

To open the Search Experience:

  1. In the Cloud Console under Splunk Cloud Platform, select Launch.
  2. Optional. In My workspaces, select Install sample content to install the sample modules.
  3. In My workspaces, select + New and choose Module.

You can also start a new module by selecting Search in the navigation pane on the left.

On the Search page, most of the icons and other elements have tooltips that identify them. For example, if you hover over the + Add button, the tooltip displays Add new statement or chart.

The datasets that you have access to appear in the list of datasets on the right side of the page.

Start and run a search

To create a search:

  1. From the list of datasets, check the name of the dataset that you want to use. For example, to search the sample data, select sample_events.
  2. Select Apply. A new search is added to the SPL Editor using the from command.
  3. If you are using the sample_events dataset, change the Global Time Range to All time.
  4. Click the Run button (an icon with a triangle pointing to the right, similar to a Play button), or press Control or Command + Enter to run the search.

You can select multiple datasets to include in your search. When you select Apply, a new search is added to the SPL Editor using the union command. See union command overview in the SPL2 Search Reference.

Cancel a search

You can cancel a running search by using the Stop button (an icon with a square). This button appears after you select the Run button.

Run all search statements

When you select the Run button (an icon with a triangle pointing right), only the active search is run. To run all of the search statements in the module, use the Run all button (an icon with a set of arrows in a circle).

Add fields to the search results

You can display fields from your dataset in the search results pane.

  1. On the Data tab, under Fields, check the fields that you want to display in the search results. For example, if you are using the sample_events dataset, check the following fields:
    • host
    • action
    • categoryId
    • status

Hide a field in the search results

There are two ways to hide a field in the search results. You can uncheck the field on the Data tab, or use the Options menu for the field.

To hide a field using the Data tab:

  1. On the Data tab, uncheck the field name. For example, you can uncheck the _raw field.

To hide a field using the Options menu:

  1. In the Search Results pane, open the Options menu (an icon with three dots in a vertical column) for the field and choose Hide Column.

Show and hide field information

When you select the name of a field in your search results, a panel appears that shows information about that field:

  • The DATA DISTRIBUTION section lists the distinct values in the field, along with a count and percentage of how often each value appears in your results.
  • The DATA QUALITY section shows the percent of events that have, or are missing, a value for the selected field.
  • The STATISTICS section displays a total count of the events in the search results and a distinct count of the unique values in the field.
  • The SUGGESTIONS section displays actions you can take on the field, such as rename the field or apply a filter to the field.

To close the panel, select the X at the top of the panel across from the field.

Remove events with empty values

If a field has values that show EMPTY, you can remove those events from the search results.

  1. In the search results, next to the field name, click the Options menu (an icon with three dots in a vertical column). For example, if you are using the sample data, select the Options menu next to the action field.
  2. Select Exclude value.
  3. In the Add filter popup, the name of the field and the not equal operator are filled in for you. Select Apply.

For the field you selected, the events that have empty values are removed from the search results.

Add a filter to your search

There are two ways to filter your data:

  • On the Data tab, next to Filters, click the plus ( + ) sign.
  • In the search results panel, use the field Options menu (an icon with three dots in a vertical column).

Filter using the Add filter menu

The Filters section of the Data tab lists the filters that are applied to the active search statement.

  1. On the Data tab, next to Filters, select the plus ( + ) sign.
  2. Select the type of filter you want to use:
    1. To include or exclude field values, choose Values.
    2. To show or hide fields in the search results, choose Fields.
    3. To specify a custom time range for the current search, choose Time range.
  3. For example, to filter the values in a field using the sample data, choose Values.
  4. For the field, select host.
  5. For the operator, leave it as equal ( = ).
  6. For the value, type www2.
  7. Click Apply.

Filter using the field Options menu

Use the Add filter icon to add a filter to your search.

  1. Click the status field and select the Options icon (an icon that looks like a funnel with a plus sign).
  2. Select Filter by value.
  3. For the operator, leave it as equal ( = ).
  4. For the value, type 200.
  5. Click Apply.

Search using keywords

You can search the _raw field using the Keyword search box, which appears directly below the Timeline.

You can search for an exact term or use a wildcard character ( * ) to search for part of a term. The wildcard should be used at the end of the term, for example http*.

To use the Keyword search box, type the term and press Enter.

Create another search

There are several ways to start a new search statement in your module. You can:

  • Click the + Add button, and select Statement.
  • Click on a new line in the SPL Editor pane.

Then select a dataset from the Dataset list.

Each search name in a module must be unique.

Extend a search

You can use the results of one search as the dataset for another search by extending the original, or base, search.

To extend a search:

  1. From the Outline, select the Options menu (an icon with three dots in a vertical column) next to the name of the search you want to use as the base search.
  2. Select Extend.
  3. Specify a name for the new search statement and select Create.
  4. A new search is started with the base search as the dataset. Specify the remaining search criteria and run the search.

For more information and examples of extended searches and to learn about branched searches, see Extend and branch search statements in the SPL2 Search Manual.

Collapse a search statement

When you have multiple or lengthy search statements in a module, you can use the line numbers to collapse, and then expand, a search statement:

  1. In the SPL Editor pane, position your mouse pointer in the line numbers area.
  2. A down chevron ( V ) appears next to statements that use multiple lines.
  3. To collapse a statement into one line, click the down chevron next to that statement. A right chevron ( > ) appears on the collapsed line.
  4. To expand a collapsed statement, click the right chevron next to the collapsed line.

Saving and creating search modules

When you create a search, it is created inside an untitled search module. You can use this module as a work area for ad-hoc searches or you can save the module to come back to the searches at a later time.

You can create multiple searches inside a single module and you can create multiple modules.

When you make changes to a module, the module is in draft mode until you save it. To learn about draft modules and how to discard unsaved changes, see Managing module changes.

Saving a module

When you save a module, the module name appears on the list in My workspace.

  1. Click Save.
  2. Type a name for the module and click Save.

Creating a module

To create a module:

  1. Select the More options icon next to the Save button.
  2. Select Create new module.

Explore more with SPL2

To perform more detailed searches, you need to use the Splunk Search Processing Language, version 2 (SPL2). See Search using SPL2.

See also

Related information

  • Search Experience overview
  • Specifying time ranges
  • Sample data
  • Sample modules
  • Troubleshooting SPL2 statements
  • Managing module changes

SPL2 documentation

  • SPL2 Search Reference
  • SPL2 Search Manual

Last modified on 21 February, 2023

This documentation applies to the following versions of Splunk Cloud Platform: search2preview

