Module 5: Basic Search
1 01/07/2024 | 24 May 2018
Search Assistant
• Search Assistant provides selections for how to complete the search string
• Before the first pipe (|), it looks for matching terms
• You can continue typing OR select a term from the list
– If you select a term from the list, it is added to the search
Search Assistant (cont.)
• After the first pipe, the Search Assistant shows a list of commands that can be entered into the search string
• You can continue typing OR scroll through and select a command to add
• If you mouse over a command, more information about the command is shown
• As you continue to type, Search Assistant makes more suggestions
Search Assistant (cont.)
• Search Assistant is enabled by default in the SPL Editor user preferences
• By default, Compact mode is selected
• To show more information, choose Full mode
Search Assistant – Full Mode
• To show more information, click More »
• To show less information, click « Less
• To toggle Full mode off, de-select Auto Open
Search Assistant – Parentheses
• The Search Assistant provides help to match parentheses as you type
• When an end parenthesis is typed, the corresponding beginning parenthesis is automatically highlighted
– If a beginning parenthesis cannot be found, nothing is highlighted
[Figure: two screenshots, "Beginning parenthesis found!" and "Beginning parenthesis NOT found!"]
Viewing Search Results
• Matching results are returned immediately
• Displayed in reverse chronological order (newest first)
• Matching search terms are highlighted
Viewing Search Results (cont.)
• Splunk parses data into individual events, extracts time, and assigns metadata
• Each event has:
– timestamp
– host
– source
– sourcetype
– index
Viewing Search Results (cont.)
[Figure: the Search view, with callouts for the time range picker, search mode, timeline, paginator, Fields sidebar, timestamp, selected fields and events; search results appear in the Events tab]
Generated for () (C) Splunk Inc, not for distribution
Splunk Fundamentals 1
Using Search Results to Modify a Search
• When you mouse over search results, keywords are highlighted
• Click any item in your search results; a window appears allowing you to:
– Add the item to the search
– Exclude the item from the search
– Open a new search including only that item
Changing Search Results View Options
You have several layout options for displaying your search results
Selecting a Specific Time
[Figure: the time range picker, showing preset time ranges and custom time ranges]
Time Range Abbreviations
• Time ranges are specified in the Advanced tab of the time range picker
• Time unit abbreviations include:
s = seconds, m = minutes, h = hours, d = days, w = weeks, mon = months, y = years
• The @ symbol "snaps" to the time unit you specify
– Snapping rounds down to the nearest specified unit
– Example: if the current time when the search starts is 09:37:12, -30m@h looks back to 09:00:00
Time Range: earliest and latest
• You can also specify a time range in the search bar
• To specify a beginning and an ending for a time range, use earliest and latest
• Examples:
earliest=-h looks back one hour
earliest=-2d@d latest=@d looks back from two days ago, up to the beginning of today
earliest=6/15/2017:12:30:00 looks back to the specified time
Note
If a time is specified, it must be in MM/DD/YYYY:HH:MM:SS format.
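How the relative-time syntax on these two slides resolves, as an added Python example that is not part of the course material: the offset (such as -30m) is applied first and the result is then snapped with @, which is why -30m@h at 09:37:12 gives 09:00:00. The function names resolve_time and resolve are this example's own, and it assumes @w snaps to the previous Sunday (Splunk's documented @w0 default).

```python
import calendar
import re
from datetime import datetime, timedelta

# Offset units that map straight onto timedelta; mon and y step the calendar instead.
_DELTA_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
# [sign][count]unit, optionally followed by @snap_unit, e.g. "-30m@h", "-h", "@d"
_RELATIVE = re.compile(r"^(?:([+-]?)(\d*)(mon|[smhdwy]))?(?:@(mon|[smhdwy]))?$")
# Fields zeroed when snapping to s, m, h or d (w, mon and y build on the d case)
_FLOOR = {"s": ("microsecond",), "m": ("second", "microsecond"),
          "h": ("minute", "second", "microsecond"), "d": ("hour", "minute", "second", "microsecond")}

def _clamp_day(year, month, day):
    """Keep a shifted date valid: Mar 31 minus 1mon must land on Feb 28, not raise."""
    return min(day, calendar.monthrange(year, month)[1])

def _shift(now, sign, count, unit):
    """Apply the relative offset; a bare unit such as "-h" means one unit."""
    n = int(count) if count else 1
    if sign == "-":
        n = -n
    if unit in _DELTA_UNITS:
        return now + timedelta(**{_DELTA_UNITS[unit]: n})
    if unit == "mon":
        year, month0 = divmod(now.year * 12 + now.month - 1 + n, 12)
        return now.replace(year=year, month=month0 + 1, day=_clamp_day(year, month0 + 1, now.day))
    return now.replace(year=now.year + n, day=_clamp_day(now.year + n, now.month, now.day))

def _snap(t, unit):
    """Round DOWN to the start of the unit; @w snaps to the previous Sunday (assumed @w0)."""
    if unit in _FLOOR:
        return t.replace(**{f: 0 for f in _FLOOR[unit]})
    day = _snap(t, "d")
    if unit == "w":
        return day - timedelta(days=(day.weekday() + 1) % 7)
    return day.replace(month=1 if unit == "y" else day.month, day=1)

def resolve_time(modifier, now):
    """Resolve an earliest=/latest= value against `now` (a datetime): the offset is
    applied first, then the result is snapped, so -30m@h at 09:37:12 gives 09:00:00."""
    m = _RELATIVE.match(modifier)
    if m is None:  # absolute times must use MM/DD/YYYY:HH:MM:SS, as the slide's note states
        return datetime.strptime(modifier, "%m/%d/%Y:%H:%M:%S")
    sign, count, unit, snap = m.groups()
    t = _shift(now, sign, count, unit) if unit else now
    return _snap(t, snap) if snap else t

def resolve(modifier, now_iso):
    """String wrapper: now_iso is "YYYY-MM-DD HH:MM:SS"; returns the same format."""
    return resolve_time(modifier, datetime.fromisoformat(now_iso)).strftime("%Y-%m-%d %H:%M:%S")
```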
Viewing the Timeline
• The timeline shows the distribution of events in the specified time range
– Mouse over for details, or single-click to filter results for that time period
• The timeline legend shows the scale of the timeline
Viewing a Subset of the Results with Timeline
• To select a narrower time range, click and drag across a series of bars
– This action filters the current search results; it does not re-execute the search
– The filtered events are displayed in reverse chronological order (most recent first)
Using Other Timeline Controls
• Format Timeline
– Hides or shows the timeline in different views
• Zoom Out
– Expands the time focus and re-executes the search
• Zoom to Selection
– Narrows the time range and re-executes the search
• Deselect
– If in a drilldown, returns to the original results set
– Otherwise, grayed out / unavailable
Controlling and Saving Search Jobs
• Every search is also a job
• Use the Job bar to control search execution
– Pause – toggles to resume the search
– Stop – finalizes the search in progress
– Jobs are available for 10 minutes (default)
– Get a link to results from the Job menu
Setting Permissions
• Private [default]
– Only the creator can access
• Everyone
– All app users can access search results
• Lifetime
– Default is 10 minutes
– Can be extended to 7 days
– To keep your search results longer, schedule a report
Sharing Search Jobs
• Use the Share button next to the Job bar to quickly:
– Give everyone read permissions
– Extend results retention to 7 days
– Get a sharable link to the results
• Sharing a search allows multiple users working on the same issue to see the same data
– More efficient than each running the search separately
– Less load on the server and less disk space used
• Can also click the printer icon to print results or save as PDF
Exporting Search Results
For an external copy of the results, export search results to Raw Events (text file), CSV, XML, or JSON format
Note
Exporting the results of a large search is very memory-intensive!
Viewing Your Saved Jobs
• Access saved search jobs from the Activity menu
• The Search Jobs view displays jobs that:
– You have run in the last 10 minutes
– You have extended for 7 days
• Click on a job link to view the results in the designated app view
Click Activity > Jobs to view your saved jobs. Click the job’s name to examine results in Search view. (The job name is the search string.)
Viewing Your Search History
1. Search History displays your most recent ad-hoc searches – 5 per page
2. You can set a time filter to further narrow your results
3. Click the > icon in the leftmost column to expand long queries to display the full text
Module 6: Using Fields in Searches
What Are Fields?
• Fields are searchable key/value pairs in your event data
– Examples: host=www1 status=503
• Fields can be searched with their names, like separating an http status code of 404 from Atlanta’s area code (area_code=404)
• Between search terms, AND is implied unless otherwise specified
area_code=404
action=purchase status=503
source=/var/log/messages* NOT host=mail2
sourcetype=access_combined
Field Discovery
• Splunk automatically discovers many fields based on sourcetype and key/value pairs found in the data
• Prior to search time, some fields are already stored with the event in the index:
– Meta fields, such as host, source, sourcetype, and index
– Internal fields such as _time and _raw
• At search time, field discovery discovers fields directly related to the search’s results
• Some fields in the overall data may not appear within the results of a particular search
Note
While Splunk auto-extracts many fields, you can learn how to create your own in the Splunk Fundamentals 2 course.
Identify Data-Specific Fields
• Data-specific fields come from the specific characteristics of your data
– Sometimes, this is indicated by obvious key = value pairs (action = purchase)
– Sometimes, this comes from data within the event, defined by the sourcetype (status = 200)
Note
For more information, please see:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Listofpretrainedsourcetypes
Fields Sidebar
For the current search:
• Selected Fields – a set of configurable fields displayed for each event
• Interesting Fields – occur in at least 20% of resulting events
• All Fields – click to view all fields (including non-interesting fields)
[Figure: the Fields sidebar, with callouts for the icon that indicates the field’s values are alphanumeric, the icon that indicates the majority of the field values are numeric, and the count that indicates the number of unique values for the field]
Describe Selected Fields
• Selected fields and their values are listed under every event that includes those fields
• By default, the selected fields are:
– host
– source
– sourcetype
• You can choose any field and make it a selected field
Make an Interesting Field a Selected Field
• You can modify selected fields
– 1. Click a field in the Fields sidebar
– 2. Click Yes in the upper right of the field dialog
• Note that a selected field appears:
– In the Selected Fields section of the Fields sidebar
– Below each event where a value exists for that field
Make Any Field Selected
You can identify other fields as selected fields from All Fields (which shows all of the discovered fields)
The Field Window
Select a field from the Fields sidebar, then:
• Narrow the search to show only results that contain this field – action=* is added to the search criteria
• Get statistical results
• Click a value to add the field/value pair to your search – in this case, action=addtocart is added to the search criteria
Using Fields in Searches
• Efficient way to pinpoint searches and refine results
– Examples: 141.146.8.66 clientip=141.146.8.66 status=404 area_code=404
• Field names ARE case sensitive; field values are NOT
– Example: host=www3 and host=WWW3 both return results; HOST=www3 does not return results
Using Fields in Searches (cont.)
• For IP fields, Splunk is subnet/CIDR aware
– Examples: clientip="202.201.1.0/24" clientip="202.201.1.*"
• Use wildcards to match a range of field values
– Example: user=* (to display all events that contain a value for user)
– Example: user=* sourcetype=access* (referer_domain=*.cn OR referer_domain=*.hk)
• Use relational operators
– With numeric fields: src_port>1000 src_port<4000
– With alphanumeric fields: host!=www3
!= vs. NOT
• Both the != field expression and the NOT operator exclude events from your search, but produce different results
• Example: status!=200
– Returns events where the status field exists and the value in the field doesn’t equal 200
• Example: NOT status=200
– Returns events where the status field exists and the value in the field doesn’t equal 200 -- and all events where the status field doesn’t exist
!= vs. NOT (cont.)
In this example:
• status!=200 returns 3,110 events from 2 sourcetypes
• NOT status=200 returns 66,855 events from 9 sourcetypes
Note
The results from a search using != are a subset of the results from a similar search using NOT.
!= vs. NOT (cont.)
• Do != and NOT ever yield the same results?
– Yes, if you know the field you’re evaluating always exists in the data you’re searching
– For example:
index=web sourcetype=access_combined status!=200
index=web sourcetype=access_combined NOT status=200
yield the same results because the status field always exists in the access_combined sourcetype
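To make the field-matching rules from the Using Fields in Searches slides (case-sensitive names, case-insensitive values, wildcards, CIDR awareness) and the != versus NOT distinction concrete, here is an added Python example run over constructed events; it is not Splunk's code, and the event data, function names and result counts are this example's own.

```python
import fnmatch
import ipaddress

# Constructed sample events (not the course's data): the web events carry a
# status field, the syslog-style events do not, which is what separates != from NOT.
EVENTS = [
    {"sourcetype": "access_combined", "host": "www1", "clientip": "202.201.1.17", "status": "200"},
    {"sourcetype": "access_combined", "host": "www3", "clientip": "202.201.1.200", "status": "404"},
    {"sourcetype": "access_combined", "host": "WWW3", "clientip": "10.0.0.5", "status": "503"},
    {"sourcetype": "syslog", "host": "mail2", "message": "delivered mail to user"},
    {"sourcetype": "syslog", "host": "www3", "message": "cron job finished"},
]

def field_matches(event, name, pattern):
    """field=value as the slides describe it: the field NAME is case sensitive
    (it must exist under exactly that name), the VALUE is not; '*' wildcards and,
    for IP-shaped values, CIDR blocks are honoured."""
    if name not in event:
        return False
    value = str(event[name])
    if "/" in pattern:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            pass  # not an IP/CIDR pair after all; fall back to text matching
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def search(events, name, pattern):
    """field=value"""
    return [e for e in events if field_matches(e, name, pattern)]

def search_neq(events, name, pattern):
    """field!=value: the field must EXIST and its value must not match."""
    return [e for e in events if name in e and not field_matches(e, name, pattern)]

def search_not(events, name, pattern):
    """NOT field=value: every event that fails the match, including events with no such field."""
    return [e for e in events if not field_matches(e, name, pattern)]

def sourcetypes(events):
    """Distinct sourcetypes in a result set (the slides report these counts)."""
    return sorted({e["sourcetype"] for e in events})
```

Restricting both searches to sourcetype=access_combined, where every event has a status field, makes search_neq and search_not return the same events, as the slide states.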
Search Modes: Fast, Smart, Verbose
• Fast: emphasizes speed over completeness
• Smart: balances speed and completeness (default)
• Verbose:
– Emphasizes completeness over speed
– Allows access to underlying events when using reporting or statistical commands (in addition to totals and stats)
Note
You’ll discuss statistical commands later in this course.