This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2
Navigating search results by following links and using interactive filters is a major component of the Splunk. Filtering is an efficient method to organize the results of a search. The following sections will illustrate some of the navigation features of the SplunkWeb interface.
Run a search for all of the sampledata index events.
index::sampledata
There are a number of menus below the time graph in the SplunkWeb. These are interactive field filters. By default host, source, and sourcetype are shown.
Host shows the originating host of the event. This field enables the targeting of one specific host in the filter. "host::" is stored and indexed alongside each raw event and can be used as a search term. Opening the host menu item shows the top 10 hosts that are in the search results.
Mousing over a host will cause the time graph to show a darker shade illustrating the volume of events for each time period for only that host.
Image:More searching-Picture 2.png
Image:More searching-Picture 1.png
Select any host and the search results will be filtered to show only results for the selected host.
Open the host menu again and select another host.
Open the host menu once more and select "Add filter to search". This will update the search to include host::nameofhost. The restriction of host::nameofhost will be applied to the set of search results.
Image:More searching-host2.jpg
Source is the file, network port, script, or other location where the event was accessed. The source filter menu and host menu function identically. "source::" can be searched just like "host::" can.
Image:More searching-source.jpg
A sourcetype categorizes all sources that have similar formats. For example, all apache access logs in W3C common format are given the sourcetype name "access_common". The sample data contains four distinct sourcetypes - syslog, access_common, db2 and websphere_activity. "sourcetype::" can be searched just like any of the other types.
Image:More searching-sourcetype.jpg
Additional fields can be searched on besides host, source, and sourcetype.
Execute a search for the http access logs.
index::sampledata sourcetype::access_common
Select "Fields" to open a list of fields to be able to search on.
Image:More searching-Picture 3.png
A field is a name/value pair. A field is distinguished from the free-form indexed segments seen in an event. Fields can be categorized by how and when they are processed. Two major categories are: search fields and extracted fields.
Search fields are captured in real time as events are processed by Splunk. Information on where the event came from, what type of event, source type, etc, are built into the Splunk input processor. Additional fields can be added for indexing.
Extracted fields are created at search time. Splunk picks out obvious name/value pairs in search results. This dynamic extracted field list can be used in filters and reports. Splunk can be trained to recognize additional fields and assign normalized names to the fields.
Add a filter on an extracted field. Add this filter to the search.
Image:More searching-Picture 6.png
Notice that instead of adding the field name and value to the main part of the search, Splunk adds a pipe ("|") symbol then a new filter operator. Extracted fields cannot be searched like ordinary event terms because they are not indexed -- they are extracted at search time.
sourcetype::access_common | filter method="GET"
Splunk can search for related events based on statistical analysis of term frequencies.
Selecting "related" next to an event will cause Splunk to extract search terms from the current search, and perform another search yielding the results similar to the event by using statistical analysis of the term frequencies.
Snapshots allow for search results to be saved as a "snapshot". Collections of snapshots can be added to a single snapshot collection. Steps can be retraced by reverting to an earlier snapshot.
Image:More searching-snapshot.jpg
Default behaviors of the SplunkWeb (Splunk interface) can be changed through the "Preferences" menu at the top right-hand corner of the interface. Splunk licensed with a free license will save the settings for everyone, and Splunk Enterprise will save changes per individual login accounts.
Changes general interface settings.
Allows the selection of a black background theme.
In earlier examples in the tutorial things were being added to the search by clicking, and being replaced by holding down the ctrl/cmd key while clicking. This is new to Splunk 3.0. In previous versions, selecting a filter was done by alt-ctrl-click. The click behavior preference allows the selection of either method.
These preferences change parameters for your searches and the display of results.
This will be the default time range for all searches initiated from the home page.
This is the maximum number of results that will be returned from any search unless a different maxresults:: setting is explicitly added a within the search terms. High max results may cause timeouts and may run into browser limitations.
Segment selection governs how mousing over events highlights segments within the results. Choosing "Full" will enable the mouse select from left to right on an IP address and select "192", "192.10", "192.10.20" or "192.10.20.30" to search for anything from the first quad to the full IP address. "Inner" results will come back a tiny bit faster and enable the ability to click to search for "192", "10", "20" or "30" but not "192.10.20.30". "Outer" results will be faster but limits click to search on the whole IP "192.10.20.30".
"Pyramid" is only useful for debugging. If selected, details on how Splunk segments events can be seen.
