Search results
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13
Contents
Search results
Splunk allows you to navigate search results by following links and using interactive field filters. Filtering is an efficient method to organize the results of a search.
Events and fields
Your search results appear below the timeline as a list of events ordered by timestamp. A field is a name/value pair distinguished from the free-form indexed segments that you see in an event.
You can add and remove field filters, extract new fields from the results, and tag fields to group results.
Filter on fields
Search for all the sampledata index events:
index=sampledata
Splunk includes three default filters in your search results: host, source, and sourcetype. These interactive field filters are drop-down menus located below the timeline.
Each field's filter menu lists (up to) 10 values, ordered by the frequency at which they occur in the search results.
Host
The host field, which lists the originating hosts of events, lets you target one specific host in the filter. The host field is stored and indexed with each raw event.
1. Click on the host menu.
2. From the list, select the first host value, http2.
The search results filter to show only results for the selected host. Note that this does not add the filter to your search; instead, it shows you a preview of your results. If these aren't the results you want, you can remove this filter and revert to your earlier search.
3. To remove the first host filter, click Clear filter.
The search results revert to your previous search.
4. Select the next host value from the menu.
5. To add this filter to your search string, click Add filter to search.
The search bar and search results update to include the host value restriction you applied, http1:
index=sampledata host=http1
Source
The source field lists the location where an event is accessed; a file, network port, script, etc.
Source type
The sourcetype field characterizes all sources that have similar formats. For example, all Apache access logs in W3C common format have the sourcetype value access_common. The sample data contains four distinct sourcetypes - syslog, access_common, db2 and websphere_activity.
Show more fields
You can include many more field filters in addition to host, source, and sourcetype, in your searches. The fields are listed in the Fields... drop-down menu.
Search for all the sampledata index events:
index=sampledataLet's add a couple more field filters to our search:
1. To display the list of field filters, click the Fields... menu.
2. Scroll through the list.
3. Check eventtype and punct.
4. Click Apply.
The interactive field filters list updates to include eventtype and punct menus. You can use these field filters exactly the same way you used host.
To remove a field filter menu:
1. Click the Fields.. menu.
2. Uncheck the fields you want to remove.
3. Click Apply.
The eventtype and punct fields are discussed further in Event types.
Define custom fields
Splunk lets you interactively define and extract fields from your search results. Let's define a field to extract the IP addresses from our search for all events in sampledata.
index=sampledataYou may need to scroll through the results or use the timeline to find events that contain an IP address.
Below the timestamp of every event is a drop-down menu. Click the down-arrow and select Extract field.
The Extract fields window opens.
Notice the panel at the top of this window:
- Sample Event lists the event that you selected from the search results.
- Example Value(s) provides a textarea for you to define the field value.
To define the IP address field for extraction: 1. Highlight the IP address from your sample event. Copy and paste (or type) it into the Example Value(s) textarea.
2. Click Preview.
3. In the Rules panel:
- Select a field to restrict your search (either
host,source, orsourcetype), - Splunk generates the regex rules to define your field.
- Splunk provides a preview of values it has extracted from your results.
Splunk also provides a preview of other events that contain your custom field. Use this Preview panel to validate the results of your field definition.
4. To save your custom field definition, click Save.
The Save FIeld Definition dialog box opens.
2. Under Name, enter a name for the field. Type in "ipaddress".
3. Click Save.
Now, your custom field (ipaddress) is listed in the Fields menu. You can activate and apply your field filter in exactly the same way you used host.
Tag fields
You can tag fields to group together results that share field values. Use tagging to attach a name, or tag, to a group of results that share the same value of a field, event type, host, or source. You can apply as many tags as you want to a single field, event type, host, or source. A tag cannot contain spaces.
- To access the tagging dialog, click Tag field name in the drop-down menu of any field in your search results.
- To apply a tag to the field you selected, type a tag name into the Tags field.
- To apply multiple tags, enter a space-delimited list of tag names in the Tags field.
Note: Tags that you create for a field are displayed in italics next to that field name in your search results.
Collect snapshots
Splunk allows you to save your results in a "Snapshot Container" that houses your collection. Each snapshot includes an image of the time graph and your search string.
You can add and remove snapshots from your collection. However, after adding a snapshot, you cannot modify the time graph within the container.
If you want to modify a snapshot in your collection:
1. In the Snapshot Container, click Restore search.
2. Modify your graph.
3. Click Snapshot.
Your modified graph has been added to your snapshot collection.