This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10
Now you've got all that data in your system...what do you want to do with it? Start by using Splunk's powerful search functionality to look for anything, not just a handful of predetermined fields. Combine time and term searches. Find errors across every tier of your IT infrastructure and track down configuration changes in the seconds before a system failure occurs.
Splunk identifies fields from your records as you search, providing flexibility unparalleled by solutions that require setup of rigid field mapping rulesets ahead of time. Even if your system contains terabytes of data, Splunk enables you to search across it with precision.
In this chapter, you will:
Note: If you want to just jump right in and start searching, see the Search command cheat sheet for a quick reference complete with descriptions and examples.
When you search in Splunk, you're matching search terms against segments of your event data. We generally use the phrase event data to refer to your data after it has been added to Splunk's index. An event is a single record of activity, one instance of this event data. For example, an event might be a single log entry in a log file. Because Splunk breaks out individual events by their time information, an event is distinguished from other events by its timestamp.
Here's a sample event:
172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953
Events contain pairs of information, or fields. When you add data and it gets indexed, Splunk automatically extracts some useful fields for you, such as the host the event came from and the type of data source it is.
You can use field names (sometimes called attributes or keys) and field values to narrow your search for specific event data. For more information about fields, see the Work with fields chapter in the Knowledge Manager manual, beginning with the "About fields" topic.
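As an added illustration (not part of the Splunk documentation), the following Python script breaks the sample event above into field/value pairs the way this section describes, attaches a parsed timestamp and default fields such as host and sourcetype, and then runs a combined term-and-field search over a few constructed events. The host and sourcetype values, the extra events, and the search function are assumptions for the example and are not Splunk's own code.

```python
import re
from datetime import datetime

# Constructed sample events in Apache common log format. The first is the
# line from this page; the others are made up so the search has something to filter.
RAW_EVENTS = [
    '172.26.34.223 - - [01/Jul/2005:12:05:27 -0700] "GET /trade/app?action=logout HTTP/1.1" 200 2953',
    '172.26.34.223 - - [01/Jul/2005:12:05:31 -0700] "GET /trade/app?action=login HTTP/1.1" 200 1811',
    '10.1.1.5 - - [01/Jul/2005:12:06:02 -0700] "POST /trade/app?action=buy HTTP/1.1" 500 412',
]

CLF_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def extract_fields(raw, host="web01", sourcetype="access_common"):
    """Split one raw event into field/value pairs, roughly as Splunk does at
    index time: a parsed timestamp plus default fields such as host and
    sourcetype (the host and sourcetype values here are assumed for the example)."""
    m = CLF_RE.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["_time"] = datetime.strptime(fields.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    fields["status"] = int(fields["status"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    fields["host"] = host
    fields["sourcetype"] = sourcetype
    fields["_raw"] = raw
    return fields

def search(events, *terms, **field_filters):
    """Return events containing every free-text term (case-insensitive match
    against _raw) and satisfying every field=value filter, mirroring a search
    such as 'logout status=200' typed into Splunk Web."""
    hits = []
    for ev in events:
        if all(t.lower() in ev["_raw"].lower() for t in terms) and \
           all(str(ev.get(k)) == str(v) for k, v in field_filters.items()):
            hits.append(ev)
    return hits

EVENTS = [f for f in map(extract_fields, RAW_EVENTS) if f]

if __name__ == "__main__":
    for ev in search(EVENTS, "logout", status=200):
        print(ev["_time"].isoformat(), ev["clientip"], ev["uri"])
```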
As you search, you may begin to recognize patterns and identify more information that could be useful as searchable fields. You can configure Splunk to recognize these new fields as you index new data or you can create new fields as you search. Whatever you learn, you can use, add, and edit this knowledge about fields, events, and transactions to your event data. This capturing of knowledge helps you to construct more efficient searches and build more detailed reports.
For more information about capturing knowledge from your event data and adding information from external sources, see the "Capture knowledge" chapter in this manual.
This chapter discusses search using Splunk Web. You can also execute searches on your Splunk server using the command line interface (CLI). For more information, you can read About the CLI and Get help with the CLI in the Admin manual.