• About Splunk
  • About Splunk
• Tutorial
  • Introduction to Splunk
    • Requirements
    • Log in
    • Index data
    • Simple searches
    • Click on results
    • Scroll through results
    • Narrow results
    • Follow a relationship
    • Chang the time range
    • Boolean searches
    • Save a search
  • Navigating search results
    • Filter on host, source, and sourcetype (search fields)
    • Showing more fields
    • Filter on extracted fields
    • Related events searching
    • Taking snapshots
    • SplunkWeb (interface) customization
  • Event types and punct::
    • What are event types?
    • What is punct::?
    • Find similar events with punct::
    • Saving event types
    • View and search for event types
    • Automated event type discovery
    • Tagging
  • Alerting
    • Save a search
    • Schedule it
    • Set alerting conditions
    • Set the alerting method
    • Permalink your saved search
    • Manage your saved searches and alerts
  • Reporting
    • Report on a field
    • Build a new report
    • Pick a different chart
    • Add it to your dashboard
  • Using search commands
    • timechart
    • stats
    • top
    • rare
    • where
    • fields
    • sort
    • Subsearches
    • diff
    • set
    • regex
  • Command line interface (CLI)
    • Examples
    • Built-in help
    • Basic commands
  • Sharing
    • Creating, tagging, and sharing eventtypes
    • Saved searches
    • SplunkBase
• Reference
  • Search syntax overview
    • Syntax definition
    • Syntax for subsearches
    • Tuning search performance
  • Search
    • Keywords
    • Wildcards *
    • Searching for "*"
    • "Quotation marks"
    • Punctuation marks
    • Booleans
    • Fields
    • Modifiers
    • Subsearches
  • Search modifiers
    • Conventions used in this reference
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hosttag
    • hoursago
    • index
    • maxresults
    • minutesago
    • monthsago
    • readlevel
    • readlimit
    • related
    • savedsearch
    • searchtimespanminutes
    • searchtimespanhours
    • searchtimespandays
    • searchtimespanmonths
    • startminutesago
    • starthoursago
    • startdaysago
    • startmonthsago
    • timeformat
  • Core search fields
    • host
    • source
    • sourcetype
  • Search fields
    • _raw
    • _serial
    • _time
    • date_hour
    • date_minute
    • date_month
    • date_mday
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • eventtypetag
    • endtime
    • endtimeu
    • linecount
    • punct
    • starttime
    • starttimeu
    • timestamp::none
    • user
  • Search commands
    • Conventions used in the search reference
    • The run command
    • The admin command

Introduction to Splunk

See a few simple searches in action.

Requirements

• A supported browser (See system requirements and release notes).
• A copy of Splunk:
  • On an individual machine, or elsewhere in the organization. (Download and install.)
  • On Splunk hosted demo servers.

Log in

Splunk does not require a login when using a Free license. An Enterprise license requires a login:

• For an individual server, the default Splunk username is admin and password is changeme.
• For the Splunk hosted demo server, the username and password are guest and guest.

Index data

Splunk comes with pre-indexed sample data. For help indexing your own data, see the data inputs section of the Admin Manual.

Simple searches

To start, enter your search in the search box at the top of the page.

Important: Throughout this tutorial sample data will be used (in an index called "sampledata"). This index can be searched instead of the main index by including "index::sampledata" in the search criteria.

Start by searching for all the data in the sampledata index. Type the following into the search box.

index::sampledata

The results include a timeline that shows exactly when matching results occurred. If there are no results, change the time range from last 24 hours to last 7 days.

Now, try this simple search:

index::sampledata http 500

This shows HTTP requests resulting in an internal server error. Notice that there's a typeahead list to help guide you.

Searches are typically case-insensitive. Exceptions are noted through this tutorial

Click on results

Click on results to add or remove search terms. For example, click on "500" in one of the search results. Splunk highlights and updates the search to remove "500" as a term -- so now your search results include all http events. This works both ways. Click on "500" again to add it back to the search string.

Scroll through results

Search for:

index::sampledata http

Scroll through the results list. Splunk displays more and more results. The red line in the timeline indicates where you are in time.

Narrow results

Narrow your search results by refining your search. Here are a few tips.

• Alt-click on "200" in any search result (option-click for Mac, shift-click for some popular *nix windows managers).

Your search has now been updated with "NOT 200". Splunk supports other Boolean operators too.

Follow a relationship

• Ctrl-click on an IP address (cmd-click on a Mac).
• Check "wrap results" to turn on line-wrapping for the long single line events that result from searches.

Your search has been replaced with the IP address. This is an effective way to follow relationships between events.

Chang the time range

If you are using the sample data with the out of the box settings, the timeline shows a cluster of events in a single hour over the last 24 hours.

Click on the bar in the timeline showing the cluster of data, then click Zoom in. Any bar in the timeline can also be clicked to zoom in.

Zoom in until there is a narrow enough time range to see only a few bars of data.

Shift-click or drag your mouse across all of the bars and zoom in further.

The timeline should now span several minutes, with one bar equal to one second.

You can also change the time range by using the drop-down located near the upper left of the graph area.

Choose custom to specify a start and end time.

Note: Your Splunk instance will perform faster if you narrow the time range of your search. Searching over all time may result in slow search performance.

Boolean searches

Enter the search:

index::sampledata http AND 500

Your results will be the same as the previous example search. Splunk implicitly inserts an AND between terms, similar to Google and other search engines. Splunk supports the booleans: AND, OR, and NOT (must be capitalized).

Note: There should be three results. If your search produces no results, the time range may still be set from the previous example search. Zoom out, clear the time range or reset it using the time range drop-down menu.

index::sampledata http NOT 500

index::sampledata http NOT (500 OR 503)

Splunk is able to group Boolean expressions using parentheses.

Save a search

To save any search, click on the down arrow to the left of the search box and select Save search... from the menu.

Once you save a search, reuse it by typing savedsearch::nameyougaveyoursearch into the search box, or select it from the Saved searches menu next to the search box. Search names are case-sensitive.