• About Splunk
  • About Splunk
• Tutorial
  • Introduction to Splunk
    • Requirements
    • Log in
    • Index data
    • Simple searches
    • Click on results
    • Scroll through results
    • Narrow results
    • Follow a relationship
    • Chang the time range
    • Boolean searches
    • Save a search
  • Navigating search results
    • Filter on host, source, and sourcetype (search fields)
    • Showing more fields
    • Filter on extracted fields
    • Taking snapshots
    • Customize SplunkWeb
  • Event types and punct::
    • What are event types?
    • What is punct::?
    • Find similar events with punct::
    • Saving event types
    • View and search for event types
    • Automated event type discovery
    • Tagging
  • Alerting
    • Save a search
    • Schedule it
    • Set alerting conditions
    • Set the alerting method
    • Permalink your saved search
    • Manage your saved searches and alerts
  • Reporting
    • Report on a field
    • Build a new report
    • Pick a different chart
    • Add it to your dashboard
  • Using search commands
    • timechart
    • stats
    • top
    • rare
    • where
    • fields
    • sort
    • Subsearches
    • diff
    • set
    • regex
  • Command line interface (CLI)
    • Examples
    • Built-in help
    • Basic commands
  • Sharing
    • Creating, tagging, and sharing eventtypes
    • Saved searches
    • SplunkBase
• Reference
  • Search syntax overview
    • Syntax definition
    • Syntax for subsearches
    • Tuning search performance
  • Search
    • Keywords
    • Wildcards *
    • Searching for "*"
    • "Quotation marks"
    • Punctuation marks
    • Booleans
    • Fields
    • Modifiers
    • Subsearches
  • Search modifiers
    • Conventions used in this reference
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hosttag
    • hoursago
    • index
    • maxresults
    • minutesago
    • monthsago
    • readlevel
    • readlimit
    • related
    • savedsearch
    • searchtimespanminutes
    • searchtimespanhours
    • searchtimespandays
    • searchtimespanmonths
    • startminutesago
    • starthoursago
    • startdaysago
    • startmonthsago
    • timeformat
  • Core search fields
    • host
    • source
    • sourcetype
  • Search fields
    • _raw
    • _serial
    • _time
    • date_hour
    • date_minute
    • date_month
    • date_mday
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • eventtypetag
    • endtime
    • endtimeu
    • linecount
    • punct
    • starttime
    • starttimeu
    • timestamp::none
    • user
• Search command reference
  • Search commands
    • Conventions used in the search reference
    • The run command
    • The admin command
  • Data-generating commands
    • file
    • remote
    • savedsearch
    • search
  • Saving commands
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • sendemail
  • Filtering and re-ordering commands
    • page
    • regex
    • set
    • sort
    • uniq
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • contingency
    • correlate
    • diff
    • format
    • rare
    • select
    • stats
    • timechart
    • top
    • xmlunescape
  • Evaluating commands
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • multikv
    • xmlkv

Navigating search results

Navigating search results by following links and using interactive filters is a major component of the Splunk. Filtering is an efficient method to organize the results of a search. The following sections illustrate some of the navigation features of SplunkWeb.

Run a search for all of the sampledata index events.

index::sampledata

Filter on host, source, and sourcetype (search fields)

There are a number of menus below the time graph in SplunkWeb. These are interactive field filters. By default host, source, and sourcetype are shown.

Host

Host shows the originating host of the event. This field enables the targeting of one specific host in the filter. "host::" is stored and indexed alongside each raw event and can be used as a search term. Opening the host menu item shows the top 10 hosts that are in the search results.

Mousing over a host will cause the time graph to show a darker shade illustrating the volume of events for each time period for only that host.

Select any host and the search results will be filtered to show only results for the selected host.

Open the host menu again and select another host.

Open the host menu once more and select "Add filter to search". This will update the search to include host::nameofhost. The restriction of host::nameofhost will be applied to the set of search results.

Source

A source is a file, network port, script, or other location where an event is accessed. The source filter menu and host menu function identically. "source::" can be searched just like "host::" can.

Sourcetype

A sourcetype categorizes all sources that have similar formats. For example, all apache access logs in W3C common format are given the sourcetype name "access_common". The sample data contains four distinct sourcetypes - syslog, access_common, db2 and websphere_activity. "sourcetype::" can be searched just like any of the other types.

Showing more fields

Additional fields can be searched on besides host, source, and sourcetype.

Execute a search for the http access logs.

index::sampledata sourcetype::access_common

Select "Fields" to open a list of fields to be able to search on.

Search fields vs extracted fields

A field is a name/value pair. A field is distinguished from the free-form indexed segments seen in an event. Fields can be categorized by how and when they are processed. Two major categories are: search fields and extracted fields.

Search fields are captured in real time as events are indexed by Splunk. Information on where the event came from, what type of event, source type, etc, are built into the Splunk input processor. Additional fields can be added for indexing.

Extracted fields are created at search time. Splunk picks out obvious key/value pairs in search results. This dynamic extracted field list can be used in filters and reports. Splunk can be trained to recognize additional fields and assign normalized names to the fields.

Filter on extracted fields

Add a filter on an extracted field by using the where command.

Notice that instead of adding the field name and value to the main part of the search, Splunk adds a pipe ("|") symbol then the where command. Extracted fields cannot be searched like ordinary event terms because they are not indexed -- they are extracted at search time.

sourcetype::access_common | where method="GET"

Taking snapshots

Snapshots allow for search results to be saved as a "snapshot". Collections of snapshots can be added to a single snapshot collection. Steps can be retraced by reverting to an earlier snapshot.

Customize SplunkWeb

Default behaviors of SplunkWeb are changed in the "Preferences" menu at the top right-hand corner of the interface. Splunk licensed with a free license will save the settings for everyone, and Splunk with an Enterprise license will save changes per individual login accounts.

General preferences

Allows you to change general interface settings.

Theme

Allows you to select a black background theme.

Click behavior

In earlier examples in the tutorial things were being added to the search by clicking, and being replaced by holding down the ctrl/cmd key while clicking. This is new to Splunk 3.0 and above. In previous versions, selecting a filter was done by alt-ctrl-click. The click behavior preference allows the selection of either method.

Search preferences

Allow you to change parameters for your searches and the display of results.

Default time range

This will be the default time range for all searches initiated from the home page.

Maximum results per search

This is the maximum number of results that will be returned from any search unless you apply a maxresults:: modifier in your search.

Note: Searching a high number of max results may cause timeouts and may cause your browser to hang.

Segment selection

Segmentation governs how mousing over results will highlight segments within the search result list. There are different types of segmentation:

• "Full" will enable the mouse select from left to right on an IP address and select "192", "192.10", "192.10.20" or "192.10.20.30" to search for anything from the first quad to the full IP address.
• "Inner" results will come back a tiny bit faster and enable the ability to click to search for "192", "10", "20" or "30" but not "192.10.20.30".
• "Outer" results will be faster but limits click to search on the whole IP "192.10.20.30".
• "Pyramid" is only useful for debugging. If selected, details on how Splunk segments events can be seen.