• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for extracted fields associated with tags
    • Configure tags
    • Configure roles for tagging
  • Tag field values (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
    • Methodologies for host and event type tag management
  • Manage tags with tagcreate and tagdelete
    • Create tags with tagcreate
    • Disable tags with tagdelete
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Choose different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule a search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • About Splunk's CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Examples of CLI search
    • Dispatched searches
    • CLI search parameters
  • CLI commands
    • Syntax
    • Command list
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
  • Search cheatsheet
    • Add fields
    • Convert fields
    • Filter and order fields
    • Filter results
    • Order results
    • Group results
    • Classify events
    • Change display formatting
    • Generate data
    • Report
    • Administrative
    • Subsearch
• Field reference
  • About fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • List of default fields
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extract
    • addinfo
    • extract (kv)
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • inputcsv
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tagcreate
    • tagdelete
    • tags
    • tagset
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq

Simple searches

See a few simple searches in action. This section introduces keyword searches and how to narrow your search with Boolean logic and using the timeline. Before you begin, you can watch Splunk's developer video about search; it demonstrates how to search with a just a few words and clicks of the mouse.

Index data

Splunk comes with pre-indexed sample data, called sampledata, which we will use throughout this tutorial. You can search the index that has the sample data in it instead of the main index by including index=sampledata in the search criteria.

For help indexing your own data, see the data inputs section of the Admin Manual.

Search

To start, enter your search in the search bar at the top of the page. To search for all the data in the sampledata index, type the following into the search bar:

The timeline should show bars indicating when matching results occurred. If there are no results displayed, change the time range until you see results.

Now, lets search for HTTP requests that resulted in an internal server error (code 500). Type this simple search:

Narrow your search

You can use arguments in the search command to narrow your search. Add Boolean logic between terms and modifiers, use logical comparison operators for field values, or use search modifiers. You can also use the timeline to zoom in on particular events. This section discusses two ways to apply Boolean modifiers to your search. We'll discuss using the timeline to narrow your results later.

Read Search results for more ways to manipulate search results.

Search with Booleans

Splunk supports the Boolean operators: AND, OR, and NOT (must be capitalized).

Enter the search:

Your results should match the previous example search. Similar to Google and other search engines, Splunk implicitly inserts an AND between terms by default.

Note: If your search produces no results, try zooming out, clearing the time range, or resetting the time range using the drop-down menu.

Search for all HTTP requests that do not contain error code 500:

Search for all sampledata events of sourcetype access_common or syslog.

Note: Splunk uses parentheses to group Boolean expressions.

Click on results

As you scroll through your results and mouse over sections of each event, you'll notice the sections are highlighted. You can highlight and click items in the results to add and remove terms in your search string.

Search for:

Scroll through the list of results. Click on "500" in one of the search results.

Notice that Splunk highlights and updates the search to add "500" as a term (in the search bar). This is a shortcut for applying the "AND" operator to your search.

Click on another instance of "500". Splunk removes the term from your search string and your search results include all HTTP results again:

Now, alt-click on "200" in any search result (option-click for Mac, alt-shift-click for some popular *nix windows managers).

Splunk now updates your search with "NOT 200"; This is a shortcut for applying the "NOT" operator.

Follow a relationship

While you scroll through the list of results, you may find interesting events. For example, if you want to look only at activity on one particular IP address:

• click on an IP address (option-click on a Mac).
• Check Wrap results to turn on line-wrapping for the long single line events that result from searches.

Now, your results are a chronological list of events that occurred on this IP address. You can use this to trace a sequence on events. This is an effective way to follow relationships between events.

Use the timeline

The timeline shows bars and a red line (or flag). The bars indicate the volume of search results and when they occur along the span of your time range.

You can change the time range with the drop-down menu:

• Choose Custom.
• Specify a start and end time.

You can also customize the time range by clicking on any bar in the timeline and zooming in on a particular cluster of events:

• Set the time range to "Last month".
• Execute the search for all sampledata.

Notice that each bar is equivalent to one day of data.

• Click on the bar in the timeline showing the cluster of data.
• Click Zoom in.
• Repeat the last two actions to narrow the time range until you see a few more bars in the cluster of data.

Notice that each bar is equivalent to one minute of data.

• Shift-click or drag your mouse across all of the bars and zoom in further.

Note: The red flag marks the location of the results you are currently viewing along the timeline. As you scroll through your search results, the red flag shifts to follow.

The timeline now spans several minutes, with one bar equal to one second.

Note: Your Splunk instance will perform faster if you narrow the time range of your search. Searching over all time may result in slow search performance.