• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for extracted fields associated with tags
    • Configure tags
    • Configure roles for tagging
  • Tag field values (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
    • Methodologies for host and event type tag management
  • Manage tags with tagcreate and tagdelete
    • Create tags with tagcreate
    • Disable tags with tagdelete
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Choose different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule a search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • About Splunk's CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Examples of CLI search
    • Dispatched searches
    • CLI search parameters
  • CLI commands
    • Syntax
    • Command list
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
  • Search cheatsheet
    • Add fields
    • Convert fields
    • Filter and order fields
    • Filter results
    • Order results
    • Group results
    • Classify events
    • Change display formatting
    • Generate data
    • Report
    • Administrative
    • Subsearch
• Field reference
  • About fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • List of default fields
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extract
    • addinfo
    • extract (kv)
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • inputcsv
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tagcreate
    • tagdelete
    • tags
    • tagset
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq

About Splunk Web

Splunk Web is Splunk's dynamic and interactive graphical user interface. It runs off of the splunkweb process, which is a Python-based application server. Use Splunk Web to search your IT data and manage your Splunk deployment. Access Splunk Web via a Web browser. Refer to the system requirements for our list of supported operating systems and browsers.

Splunk Web contains the search bar, dashboards, and configuration pages. You can run a custom search from any of the dashboards. Access the Preferences panel and the Admin pages with links on the top right corner of the dashboards, above the search bar. Access different dashboards from a drop-down menu located under the search bar and on the right.

Dashboards

Dashboards are customizable pages in Splunk Web. You can add and remove components to and from each dashboard. These components may be lists of all indexed data, snapshots of different saved searches, or a list of saved searches.

Splunk ships with three default dashboards: getting started, main, and admin.

Getting started dashboard

The getting started dashboard is the default landing page for Splunk Web. It provides information and links to help new users learn how to use Splunk. There are many upcoming changes to the getting started dashboard.

In 3.3, the buttons for indexing data take you to the index manager:

• Clicking Index Files redirects you to the Admin > Data Inputs: Files & Directories: New Input page. You can enter Source, Host, and Source Type information to define local or remote files and directories to index.
• Clicking Index More Data redirects you to the Admin > Data Inputs: All page. You can select the type data to configure and add to your inputs.

Read more about the index manager and adding inputs.

Main dashboard

The main dashboard provides default modules, which include:

• Lists of all indexed data, sorted by Sources, Sourcetypes, and Hosts.
• A timeline of errors in the last hour.
• A list of saved searches.

Admin dashboard

The admin dashboard provides charts that report information a Splunk administrator may find useful:

• Messages by minute in the last 3 hours.
• The volume of data (KB/hr) over the last 24 hours.
• The number of Splunk errors over the last 24 hours.
• The daily indexing volume by server.

Custom dashboard

Instead of editing the default dashboards, we recommend creating a new dashboard to customize.

• From the dashboard drop-down menu, select create new dashboard... to name your new dashboard and add it to Splunk Web.
• Use the Edit options, located next to the drop-down menu, to select the saved searches or reports you want to add to a dashboard.
• Use the Delete option, located next to the drop-down menu, to remove one or more dashboard from Splunk Web.

You can customize the layout of your dashboard by editing prefs.conf. Refer to the Developer Manual for Customized Dashboard examples.

Preferences

Use the Preferences panel to configure Splunk Web's default search properties and general appearance and behavior. For more information, read Change Splunk Web preferences.

Search

Use the Search preferences tab to define:

• The default time range; You can always change the timerange from the dashboard.
• A maximum limit for the number of events Splunk indexes when you search.
• How Splunk Web handles segmentation.

Note: Splunk Web's segmentation setting affects how the browser interacts with Splunk and may speed up the display of search results. This setting should not be confused with indexing segmentation.

General

Use the General preferences tab to define:

• A default theme for Splunk Web. If you want to customize Splunk Web's appearance, refer to the Developer manual.
• Click behavior. You can click on sections of your search results to add or replace terms in your search. "Click behavior" configures either ctrl or ctrl-click to add and replace when narrowing your search.

Admin pages

In 3.3, when you click on the Admin link, to the top right of the page, the Server settings page opens. Instead of navigating a tabbed menu layout, you now access the Admin pages from a list located on the left side of the page. Click on the top-level section names to view the pages included in that section. You have access to the same pages as before (Server, Data Inputs, Distributed, Users, Saved Searches, and License & Usage) with the addition of Indexes and Applications.

Server

Use the Admin > Server pages to view and change server settings, restart the Splunk server, and change and reload Splunk's authentication method. Read more About Splunk server's settings and changing Splunk server's settings.

Data Inputs

Use the Admin > Data Inputs pages to add new and edit existing inputs in Splunk Web. You can view and manage all of your files and directories, FIFO queues, network ports, and crawls from this page. Read more About Inputs and using the Data Inputs page to add inputs.

Indexes

Use the Admin > Indexes pages to view a list of your indexes, edit individual index properties, and add new indexes. Read more About Indexes.

Applications

Use the Admin > Applications pages to manage existing applications and browse SplunkBase for new applications to install. Read more About Applications.

Distributed

Use the Admin > Distributed pages to view your network topology and configure search distribution, data forwarding, and data receiving between multiple Splunk instances. Read more About Data Distribution.

Note: You can only set up forwarding from this page if you are running Splunk with a Free license. To configure distributed search and data receiving, you must have an Enterprise license.

Users

Use the Admin > Users page to view a list of users and their search history, edit each user's properties, and add new users. Read more about Users and User Roles.

Note: You cannot access this page if you are running Splunk with a Free license; you must have an Enterprise license to modify user's properties.

Saved Searches

Use the Admin > Saved Searches page to view a list of your saved searches and edit their properties, create new searches, or delete existing searches. Read more about Managing saved searches.

License & Usage

Use the Admin > Licenses & Usage pages to view view your current license and replace it with a new one. This page displays the type of license you're running, the maximum indexing volume allowed, and when the license expires. This page also provides some useful statistics, such as: number of days before you need to renew, the peak usage in GB/day, and peak percentage. Read more About Licenses.