• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs
    • Access Data Inputs page
    • Add files and directories
    • Add FIFO queues
    • Add network ports
    • Run crawl searches
  • Use crawl
    • Run a crawl
    • Save a crawl
  • Use Live Tail
    • Use Live Tail in Splunk Web
    • The Live Tail interface
    • Start Live Tail from the Splunk CLI
    • Current limitations
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via Splunk's CLI
  • Delete an index
• Search
  • Search
    • Generate search results
    • Construct searches
    • Form searches
    • Macro searches
    • Transaction searches
    • Live Tail
    • Asynchronous searches
    • CLI searches
    • Schedule and save searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transaction search
    • Useful transactions
    • The transaction command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
• Tag
  • Use tagging
    • Tag fields
    • Tag hosts or sources
    • Tag event types
    • Search for tags
    • Configure tags
    • Configure roles for tagging
• Report
  • Report
    • Report on results
    • Report on fields
    • Report with reporting commands
    • Pick different charts
    • Add a report to your dashboard
    • Summary indexing
  • Report gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Firewall (or connection) activity
    • Email activity or email transactions
  • Summary indexing
    • How summary indexing works
    • How to configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and alert options
    • Save a search
    • Schedule the search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • Use the Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start Live Tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • The maxresults search parameter
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
    • Modifiers
    • Fields
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • crawl
    • file
    • savedsearch
    • search
  • Filtering and re-ordering commands
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluating commands
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • addinfo
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq
• CLI command reference
  • Command Line Interface (CLI) commands
    • Syntax
    • Command list

Search results

Splunk allows you to navigate search results by following links and using interactive field filters. Filtering is an efficient method to organize the results of a search.

Events and fields

Your search results appear below the timeline as a list of events ordered by timestamp. A field is a name/value pair distinguished from the free-form indexed segments that you see in an event.

You can add and remove field filters, extract new fields from the results, and tag fields to group results.

Filter on fields

Search for all the sampledata index events:

Splunk includes three default filters in your search results: host, source, and sourcetype. These interactive field filters are drop-down menus located below the timeline.

Each field's filter menu lists (up to) 10 values, ordered by the frequency at which they occur in the search results.

Host

The host field, which lists the originating hosts of events, lets you target one specific host in the filter. The host field is stored and indexed with each raw event.

Click on the host menu.

From the list, select the first host value, http2. The search results filter to show only results for the selected host.

Let's look at another host value and add it to our search:

• To remove the first host filter, click Clear filter. The search results revert to your previous search.
• Select the next host value from the menu.
• To add this filter to your search string, click Add filter to search.

The search bar and search results update to include the host value restriction you applied, http1:

Source

The source field lists the location where an event is accessed; a file, network port, script, etc.

Sourcetype

The sourcetype field characterizes all sources that have similar formats. For example, all Apache access logs in W3C common format have the sourcetype value access_common. The sample data contains four distinct sourcetypes - syslog, access_common, db2 and websphere_activity.

Show more fields

You can include many more field filters in addition to host, source, and sourcetype, in your searches. The fields are listed in the Fields... drop-down menu.

Search for all the sampledata index events:

Let's add a couple more field filters to our search:

• To display the list of field filters, click the Fields... menu.
• Scroll through the list.
• Check eventtype and punct.
• Click Apply.

The interactive field filters list updates to include eventtype and punct menus. You can use these field filters exactly the same way you used host.

To remove a field filter menu:

• Click the Fields.. menu.
• Uncheck the fields you want to remove.
• Click Apply.

The eventtype and punct fields are discussed further in Event types.

Define custom fields

Splunk lets you interactively define and extract fields from your search results. Let's define a field to extract the IP addresses from our search for all events in sampledata.

You may need to scroll through the results or use the timeline to find events that contain an IP address.

Below the timestamp of every event is a drop-down menu. Click the down-arrow and select Extract field.

The Extract fields window opens.

Notice the panel at the top of this window:

• Sample Event lists the event that you selected from the search results.
• Example Value(s) provides a textarea for you to define the field value.

To define the IP address field for extraction:

• Highlight the IP address from your sample event. Copy and paste (or type) it into the Example Value(s) textarea.
• Click Preview.

In the Rules panel:

• Select a field to restrict your search (either host, source, or sourcetype),
• Splunk generates the regex rules to define your field.
• Splunk provides a preview of values it has extracted from your results.

Splunk also provides a preview of other events that contain your custom field. Use this Preview panel to validate the results of your field definition.

To save your custom field definition, click Save. The Save FIeld Definition dialog box opens.

• Name the field "ipaddress".
• Click Save.

Now, your custom field (ipaddress) is listed in the Fields menu. You can activate and apply your field filter in exactly the same way you used host.

Tag fields

You can tag fields to group together results that share field values. Use tagging to attach a name, or tag, to a group of results that share the same value of a field, event type, host, or source. You can apply as many tags as you want to a single field, event type, host, or source. A tag cannot contain spaces.

• To access the tagging dialog, click Tag field name in the drop-down menu of any field in your search results.
• To apply a tag to the field you selected, type a tag name into the Tags field.
• To apply multiple tags, enter a space-delimited list of tag names in the Tags field.

Note: Tags that you create for a field are displayed in italics next to that field name in your search results.

Collect snapshots

Splunk allows you to save your results in a "Snapshot Container" that houses your collection. Each snapshot includes an image of the time graph and your search string.

You can add and remove snapshots from your collection. However, after adding a snapshot, you cannot modify the time graph within the container.

If you want to modify a snapshot in your collection:

• In the Snapshot Container, click Restore search.
• Modify your graph.
• Click Snapshot.

Your modified graph has been added to your snapshot collection.