Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.
Splunk User Manual (Splunk v2.0)
Reference Chapters
Home Page Controls
The home page contains the controls listed below.
My Account (Splunk Professional)
Click here to go to the Admin page to edit your own account.
Log Out
This one is probably self-explanatory.
Help
Connect to Splunk's live documentation at www.splunk.com
Admin
This link opens a tabbed page to manage accounts and see statistics.
Splunk Watch (or Splunk Professional Watch)
A status and statistics panel with tables of sources, events, terms, and data volume indexed by the server, plus current processes running.
Splunks
The list of Saved Splunks for the server (Splunk Server), or Saved Splunks and Live Splunks for your account (Splunk Professional). This is where you create and edit Live Splunks. See the how-to section on Saved Splunks and Live Splunks for instructions.
Users (Splunk Professional)
A control panel through which admins can add, delete, or edit user accounts.
License (Splunk Professional)
License key information for the server. You can click to renew a license that has expired or will expire soon.
Splunk Box
The text entry area for search terms. See the Search Command Syntax for full specs.
Search button
Click this button to submit the contents of the Splunk box as a search.
Saved Splunks
This is your list of Saved Splunks (and for Splunk Professional users, Live Splunks) that you've created and saved, or that your administrator has saved for all users.
Save Splunk As...
Pops up a dialog so you can give your current search terms a name and add it to your Saved Splunks list.
Manage My Splunks
Opens the Admin page to the Splunks tab.
Set/Clear Timerange
If you click the clock icon in the search box, you'll find input boxes for start and end times for your search. You can adjust them with your mouse, your keyboard's arrow keys, by clicking on an event's timestamp, or by typing explicit values into them. Click one of the calendar icons to pop up an interactive calendar.
Look for the menu buttons next to START and END. These let you clear the setting or quickly select from a list of popular time settings such as 1 hour ago.
Splunks
Pops up a menu of options for saving or manipulating your current search.
Save...
Identical to the option on the Saved Splunks menu, it pops up a dialog to let you name your current set of search terms and add it to your list of Saved Splunks.
Pops up a dialog to save your current search results to a file.
Export...
Pops up a dialog that lets you open your current results in an editor or save them to your computer desktop as a file. The default filename will contain identifying terms from the search in it, e.g. splunk_access.2.log_get_xjjk_.log. Subsequent saves will have -1, -2, etc. appended to their filenames rather than overwriting existing files.
Permalink
Replaces the URL in your browser's URL window with a long, specific URL that recreates your exact search settings. You can bookmark the URL or send it to another user.
Turn Word Wrap Off/On
If your results include multi-line events with columnar data, their format may be disrupted by HTML formatting to fit your browser window. Click this link to display events without wrapping.
Index Menu (index::)
Lets you select the Splunk index to search. The free Splunk Server is limited to the three created at installation time—main, history and _internal. Splunk Professional allows an unlimited number of user indexes. See the Splunk Admin Manual section on Creating Additional Indexes for instructions to create and manage indexes.
This option corresponds to the index:: modifier in the Splunk box.
default
The main index of your data.
history
A complete list of past Splunks by all users of the server.
_internal
The Splunk Server's own logs.
Sources Indexed
A table of data about the currently selected index.
Source Types
Source types are metadata Splunk sets on individual sources—input files or streams—to identify the class of data in them. The Splunk Server and Splunk Professional are trained to recognize about forty common source types such as apache_access, linux_syslog_message, and weblogic_stdout. If Splunk loads events from a source but doesn't recognize the source type as one it knows, it sets the sourcetype parameter for those events to either too_small or a value such as UNKNOWN-1578458965, with a unique 10-digit number.
too_small
Splunk sets the sourcetype too_small on files without enough events (typically < 100) for it to definitively determine a value.
UNKNOWN-2569854367
If Splunk has gathered enough events from one source to uniquely identify its type but can't match it to a known source type, it assigns a serial 10-digit number as the sourcetype value. (The number is a hash value with no particular meaning.)
You can edit the value to anything you want by clicking the menu button next to the sourcetype:: value in the event. Your edit will apply to all events with the same sourcetype value. See the section on Renaming Source Types.
Sources
A list of all files, pipes, and any other inputs that have been loaded for the current index since it was created.
Index a file now
(This feature is not available to regular Splunk Professional users. You need an Admin account.)
Click this button to upload a file through your browser into the Splunk index.
More
This link appears when there are more Source Types or Sources than would fit on a comfortably-sized page. Click it to show the full list.
Live Splunks (Splunk Professional)
A table of currently configured Live Splunks for your account.
Help
Connect to Splunk's online documentation at www.splunk.com
File a Bug
Connect to Splunk's online support site to report a problem. We hate bugs, but we love our customers who report them!