This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Splunk Search Interface

Segment Selection

Roll your cursor over the different parts of an event in your search results. You'll see individual segments—character strings treated as single entities in the index—highlight as you pass over them. Matching segments in other events will also highlight. If you click a segment, it will submit a new search. See the section on Clicking for details.

You can change Splunk's handling of segment selection with the menu option Preferences -> Segment Selection above the Splunk box. There are five settings, described below.

Full

Splunk's default configuration treats segments separated by periods and other punctuation as minor segments and those separated by spaces as major segments. If you search for a term that appears as a minor segment, it will be highlighted on your results page. But when you roll over it to click it, the entire major segment it belongs to will highlight.

One example is worth a thousand words: Search for com and then roll your mouse over any Web domain names that appear in your results. See how you can add or remove whole domains from your search with one click. It's faster than typing into the box again and again, though you can still type whenever you prefer.

To select multiple consecutive segments in an event, such as the hour and minute in a timestamp (17:30:01) or the subnet section of an IP address (18.7.1.151), place your mouse at the leftmost segment and mouse over the subsequent segments to the right. Each segment will highlight in yellow as you pass over it. To select the entire major segment, i.e. the entire address or timestamp, place your mouse at the rightmost end instead.

Outer

This setting forces Splunk to always highlight the longest possible segment, such as a complete email address. It's equivalent to mousing from the rightmost end in Full mode.

Inner

This setting forces Splunk to always highlight the shortest possible segment, such as .com in an email address. It's equivalent to mousing from the leftmost end in Full mode.

Raw

In this mode, Splunk does no segment selection. Clicking on an IP address will do nothing.

Full with Pyramids

Same as Full, but Splunk will draw grouping boxes around segments. The result looks like a topological map, with segments stacked in pyramid-like formations to show how they are grouped.
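
The selection modes above can be modelled in a few lines. The following is an added example, not Splunk code: it assumes a major segment is any run of non-space characters, a minor segment is a run of letters or digits inside it, and breaker characters are not part of a minor segment. The names `segments`, `highlight` and the sample event are hypothetical.

```python
import re

# Constructed sample event (not taken from the manual).
EVENT = "17:30:01 18.7.1.151 GET /index.html user@example.com"

# Assumption: a major segment is a run of non-space characters, and a minor
# segment is a run of letters/digits inside it (punctuation is the breaker).
MAJOR = re.compile(r"\S+")
MINOR = re.compile(r"[A-Za-z0-9]+")


def segments(event):
    """Return [(major_text, major_start, [(minor_text, start, end), ...])]."""
    result = []
    for major in MAJOR.finditer(event):
        minors = [(m.group(), major.start() + m.start(), major.start() + m.end())
                  for m in MINOR.finditer(major.group())]
        result.append((major.group(), major.start(), minors))
    return result


def highlight(event, pos, mode="full"):
    """Text highlighted when the cursor is over character offset pos."""
    if mode == "raw":                      # Raw: no segment selection at all
        return None
    for major, start, minors in segments(event):
        if not start <= pos < start + len(major):
            continue
        if mode == "outer":                # Outer: always the longest segment
            return major
        for minor in minors:
            text, seg_start, seg_end = minor
            if seg_start <= pos < seg_end:
                if mode == "inner":        # Inner: only the segment under the cursor
                    return text
                if minor == minors[-1]:    # Full, rightmost end: whole major segment
                    return major
                return event[start:seg_end]  # Full: leftmost segment through this one
        return major                       # cursor on a breaker: fall back to the major segment
    return None                            # cursor is on whitespace


if __name__ == "__main__":
    ip = EVENT.index("18.7.1.151")
    for mode in ("full", "outer", "inner", "raw"):
        print(mode, repr(highlight(EVENT, ip + 5, mode)))
```
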
