It would be remiss in a blog on Splunk searching without at least mentioning the 6.0 version dashboard.
The Search dashboard
If you take a look at the Splunk search dashboard (and you should), you can break it down into 4 areas
- Search Bar. The search bar is a long textbox that you can enter your searches into when you use Splunk Web.
- Range Picker. Using the (time) range picker you set the period over which to apply your search. You are provided with a good supply of preset time ranges that you can select from, but you can also enter a custom time range.
- How-To. This is a Splunk panel that contains links you can use to access the Search Tutorial and the Search Manual.
- What-To. This is another Splunk panel that displays a summary of the data that is installed on this Splunk instance.
The New Search Dashboard
After you run a new search, you’re taken to the New Search page. The search bar and time range picker are still available in this view, but the dashboard updates with many more elements, including search action buttons, a search mode selector, counts of events, a job status bar, and results tabs for Events, Statistics, and Visualizations.
Generally Speaking
All searches in Splunk take advantage of the indexes that where setup on the data that you are searching. Indexes exist in every database, and Splunk is not an exception. Splunk’s indexes organize words or phrases in the data over time. Successful Splunk searches (those that yield results) return records (events) that meet your searching criteria. The more matches you find in your data (the more events Splunk returns) will impact the overall searching performance so it is important to be as specific in your searches as you can.
Before I “jump in”, the following are a few things worth alerting you to:
- Search terms are case insensitive.
- Search terms are additive
- Only the time frame specified is queried
- Search terms are words, not parts of words
Splunk Quick Reference Guide
To all of us future Splunk Masters, Splunk has a (updated for version 6.0) Splunk Language Quick Reference Card available for downloading in PDF format from the company website:
www.splunk.com/web_assets/pdfs/secure/Splunk_Quick_Reference_Guide.pdf.
I recommend you having a look!
To Master Splunk, you need to master Splunk’s search language, which includes an almost endless array of commands, arguments and functions. To help with this, Splunk offers its searching assistant.
The Splunk searching assistant uses “typahead” to “suggest” search commands and arguments as you are typing into the search bar. These suggestions are based on the content of the datasource you are searching and are updated as you continue to type. In addition, the searching assistant will also display the number of matches for the search term, giving you an idea of how many search results Splunk will return.
The image below shows the Splunk searching assistant in action. I’ve typed “TM1” into the search bar and Splunk has displayed every occurrence of these letters it found within my datasource (various Cognos TM1 server logs) along with a “hit count”:
The search assistant uses Python to perform a reverse-url-lookup to return description and syntax information as you type. You can control the behavior of the searching assistant with UI settings in the Search-Bar module, but it is recommended that you keep the default settings and use it as a reference.