Splunk Enterprise 6.0.

1
Search Tutorial
Generated: 2/03/2014 11:38 am
Copyright (c) 2014 Splunk Inc. All Rights Reserved
Table of Contents
Introduction..........................................................................................................1
Welcome to the Search Tutorial................................................................1
Part 1: Downloading and installing Splunk Enterprise....................................3
What you need for this tutorial..................................................................3
Where and which Splunk to download......................................................4
Install Splunk on Linux, Windows, or Mac OS X.......................................5
Start Splunk and launch Splunk Web........................................................7
Part 2: Getting started with Splunk Enterprise...............................................11
About Splunk Home................................................................................11
Navigating Splunk Web...........................................................................13
Part 3: Getting data into Splunk Enterprise....................................................16
About getting data into Splunk................................................................16
Get the tutorial data into Splunk..............................................................18
Part 4: Using Splunk Search.............................................................................22
About the Search dashboard..................................................................22
About the time range picker....................................................................25
About search actions and modes............................................................27
About the search results tabs..................................................................29
Part 5: Searching the tutorial data...................................................................32
Start searching........................................................................................32
Use fields to search.................................................................................34
Use the search language........................................................................39
Use a subsearch.....................................................................................43
Use field lookups.....................................................................................45
Part 6: Saving and sharing Reports.................................................................52
About saving and sharing reports...........................................................52
More searches and reports.....................................................................56
Part 7: Creating dashboards.............................................................................60
About dashboards...................................................................................60
Creating dashboards and dashboard panels..........................................61
i
Table of Contents
Next steps...........................................................................................................67
More Splunk............................................................................................67
ii
Introduction
Welcome to the Search Tutorial
Splunk Search is the primary interface for running Splunk searches and saving
reports. This Search Tutorial is written for the user who is new to Splunk
Enterprise and the the Splunk Search feature.
What's in this tutorial?
This manual guides you through adding data, searching the data, saving the
searches as reports, and creating dashboards. If you're new to Splunk Search,
this is the place to start!
Part 1: Downloading and installing Splunk Enterprise takes you
through the steps to download, install, and start Splunk on your platform.
This chapter is directed towards users who are downloading and starting
Splunk for the first time.

Part 2: Getting started with Splunk Enterprise describes Splunk Web,
which is the interface for using Splunk Enterprise and Search. Read this
chapter to familiarize yourself with Splunk Home and how to navigate the
different views in Splunk Web.

Part 3: Getting data into Splunk Enterprise walks you through adding
the tutorial data into Splunk Enterprise. The tutorial data, which is a
sample data set composed of web server and MySQL logs for a fictional
online game store, is included for download in this chapter. Follow the
detailed instructions to add this data to your Splunk instance.

Part 4: Using Splunk Search describes the parts of Splunk Web you
need to to run searches, including the search dashboards, the timerange
picker, search actions, and other options. If you've used Splunk Search in
previous releases, you should still read this chapter familiarize yourself
with new options and other changes.

Part 5: Searching the tutorial data teaches different ways to search and
includes using fields, using the search language, subsearches, and field
lookups.

Part 6: Saving and sharing reports describes the steps to save and
share your searches as reports. This chapter also includes mode search
examples.

Part 7: Creating dashboards discusses how to create dashboards
targeted to meet different business needs.

1
Make a PDF
If you'd like a PDF version of this manual, click the red Download the Search
Tutorial as PDF link below the table of contents on the left side of this page. A
PDF version of the manual is generated on the fly for you, and you can save it or
print it out to read later.
Note: Copying and pasting searches directly from the PDF document into Splunk
Web is not recommended. In some cases, doing so causes errors because of
hidden characters that are included in the PDF formatting.
2
Part 1: Downloading and installing Splunk
Enterprise
What you need for this tutorial
Before you can start this tutorial, you need to download, install, and start Splunk
Enterprise. This topic discusses the requirements you need to run Splunk on
your system and what you need to know about Splunk licenses.
If you already have access to a running Splunk server instance, you can skip
this chapter and start with Part 2: Getting started with Splunk.
System requirements
Splunk is a high-performance application that runs on most computing platforms:
Linux, Unix, Windows, and Mac OS. For this tutorial, you need a Windows or
Mac OS X computer or laptop that meets at least the following specifications:
Platform Minimum supported hardware capacity
Non-Windows platforms 1x1.4 GHz CPU, 1 GB RAM
Windows platforms Pentium 4 or equivalent at 2Ghz, 2GB RAM
Once you install Splunk on your machine, you access it using a web browser.
Splunk 6.0+ supports the latest versions of Firefox, Chrome, and Safari
browsers.
This is just a snapshot of Splunk's system requirements; for the complete list of
specifications, see the "System Requirements" topic in the Installation manual.
Splunk licenses, briefly
Splunk licenses limit the volume of data that your Splunk installation is entitled
to index in a single day. Splunk runs with either an Enterprise license or a Free
license. When you download Splunk for the first time, you get an Enterprise trial
license that expires after 60 days. This trial license entitles the server to 500
MB/day indexing and all of the Enterprise features.
3
Note: If the Enterprise trial license expires, you can switch to the perpetual Free
license - It's included! - or purchase an Enterprise license.
Read more about "Types of Splunk licenses" in the Admin Manual.
Next steps
Now that you know what you need to run Splunk on your system, continue to the
next topic to read about downloading Splunk.
Where and which Splunk to download
Splunk supports installation of most operating systems. This tutorial focuses
mainly on Linux, Windows, and Mac OS X. When necessary, the differences
between OS-specific functionality will be mentioned throughout this tutorial.
Which Splunk to download
Splunk provides three install options for Linux: an RPM download for
RedHat, a DEB package for Debian Linux, and a tar file installer. For this
tutorial, you can use any of these installers.

Splunk provides two Windows installers, an MSI file and a compressed
zip file. For this tutorial, use the MSI file graphical installer.

Splunk provides two Mac OS X installers, a DMG package and a tar file
installer. For this tutorial, use the DMG packaged graphical installer.

Where to download Splunk
Download the latest version of Splunk from the download page.
Note: If you're not logged into Splunk.com, clicking the download package will
redirect you to a registration form. If you don't already have a Splunk.com
account, sign up for one.
Next steps
Now that you've downloaded Splunk, continue to the next topic to install the
software on your machine.
4
Install Splunk on Linux, Windows, or Mac OS X
The previous topic told you where to download Splunk for Linux, Windows, or
Mac OS X. This topic provides brief install instructions for each of these
platforms.
If you run into any problems with installing Splunk Enterprise on one of these
platforms or you want to complete this tutorial on another supported OS, refer to
the "Step-by-step" installation instructions" for that platform and continue to Part
2: Getting started with Splunk.
Linux install instructions
Splunk provides 3 Linux installer options: an RPM, a DEB, and a compressed .tar
file. Below are brief installation instructions for each of these installers.
Note: You need to have access to a command line interface (CLI).
By default, Splunk installs into the /opt/splunk directory on Linux.
To install the Splunk RPM, type the following into the CLI. Use the optional
--prefix flag if you want to install Splunk into a different directory.
rpm -i --prefix=/opt/new_directory splunk_package_name.rpm
To install the Splunk DEB package, type the following into the CLI. You can
only install the Splunk DEB into the default /opt/splunk directory.
dpkg -i splunk_package_name.deb
To install Splunk using the compressed tar file, expand the file into the
appropriate directory using the tar command. The default install directory is
/splunk in the current working directory. To install into a specific directory, such
as /opt/splunk, use the -C option:
tar xvzf splunk_package_name.tgz -C /opt
For more detailed instructions for installing Splunk on Linux, refer to the
Step-by-step Linux installation instructions in the Installation manual.
5
Windows install instructions
Follow these instructions to install Splunk using the MSI graphical installer.
1. To start the installer, double-click the splunk.msi file.
2. In the Welcome panel, click Next.
3. Read the licensing agreement and check the box next to "I accept the terms in
the license agreement". Click Next to continue installing.
4. In the Customer Information, enter the requested details and click Next.
5. In the Destination Folder panel, click Change... to specify a different location
to install Splunk, or click Next to accept the default value.
Splunk is installed by default into the \Program Files\Splunk directory.
The Logon Information panel is displayed.
6. In the Logon Information panel, select Local system user and click Next.
If you want to learn about the other user option, refer to the detailed instructions
for installing Splunk on Windows.
7. After you specify a user, the pre-installation summary panel is displayed. Click
Install to proceed.
8. In the Installation Complete panel, check the boxes to Launch browser with
Splunk and Create Start Menu Shortcut now.
9. Click Finish.
The installation completes, Splunk starts, and Splunk Web launches in a
supported browser.
Mac OS X install instructions
Follow these instructions to install Splunk using the DMG graphical installer.
1. Navigate to the folder or directory where the installer is located.
2. Double-click on the DMG file.
6
A Finder window containing splunk.pkg opens.
3. In the Finder window, double-click on splunk.pkg.
The Splunk installer opens and displays the Introduction, which lists version and
copyright information.
4. Click Continue.
The Select a Destination window opens.
5. Choose a location to install Splunk.
To install in the default directory, /Applications/splunk, click on the
harddrive icon.

To select a different location, click Choose Folder...
6. Click Continue.
The pre-installation summary displays. If you need to make changes,
Click Change Install Location to choose a new folder, or
Click Back to go back a step.
7. Click Install.
Your installation will begin. It might take a few minutes.
8. When your install completes, click Finish.
The installer places a shortcut on the Desktop.
Next steps
After the install completes, continue to the next topic to start Splunk.
Start Splunk and launch Splunk Web
You've just downloaded and installed Splunk. This topic explains how to start
Splunk and launch Splunk Web.
7
About starting Splunk
When you start Splunk, you are starting two processes, splunkd and splunkweb.
splunkd is a distributed C/C++ server that accesses, processes, and
indexes streaming machine data and handles search requests.

splunkweb is a Python-based application server that provides the Splunk
Web interface that you use to search and navigate your machine data and
manage your Splunk deployment.

After you start Splunk, accept the license agreement and use a supported web
browser to access Splunk Web.
Start Splunk on Windows
After the Windows installation of Splunk completes, Splunk starts and launches
Splunk Web in a supported browsers. If this didn't happen, you have three
options to start Splunk:
Start Splunk from the Start menu.
Use the Windows Services Manager to start and stop splunkd and
splunkweb.

Open a cmd window and go to \Program Files\Splunk\bin and type
> splunk start
Start Splunk on Linux
After installing Splunk, use the Splunk CLI to start Splunk. You can simplify the
CLI access by adding a SPLUNK_HOME environment variable for the top level
installation directory and $SPLUNK_HOME/bin to your shell's path.
If you installed in the default location for Linux, your export path should look
something like this:
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
For more information on how to access the CLI, see "About the CLI" in the Admin
manual.
Now, to start Splunk, type:
8
$SPLUNK_HOME/bin/splunk start
Accept the Splunk License
After you run the start command, Splunk displays the license agreement and
prompts you to accept the license before the startup sequence continues.
If you run into any problems starting up Splunk, see "Start Splunk for the first
time" in the Installation manual.
Other commands you might need
If you need to stop, restart, or check the status of your Splunk server, use these
CLI commands:
$ splunk stop
$ splunk restart
$ splunk status
Start Splunk on Mac OS X
In Mac OS X, you can start Splunk from the Finder. Double-click the Splunk icon
on the Desktop to launch the Splunk helper application, entitled "Splunk's Little
Helper".
Note: The first time you run the helper application, it notifies you that it needs to
perform a brief initialization. Click OK to allow Splunk to initialize and set up the
trial license.
Once the helper application loads, it displays a dialog that offers several choices:
Start and Show Splunk: This option starts Splunk and directs your web
browser to open a page to Splunk Web.

Only Start Splunk: This choice starts Splunk, but does not open Splunk
Web in a browser.

Cancel: Tells the helper application to quit. This does not affect the
Splunk instance itself, only the helper application.

Once you make your choice, the Splunk helper application performs the
requested application and terminates. You can run the helper application again to
either show Splunk Web or stop Splunk.
The Splunk helper application can also be used to stop Splunk if it is already
running.
9
Launch Splunk Web
At the very end of the startup sequence, Splunk tells you where to access Splunk
Web:
The Splunk Web interface is at http://localhost:8000
Splunk Web runs by default on port 8000 of the host on which it's installed. If you
are using Splunk on your local machine, the URL to access Splunk Web is
http://localhost:8000.
If you are using an Enterprise license, launching Splunk for the first time takes
you to this login screen. Follow the message to authenticate with the default
credentials.
If you are using a Free license, you do not need to authenticate to use Splunk. In
this case, when you start up Splunk you won't see this login screen. Instead, you
will be taken directly to Splunk Home or whatever is set as the default app for
your account.
When you sign in with your default password, Splunk asks you to create a new
password. You can either Skip this or change your password to continue.
The first page you should see is Splunk Home.
Next steps
This completes Part 1 of the Search Tutorial. Continue to Part 2: Getting started
with Splunk.
10
Part 2: Getting started with Splunk
Enterprise
About Splunk Home
Splunk Home is your interactive portal to the apps and data accessible from this
Splunk instance. The main parts of Home include a search bar and three panels:
Apps, Data, and Help.
Finding Splunk Home
If this is a new install of Splunk, Splunk Home will be the first page that you see
when you log into Splunk for the first time. Otherwise, your account may be
configured to start in another view such as Search or Pivot in the Search &
Reporting app.
You can return to Splunk Home from any other view by clicking on the Splunk
logo at the top left in Splunk Web.
11
The app search bar
This app search bar is a shortcut that lets you run a search in a specified app
context, without clicking through to the desired app. It is similar to the standard
Splunk search bar and includes a time range picker. It also includes an App
menu that allows you to select the app context in which to run your search.
Apps and workspaces
In the Apps panel, you will see workspaces for the apps that are installed on your
Splunk server that you have permission to view. The workspace displays a menu
of the views and objects in the app context. Select the App to open it or select a
content page listed in the workspace to go directly to that view.
For an out-of-the-box Splunk Enterprise installation, you will only see one App in
the workspace. When you have more than one app, you can drag and drop the
app within the workspace to rearrange them.
Also, you can discover new apps or manage existing apps by clicking on the
buttons at the bottom of the panel to:
Find more apps to install on Splunk.
Manage apps already installed on Splunk.
The Data panel
The Data panel is a shortcut to adding new data and managing your data inputs.
It also provides statistical data about events indexed by the local Splunk
Enterprise instance. Specifically, it shows how long ago data was indexed
earliest and latest and the volume of data you have in this instance.
12
When you have data in Splunk, you can see a brief summary of it here:
Click Add Data to follow the steps to get new data into Splunk.
Click Manage Inputs to view and edit existing input definitions.
The Help panel
The Help panel provides links to pages that will help you learn how to use
Splunk, including video tutorials, the Splunk Answers forums, the Splunk Support
portal, and Splunk's online documentation. Clicking on these links will open them
in a new tab or window.
Next steps
Now that you are familiar with Splunk Home, continue to the next topic to learn
how to "navigate your Splunk instance".
Navigating Splunk Web
The last topic introduced you to Splunk Home, which is the first page you see
when you log into Splunk for the first time. You're probably wondering: What
other pages are there in Splunk Web? How do you view or change the system
configurations? How do you edit account settings or log out? This is all done from
the Splunk bar, which is the black bar at the top of Splunk Web.
This topic discusses how to use the Splunk bar to navigate Splunk Web.
Use the Splunk bar
The Splunk bar, at the top of the window, lets you navigate your Splunk instance.
It is common to every page in Splunk. You can use it to switch between apps,
manage and edit your Splunk configuration, view system level messages, and
monitor the progress of search jobs.
13
Return to Home
The Splunk logo on the navigation bar returns you to Splunk Home.
Apps
The Apps menu lists all the apps that you have permission to view and run. You
can Find more apps and Manage apps from this menu, too.
Settings
The Settings menu houses all the configuration pages for Knowledge objects,
Distributed environment settings, System and licensing, Data, and Authentication
settings. If you don't see some of these options, it just means that you do not
have the permissions to view or edit them.
User menu
The User menu here is named "Administrator" because that is the default user
name for a new install. You can change this display name by selecting Edit
account. You can also change the time zone settings, select a default app for
this account, and change your password. The User menu is also where you can
Logout of Splunk.
14
Messages
All system-level error messages will be listed here. You will see a notification (in
red) when there is a new message to review.
Activity
Jobs
Click on Jobs to open the search jobs manager window, where you can view and
manage currently running searches.
Triggered alerts
Alerts that you set up will display here when they are triggered. You will see a
notification for the triggered alerts.
This tutorial does not discuss saving and scheduling alerts. For more information,
read "About alerts" in the Alerting Manual.
Help
Click on Help to see links to Video Tutorials, Splunk Answers, the Splunk
Support Portal, and online Documentation.
Next steps
Now that you are more familiar with Splunk Web, let's add some data to Splunk!
15
Part 3: Getting data into Splunk Enterprise
About getting data into Splunk
The first step in using Splunk is to feed it data: Point Splunk at a data source. Tell
it a bit about the source. That source then becomes a data input to Splunk.
Splunk begins to index the data stream, transforming it into a series of individual
events that you can view and search right away. If the results aren't exactly what
you want, you can tweak the indexing process until you're satisfied.
This topic is a brief overview of the types of data that you can add to Splunk, the
ways to get that data into Splunk, and where Splunk stores that data after you
add it.
What kinds of data?
Splunk works with any data. In particular, any and all IT streaming and historical
data. This includes stuff like event logs, web logs, live application logs, network
feeds, system metrics, change monitoring, message queues, archive files, or
anything else of interest.
The data can be on the same machine as the Splunk indexer (local data), or it
can be on another machine altogether (remote data). For more information on
local versus remote data, see "Where is my data?" in the Getting Data In Manual.
In general, you can categorize Splunk input sources as follows:
Files and directories: A lot of data you might be interested in comes
directly from files and directories.

Network events: Splunk can index remote data from any network port
and SNMP events from remote devices.

Window sources: The Windows version of Splunk includes a wide range
of Windows-specific inputs, including Windows Event Log, Windows
Registry, WMI, Active Directory, and Performance monitoring.

Other sources: Splunk also supports other input sources, such as FIFO
queues and scripted inputs for getting data from APIs and other remote
data interfaces.

For more detailed information about data and Splunk, read "What Splunk can
index" in the Getting Data In Manual.
16
How to specify data inputs
You add new types of data to Splunk by telling it about them. There are a number
of ways to do this:
Splunk Web. You can configure most inputs using the Splunk Web data
input pages. These provide a GUI-based approach to configuring inputs.
This is the method you will use to add the tutorial data into Splunk.

Apps. Splunk has a large and growing variety of apps and add-ons that
offer preconfigured inputs for various types of data sources. For more
information, see "Use apps".

Splunk's CLI. You can use the CLI (command line interface) to configure
most types of inputs. See "Use the CLI".

The inputs.conf configuration file. When you specify your inputs with
Splunk Web or the CLI, the configurations get saved in an inputs.conf file.
You can edit that file directly, if you prefer. To handle some advanced data
input requirements, you might need to edit it. See "Edit inputs.conf".

For more information on configuring inputs, see "Configure your inputs".
Where Splunk stores data
A Splunk data repository is called an index. During indexing (or event
processing), Splunk processes the incoming data stream to enable fast search
and analysis, storing the results in the index as events.
Events are stored in the index as a bunch of files that fall into two categories:
The raw data in a compressed form (rawdata).
Index files and some metadata files that point to the raw data.
These files reside in sets of directories, called buckets, organized by age. For
more information, see "How Splunk stores indexes" in the Managing Indexers
and Clusters Manual.
Splunk, by default, puts all user data into a single, preconfigured index. It also
employs several other indexes for internal purposes. You can add new indexes
and manage existing ones to meet your data requirements. See "About
managing indexes" in the Managing Indexers and Clusters Manual.
17
Next steps
Now that you're more familiar with Splunk data inputs and indexes, continue to
the next topic and add the tutorial sample data into Splunk.
Get the tutorial data into Splunk
Splunk works with any data that can be collected from files and directories,
network ports, and custom scripts. To complete this tutorial, you will upload a file
directly to Splunk.
This topic walks you through downloading the tutorial data set and adding it into
Splunk. This tutorial is designed to be completed in a matter of hours, but if you
want to spread it out over the course of a few days, just download a new sample
data file and add it.
Download the sample data file
Download but do not uncompress the tutorial data file here:
http://www.splunk.com/base/images/Tutorial/tutorialdata.zip
This tutorial data file is updated daily and shows events timestamped for the
previous 7 days.
Add the sample data into Splunk
1. Log into Splunk.
This should take you to Splunk Home. If you're not in Splunk Home, click the
Splunk logo on the Splunk bar. The logo is at the top left of the window.
2. In the Data panel, click Add data.
This opens the Add data window, which provides a list of data types and sources
that you can select from. The tutorial data is a compressed file source.
18
3. Under "Or Choose a Data Source", click From files or directories.
This takes you to the Data preview dialog, which lets you preview the data
before you add it to a Splunk index. For this tutorial, you won't need to do this. If
you're interested in reading more about data preview, refer to "Overview of data
preview" in the Getting Data In manual.
4. Select Skip preview and click Continue.
This takes you to Add data > Files & directories > Add new, where you will tell
Splunk how to access the data source.
5. Under Source, select Upload and index a file and browse for the tutorial data
file, tutorialdata.zip, that you just downloaded.
19
The source of a file or directory is the full pathname to the file or directory.
6. Select More settings.
The "More settings" option enables you to override Splunk's default settings for
Host, Source type, and Index. For this tutorial, you need to modify the host
settings to assign host names to the events based on the file's location in the
compressed file.
Select Segment in path from the menu.
Type in 1 for the segment number.
7. Click Save.
When it's finished, Splunk displays a message saying the upload was successful.
8. Return to Home.
20
The Data panel in Home now displays a summary of the data you just added. If
you don't have any other data in Splunk, it should look something like this:
The data summary will be discussed in more detail in the next chapter.
Next steps
Now that you've fed Splunk some data, it's time to learn about the Search app
and start searching the tutorial data.
21
Part 4: Using Splunk Search
About the Search dashboard
In the previous chapter, you learned about the types of data Splunk works with,
downloaded the tutorial sample data, and added the data into Splunk. This
chapter will familiarize you with Splunk Search--there are a few things to cover
before you start searching the sample data.
Find Splunk Search
If you're in Splunk Home, look for the Bubbles app and click Search. This takes
you to the Search landing page:
Before you run a search...
Before you run a search, the main parts of Search are: the search bar, the time
range picker, the How to search panel, and the What to search panel.
The search bar
Use the search bar to run your searches in Splunk Web. Just type in your search
string and hit enter or click the spyglass icon to the right of the time range picker.
The time range picker
Use the time range picker to retrieve events over a specific time period. For
real-time searches you can specify a window over which to retrieve events. For
historical searches, you can restrict your search by specifying a relative time
range (15 minutes ago, Yesterday, etc.) or a specific date and time range. The
time range picker has many preset time ranges that you can select from, but you
22
can also enter a custom time range.
The time range picker is discussed in greater detail in a later topic, "About the
time range picker".
How to search
The "How to search" panel links you to the Search Tutorial and Search Manual to
help you learn about how to write searches.
What to search
The "What to search" panel displays a summary of the data that is installed on
this Splunk instance and that you are authorized to view. To see more details
about this data, click Data Summary.
This opens up the Data Summary dialog which displays three tabs: Hosts,
Sources, Sourcetypes.
The host of an event is typically the hostname, IP address, or fully qualified
domain name of the network machine from which the event originated.
The source of an event is the file or directory path, network port, or script from
which the event originated.
23
The source type of an event tells you what kind of data it is, usually based on
how it's formatted. This classification lets you search for the same type of data
across multiple sources and hosts.
For more information about how Splunk source types your data, read "Why
source types matter" in the Getting Data In manual.
After you run a search...
Type the following into the searchbar:
buttercupgames
You're now in the New Search page. The search bar and time range picker are
still available in this view, but the dashboard updates with many more elements:
search action buttons, and search mode selector; counts of events; job status
bar; and tabs for Events, Statistics, and Visualizations.
The next topics in this chapter will discuss each of these parts of the Search view
in more detail.
24
Next steps
Continue reading to learn about restricting searches to a time range.
About the time range picker
The time range picker enables you to set time boundaries on your searches. You
can restrict the search to Preset time ranges, custom Relative time ranges, and
custom Real-time ranges or specify a Date Range or a Date & Time Range.
There are also more advanced options for specifying the time ranges for a
search.
For this tutorial, you will mostly select from the time range Presets and define
custom Relative time ranges.
Time range presets
The time range picker Presets are a set of time ranges that are defined in Splunk
out-of-the-box. As you can see, Splunk provides a wide variety of options.
By default, the time range for a search is set to All time. Usually, when you run a
search over large volumes of data, you will see faster results if you run the
search over a smaller time period. If you want to change the default time range
for your searches, see "Change the default selected time range" in the Search
Manual.
When you're troubleshooting an issue and have a ballpark range for when the
issue occurred, it helps to narrow the time of the search to that time period. For
25
example, if you're investigating an incident that occurred yesterday, you could
select Yesterday or Last 24 hours. If you're investigating an incident that
occurred 10 minutes ago, you could select Last 15 minutes or Last 60 minutes.
Custom time ranges
If one of the Presets is not what you want, you can define a custom time range,
such as a Relative time range or a Date & Time Range.
If you are interested in events in the last two hours, you can specify it with the
Relative time range option.
For example, you can specify the earliest time to read "2 Hours Ago" and latest
time to be either "now" or "Beginning of the current hour".
Additionally, you can narrow down more precisely into the time range when you
specify a Date & Time Range.
For example, if you're interested in events that occurred on September 30th at
8:42 PM. You can specify the earliest time to be 09/30/2013 08:40:00.000 and
the latest time to be 09/30/2013 08:45:00.000.
26
Next steps
Continue reading to learn about search actions and search modes.
About search actions and modes
This topic explains search actions and search modes that you can use to control
your search experience.
Control search job progress
After you launch a search, you can access and manage information about the
search's job without leaving the Search page. Once your search is running,
paused, or finalized, click Job and choose from the available options there.
You can:
Edit the job settings. Select this to open the Job Settings dialog, where
you can change the job's read permissions, extend the job's lifespan, and
get a URL for the job that you can use to share the job with others or put a
link to the job in your browser's bookmark bar.

Send the job to the background. Select this if the search job is slow to
complete and you would like to run the job in the background while you
work on other Splunk activities (including running a new search job).

Inspect the job. Opens a separate window and display information and
metrics for the search job via the Search Job Inspector.

Delete the job. Use this to delete a job that is currently running, is
paused, or which has finalized. After you have deleted the job you can still
save the search as a report.

Read more about "Saving and sharing jobs in Splunk Web" in the Knowledge
Manager Manual.
27
Change the search mode
The Search mode controls the search experience. You can set it to speed up
searches by cutting down on the event data it returns (Fast mode), or you can set
it to return as much event information as possible (Verbose mode). In Smart
mode (the default setting) it automatically toggles search behavior based on the
type of search you're running.
See "Set search mode to adjust your search experience" in the Search Manual
for more information.
Save the results
The Save as menu lists options for saving the results of a search as a Report,
Dashboard Panel, Alert, and Event type.
Other search actions
Between the job progress controls and search mode selector are three buttons
which enable you to Share, Export, and Print the results of a search.
Click Share to share the job. When you select this, the job's lifetime is
extended to 7 days and read permissions are set to Everyone.

Click Export to export the results. You can select to output to CSV, raw
events, XML, or JSON and specify the number of results to export.

Click Print to send the results to a printer that has been configured.
Additionally, use the Close button next to Save as menu to cancel the search
and return to Splunk Home.
28
Next steps
Continue to the next topic to read a brief discussion about the format of the
search results.
About the search results tabs
When you run a search, the types of search commands you use affects which
search results tab get populated. If your search just retrieves events, you can
view the results in the Events tab, but not in the other tabs. If the search includes
transforming commands, you can view the results in the Statistics and
Visualization tabs.
Events
The following search just retrieves events and populates the Events results tab:
Timeline of events: The timeline is a visual representation of the number
of events that occur at each point in time. As the timeline updates with
your search results, you might notice clusters or patterns of bars. The
height of each bar indicates the count of events. Peaks or valleys in the
timeline can indicate spikes in activity or server downtime. Thus, the
timeline is useful for highlighting patterns of events or investigating peaks
and lows in event activity. The timeline options are located above the
timeline. You can zoom in, zoom out, and change the scale of the chart.

Fields sidebar: When you index data, Splunk by default automatically
recognizes and extracts information from your data that is formatted as
name and value pairs, which we call fields. When you run a search,
Splunk lists all of the fields it recognizes in the fields sidebar next to your
search results. You can select other fields to show in your events. Also,
you can hide this sidebar and maximize the results area.

29
selected fields are fields that are set to be visible in your search
results. By default, host, source, and sourcetype are shown.

interesting fields are other fields that Splunk has extracted from
your search results.

Results area: The results area, located below the timeline, displays the
events that Splunk retrieves to match your search.
By default, the results are displayed as a list of events, ordered
from most recent. You can use the icons at the upper left of the
panel to view the results as a table (click on the Table icon) or chart
(click on the Chart icon).


Statistics
If you clicked the Statistics tab for the previous search example, you would not
see any results because it does not have any transforming commands.
With a transforming search, such as one to build a chart of the top product
categories sold at the Buttercup Games online store, the Statistics Tab displays a
table of results:
30
Visualizations
You can also view the previous example in the Visualizations tab. It displays as a
chart visualization that you can format further.
Next steps
This chapter explained to you how to use and navigate the Search dashboard,
but you won't get a feel for it until you Start searching.
31
Part 5: Searching the tutorial data
Start searching
In previous chapters, you uploaded the tutorial data file into Splunk and read
about how to use Splunk Search. In this chapter, you will start searching that
tutorial data. This topic discusses searches that retrieve events from the index.
What to search
Let's return to the Search view. To do this, click Search in the App navigation
bar.
Look at the What to search panel.
Also, re-familiarize yourself with the tutorial data, which represents a fictitious
online game store, called Buttercup Games. The tutorial data includes five hosts,
eight sources, and three source types. The three source types are Apache web
access logs (access_combined_wcookie), Linux secure formatted logs (secure),
and the vendor sales log (vendor_sales).
Most of this tutorial will cover searching the Apache web access logs and
correlating it with the vendor sales logs.
Retrieve events from the index
Searching in Splunk can be as easy as typing words into the search bar. You
have data for an online store that sells a variety of games. Let's try to find out
what types of games are sold: strategy, arcade, simulation, shooter, sports?
1. Open Splunk Search and type buttercupgames into the search bar:
32
As you typed, Splunk's Search Assistant opens and starts suggesting
completions for your search based on terms it matches in your events. Search
assistant also displays the number of matches for the search term. This number
gives you an idea of how many search results Splunk will return. If a term or
phrase doesn't exist in your data, you won't see it listed in search assistant.
Search assistant has more uses once you start learning the search language, as
you'll see later.
And, if you don't want search assistant to open, click Auto Open to remove the
check mark next to it. If you need search assistant after you turn off Auto Open,
click on the down arrow below the search bar to open it back up again. You can
toggle on or off Auto Open by clicking it.
When you run the search for buttercupgames, Splunk retrieves 36,819 events.
2. Now that you have events for the Buttercup Games data, lets search for
simulation and strategy games. To do this, you can use Boolean directives: AND,
OR, NOT. For example:
buttercupgames (simulation OR strategy)
Boolean directives must be in capital letters. The AND directive is implied
between terms, so you do not need to write it. You can use parentheses to group
terms. When evaluating boolean expressions, precedence is given to terms
inside parentheses. AND or NOT clauses are evaluated before OR clauses.
The search command
You haven't learned about search commands yet, but each time you type
keywords and phrases, you're implicitly using the search command to retrieve
events from a Splunk index(es). The search command enables you to use
keywords, phrases, fields, boolean expressions, and comparison expressions to
specify exactly which events you want to retrieve. This topic discussed searching
with keywords and boolean expressions. Later topics in the tutorial will go over
using time, fields, and the search language.
33
What's not discussed in this tutorial is using comparison expressions and
operators for exact phrase matching and using the special directives TERM() and
CASE(). Read more about these methods in "Use the search command" in the
Search Manual.
Next steps
When you're ready to proceed, go to the next topic to learn how to investigate
and troubleshoot interactively using the timeline in Splunk.
Use fields to search
The previous topics in this chapter demonstrated how to run some simple
searches just by typing in keywords, manipulating the timeline, and changing the
time range. But, you can't take full advantage of Splunk's more advanced search
features without understanding what fields are and how to use them.
Briefly, about fields
When you looked at the Data Summary in the search view, you saw a list of
Hosts, Sources, and Source types that described the type of data you added to
your Splunk index. These are also default fields that Splunk extracts from the
data during indexing--they are important because they help to specify exactly
which events you want to retrieve from the index.
What are fields?
Fields exist in machine data in many forms. Often, a field is a value (with a fixed,
delimited position on the line) or a name and value pair, where there is a single
value to each field name. A field can also be multivalued; that is, it appears more
than once in an event and has a different value for each appearance.
Some examples of fields are clientip for IP addresses accessing your Web
server, _time for the timestamp of an event, and host for domain name of a
server. One of the more common examples of multivalue fields is email address
fields. While the "From" field will contain only a single email address, the "To"
and "Cc" fields may have one or more email addresses associated with them.
For more information (and there's a lot more), read "About fields" in the
Knowledge Manager manual.
34
Extracted fields
Splunk extracts fields from event data at index-time and at search-time. Read
more about "Index time versus search time" in the Managing Indexers and
Clusters manual.
Default and other indexed fields are automatically extracted for each event that is
processed when that data is indexed. Default fields include host, source, and
sourcetype (which should be familiar to you). For a complete list of the default
fields, see "Use default fields" in the Knowledge Manager Manual.
A different set of fields are extracted at search time, when you run a search.
You'll see some examples of these searches later. For more information, read
the "Overview of search-time field extractions" in the Knowledge Manager
manual.
You can also use the Interactive Field Extractor (IFX) to create custom fields
dynamically on your local Splunk instance. IFX enables you to define any pattern
for recognizing one or more fields in your events. For more information, read how
to "Extract fields interactively with IFX" in the Knowledge Manager Manual.
Find and select fields
To search for a particular field, specify the field name and value:
fieldname="fieldvalue" . Also, field names are case sensitive, but field values
are not!
1. Go back to the Search dashboard and type the following into the search bar:
sourcetype="access_*"
This tells Splunk to only retrieve events from your web access logs and nothing
else. sourcetype is a field name and access_* is a wildcarded field value used to
match any Apache web access event. Apache web access logs may formatted
as access_common, access_combined, and access_combined_wcookie.
2. In the Events tab, scroll through the list of events.
If you're familiar with the access_combined format of Apache logs, you will
recognize some of the information in each event, such as:
IP addresses for the users accessing the website.
URIs and URLs for the pages requested and referring pages.
HTTP status codes for each page request.
35
GET or POST page request methods.
Also, these are events for the Buttercup Games online store, so other information
and keywords (such as Arcade, Simulation, productId, categoryId, purchase,
addtocart, etc) might jump out at you.
3. To the left of the events list is the Fields sidebar.
As Splunk retrieves these events, the Fields sidebar updates with Selected fields
and Interesting fields. These are the fields that Splunk extracted from your data.
Selected Fields are the fields that will display in your search results. Notice that
default fields host, source, and sourcetype are selected:
You can hide and show the fields sidebar by clicking 'Hide Fields and Show
Fields, respectively.
4. Click All Fields.
This opens the Select Fields dialog where you can edit the fields to show in the
events list.
You should see the default fields that Splunk defined--some of these fields are
based on each event's timestamp (everything beginning with date_*), punctuation
(punct), and location (index).
You should also recognize the field names that apply to the web access logs. For
example, there's clientip, method, and status. These are not default fields;
they have (most likely) been extracted at search time.
But, you should also notice other extracted fields that are related to the Buttercup
Games online store. For example, there are action, categoryId, and productId.
5. Select action, categoryId, and productId and close the Select Fields window.
36
The three fields are added under Selected Fields in the sidebar. Also, the
field/value pairs are listed under each event if it exists in the raw data for that
event.
The fields sidebar doesn't just show you what fields Splunk has captured from
your data. It also displays how many values exist for each of these fields. This
doesn't mean that these are all the values that exist for each of the fields--these
are just the values that Splunk knows about from the results of your search.
What are some of these values?
6.Under Selected Fields, click on the action field.
This opens the field summary for the action field.
This window tells you that, in this set of search results, Splunk found five values
for action. Also, it tells you that the action field appears in 49.9% of your search
results.
7.Close this window and look at the other two fields you selected, categoryId
(what types of products the shop sells) and productId (specific catalog number
for products).
Now you know a little bit more about the information in your data relating to the
Buttercup Games online shop.
8. Scroll through the events list.
37
The selected fields are displayed under your search results if they exist in that
particular event. Different events will have different fields. If click on the arrow
next to an event, it opens up the list of all fields in that event. You can use this
panel to view all the fields in a particular event and select or deselect individual
fields for an individual event.
Run more targeted searches
The following are search examples using fields.
Example1: Search for successful purchases from the Buttercup Games store.
sourcetype=access_* status=200 action=purchase
This search uses the HTTP status field, status, to specify successful requests
and the action field to search only for purchase events.
You can also search for failed purchases in a similar manner using status!=200,
which looks for all events where the HTTP status code is not equal to 200.
sourcetype=access_* status!=200 action=purchase
Example 2: Search for general errors.
(error OR failed OR severe) OR (status=404 OR status=500 OR status=503)
Note that this doesn't specify a source type. The search retrieves events in both
the secure and web access logs.
Example 3: How many simulation games were bought yesterday?
Select the Preset time range, Yesterday, from the time range picker and run:
sourcetype=access_* status=200 action=purchase categoryId=simulation
The count of events returned are the number of simulation games purchased.
If you wanted to find the number purchases for each type of product sold at the
shop, you would need to run this search for each unique categoryId. If you
wanted the number of purchases for each day of the previous week, you would
38
need to run the search again for each time range.
Or, you could use the search language.
Next steps
In Splunk, fields are searchable name/value pairings that distinguish one event
from another because not all events will have the same fields and field values.
Fields enable you to write more tailored searches to retrieve the specific events
that you want. Fields also enable you to take advantage of the search language,
create charts, and build reports.
Continue to the next topic to learn how to use the search language.
Use the search language
The searches you've run to this point have only retrieved events from your
Splunk index. You were limited to asking questions that could only be answered
by the number of events returned.
For example, in the last topic, you ran this search to see how many simulation
games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
If you want to find this number for the days of the previous week, you have to run
it against the data for each day of that week. If you want to see which products
are more popular than the other, you have to run the search for each of the eight
categoryId values and compare the results.
This topic shows you how you can find these answers using the search
language.
Learn with search assistant
In the "Start searching" topic, you were briefly introduced to Splunk's search
assistant. This subsection explains in more detail one of the ways you can use
the search assistant to learn about Splunk's search language and construct
searches.
1. Return to the search dashboard and restrict your search to Yesterday:
39
sourcetype=access_* status=200 action=purchase
As you type in the search bar, search assistant opens with syntax and usage
information for the search command (on the right side). If search assistant
doesn't open, click the down arrow under the left side of the search bar.
You've seen before that search assistant displays typeahead for keywords that
you type into the search bar. It also explains briefly how to search. We've already
gone through retrieving events. Now, let's start using the search commands.
2. Type a pipe character, " | ", into the search bar.
The pipe indicates to Splunk that you're about to use a command, and that you
want to use the results of the search to the left of the pipe as the input to this
command. You can pass the results of one command into another command in a
series, or pipeline, of search commands.
You want Splunk to give you the most popular items bought at the online
store--from this list, the top command looks promising.
3. Under common next commands, click top.
Splunk appends the top command to your search string.
According to search assistant's description and usage examples, the top
command "displays the most common values of a field".
4. Either click the category_id field in the list or type it into the search bar to
complete your search:
sourcetype=access_* status=200 action=purchase | top categoryId
This populates the Statistics tab below the search bar.
40
View reports in the Statistics tab
The results of a search are reports. The top command returns a tabulated report
for the most common values of category_id. Because top is a transforming
command, this report displays in the Statistics tab.
From this, you see that strategy games are by far the most popular item in the
online store.
The top command also returns two new fields: count is the number of times each
value of the field occurs, and percent is how large that count is compared to the
total count. Read more about the top command in the Search reference manual.
View and format reports in the Visualization tab
View the report in the Visualization tab. By default, the Visualizations opens with
a Column Chart.
If you click on the visualization type selector, you can see that Column, Bar, and
Pie charts are recommended for this data set. Select Pie chart:
41
Now, you report should look like this:
You can turn on drilldown to delve deeper into the details of the information
presented to you in the tables and charts that result from your search.
If you mouse over each slice of the pie, you will see the count and percentage
values for each categoryId. Click on a slice, such as "Strategy".
This runs a new search, specifically for categoryId=strategy.
sourcetype=access_* status=200 action=purchase category_id=strategy
Read more about drilldown actions in the Splunk Data Visualizations Manual.
42
Next steps
As you run more searches, you want to be able to save them and reuse them or
share them with other people. When you're ready, proceed to the next topic to
learn how to "Save reports".
Use a subsearch
This topic walks you through examples of correlating events with subsearches.
A subsearch is a search with a search pipeline as an argument. Subsearches are
contained in square brackets and evaluated first. The result of the subsearch is
then used as an argument to the primary, or outer, search. Read more about how
subsearches work in the Search manual.
Why use a subsearch?
Let's try to find the single most frequent shopper on the Buttercup Games online
store and what this customer has purchased.
To do this, you would first search for the customer who accessed the online shop
the most.
1. Use the top command:
sourcetype=access_* status=200 action=purchase | top limit=1 clientip
Limit the top command to return only one result for the clientip. If you wanted
to see more than one "top purchasing customer", change this limit value. For
more information about usage and syntax, refer to the "top" command's page in
the Search Reference Manual.
This search returns one clientip value, which we'll use to identify our VIP
customer.
2. Use the stats command to count this VIP customer's purchases:
43
sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 |
stats count, dc(productId) by clientip
This search used the count() function which only returns the total count of
purchases for the customer. The dc() function is used to count how many
different products he buys.
The drawback to this approach is that you have to run two searches each time
you want to build this table. The top purchaser is not likely to be the same person
at any given time range.
Example 2: With a subsearch
1. Use a subsearch to run the searches from Part 1 inline. Type or copy/paste in:
sourcetype=access_* status=200 action=purchase [search
sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count, dc(productId), values(productId) by
clientip
Here, the subsearch is the segment that is enclosed in square brackets, []. This
search, search sourcetype=access_* status=200 action=purchase | top
limit=1 clientip | table clientip is the same as Example 1 Step 1, except
for the last piped command, | table clientip
Because the top command returns count and percent fields as well, the table
command is used to keep only the clientip value.
These results should match the previous result, if you run it on the same time
range. But, if you change the time range, you might see different results because
the top purchasing customer will be different!
2. Reformat the results so that it's easier to read:
sourcetype=access_* status=200 action=purchase [search
sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count AS "Total Purchased", dc(productId) AS
"Total Products", values(productId) AS "Products ID" by clientip |
rename clientip AS "VIP Customer"
44
Next steps
While this report is perfectly acceptable, you can make it better still. For example,
what is actually being purchased and how much did the customer spend? The
productId field itself is not descriptive. In the next topic, you'll learn about adding
new information to your events using field lookups.
Use field lookups
This topic walks you through using field lookups to add new fields to your events.
Field lookups enable you to reference fields in an external CSV file that match
fields in your event data. Using this match, you can enrich your event data by
adding more meaningful information and searchable fields to them.
Download and uncompress the following file:
http://docs.splunk.com/images/d/db/Prices.csv.zip
Important: To complete the rest of the tutorial, you have to follow the procedures
in this topic. If you don't follow this topic, the searches in the following topics will
not produce the correct results.
Find the Lookups manager
1. In the Splunk bar, on the upper right corner, click on Settings.
2. Under Knowledge, click Lookups.
45
This opens the Lookups editor where you can create new lookups or edit existing
ones. You can view and edit existing lookups by clicking on the links in the table
for Lookup table files, Lookup definitions, and Automatic lookups. To add
new lookups, just click Add new under Actions for that lookup item.
Upload the lookup table file
In the Lookups manager:
1. Under "Actions" for Lookup table files click Add new.
This takes you to the Lookups > Lookup table files > Add new view where you
upload CSV files to use in your definitions for field lookups.
2. Leave the Destination app as search.
This tells Splunk to save your lookup table file in the Bubbles app.
3. Under Upload a lookup file, browse for the CSV file (prices.csv) to upload.
4. Under Destination filename, name the file prices.csv.
46
This will be the name you use to refer to the file in a lookup definition.
5. Click Save.
This returns you to the lookup table files list.
Note: If Splunk does not recognize or cannot upload the file, check that it was
uncompressed before you attempt to upload it again.
6. Share the lookup file globally. Under Sharing, click permissions:
This opens the Permission dialogue for the prices.csv lookup file.
7. Under Object should appear in, select "All apps".
8. Click Save.
This uploads your lookup file to Splunk to the Search app, but now you need to
define the type of lookup you want to set up.
Note: If the lookup file isn't shared, you will not be able to select it when you
define the lookup.
6. Click Lookups in the breadcrumb to return to the Lookups manager.
Define the field lookup
In the Lookups manager:
1. Under Actions for Lookup definitions, click Add New.
This takes you to the Lookups > Lookup definitions > Add new view where
you define your field lookup.
47
2. Leave the Destination app as search.
3. Name your lookup prices_lookup.
4. Under Type, select File-based.
There are two types of field lookups:
File-based lookups are ones that add fields from a static table, usually a
CSV file.

External lookups are ones that add fields from the output of an external
command, usually a Python script.

5. Under Lookup file, select prices.csv (the name of your lookup table).
6. Leave Configure time-based lookup and Advanced options unchecked.
7. Click Save.
Now Splunk knows that prices_lookup is a file-based lookup.
8. Share the lookup definition globally. Under Sharing, click permissions:
This opens the Permission dialogue for the prices.lookup.
9. Under Object should appear in, select "All apps".
48
10. Click Save.
Make the lookup automatic
In the Lookups manager:
1. Under Actions for Automatic lookups, click Add New.
This takes you to the Lookups > Automatic lookups >> Add New view where
you configure the lookup to run automatically.
2. Leave the Destination app as search.
3. Name your automatic lookup price_lookup.
4. Under Lookup table, select price_lookup.
5. Under Apply to and named, select sourcetype and type in
access_combined_wcookie.
6. Under Lookup input fields type in:
The input field is the field in your event data that you are using to match the field
in the lookup table.
49
This tells Splunk Enterprise to match the field in the lookup table (which is the
one specified on the left) with the field on the right (which is the field in your
events). In this case the field names match.
7. Under Lookup output fields, type in the following. Use the Add another field
link to add more fields after the first one:
The output fields are the field(s) in the lookup table that you want to add to your
event data based on the input field matching. Here, you are adding the fields:
price, which contains the price for each productId, and product_name, which
contains the descriptive name for each productId.
This tells Splunk Enterprise that you want to add the values of the fields from the
lookup table (which are on the left) into the fields in the events (which are on the
right). In this case, you're also renaming the field product_name to productName
and keeping the price field name the same.
8. Leave Overwrite field values unchecked.
If you check this box, Splunk will overwrite any fields that exist in your event data
with values from the corresponding field that you map to it from the lookup table.
Since you are adding two new fields, you don't need to worry about this option.
9. Click Save.
This returns you to the list of automatic lookups and you should see your
configured lookup:
10. Return to Search and run the search for web access activity:
sourcetype=access_*
When you scroll through the fields sidebar or Fields dialog, you should see the
new fields for price and productName. Click All fields and add them to the
Selected fields list:
50
Search with the new lookup fields
Now you can run the previous subsearch example to see what the VIP customer
bought. This time, replace the product_id field with the more readable
product_name:
sourcetype=access_* status=200 action=purchase [search
sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count AS "Total Purchased", dc(productId) AS
"Total Products", values(productName) AS "Product Names" by clientip |
rename clientip AS "VIP Customer"
The result is exactly the same as in the previous subsearch example, except that
the VIP customer's purchases are more meaningful and descriptive!
Don't close this just yet. In the next chapter you will walk through saving this as a
report called "VIP Customer".
Next steps
When you're ready, proceed to the next chapter to learn about saving and
sharing reports.
51
Part 6: Saving and sharing Reports
About saving and sharing reports
In the last chapter you learned the basics of searching in Splunk, and how to use
a subsearch and add field from lookup tables. You will walkthrough more search
examples in this chapter, but first, let's talk about saving and sharing the results
of a search as a report.
Save as a report
Recall the previous search example:
sourcetype=access_* status=200 action=purchase [search
sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count AS "Total Purchased", dc(productId) AS
"Total Products", values(productName) AS "Product Names" by clientip |
rename clientip AS "VIP Customer"
If you don't have the report still open, run the search again. To save it as a report:
1. Above the search bar, click Save as and select Report.
This opens the Save as Report dialog.
2. Enter a Title VIP Customer and Description (optional).
52
3. Since the report is a table, for Visualization, click None.
4. To include a Time Range Picker, click Yes.
5. Click Save.
The Your report has been created window opens.
There are other options in this window. Continue Editing lets you refine the
search and report format. You can also Add to dashboard, but this will be
covered in a later chapter. You can also click View to view the report.
Find and share saved reports
You can access your saved reports by clicking on Reports in the app navigation
bar. This opens the Reports listing page:
When you save a new report, its Permissions are set to "Private" by default. This
means that only you can view and edit the report. You can allow other apps to
view, or edit, or view and edit the reports by changing its Permissions.
To share the VIP Customers report with everyone,
1. Under Actions, click Edit and select Edit Permissions.
53
This opens the Edit Permissions dialog.
2. Next to Display for, click App and check the box under Read for Everyone.
This gives everyone who has access to this app the permission to view it.
3. Click Save.
Back at the Reports listing page, you should see the Sharing for VIP Customer
now reads App.
View and edit saved reports
From the reports listing page, click VIP Customer to open the report.
54
You saved this report with a time range picker, which is located to the top left.
The time range picker enables you to change the time period to run this search.
For example, you can use this time range picker to run this search for the VIP
Customer Yesterday, the day before, or last month just by selecting the Preset
time range or defining a custom time range. For more information on how to do
this, read "About the time range picker" earlier in this tutorial.
Other actions you can take on a saved report is Edit its properties, view More
Info, and Add to dashboard.
About report acceleration
If your search has a large number of events and is slow to complete, you may be
able to accelerate the resulting report so it completes faster when you run it
again in the future. This option is only available when the report produced by
your search qualifies for acceleration. This report does because it is based on a
transforming search.
The sample data used in this tutorial is pretty limited in volume and the searches
throughout are run against data for one day (Yesterday). Checking this box won't
have a noticeable affect on the speed of this search and all upcoming searches
you will save in this Tutorial.
Read more about report acceleration and the kinds of searches that enable
reports to qualify for report acceleration in the "Accelerate Reports" topic in the
Reporting Manual.
Next steps
Continue to the next topic to run more search examples and save more reports.
55
More searches and reports
Now, let's run through some more examples of reporting searches.
Example 1: Compare the number of views to purchases
In this example, calculate the number of views and number of purchases for each
type of product.
1. Run this search:
sourcetype=access_* status=200 | chart count AS views
count(eval(action="addtocart")) AS addtocart
count(eval(action="purchase")) AS purchases by productName | rename
productName AS "Product Name", views AS "Views", addtocart AS "Adds to
Cart", purchases AS "Purchases"
The chart command is used to count the number of events that are
action=purchase and action=addtocart. You can format the visualization as a
column chart:
Alternatively, you can use the stats command to create a table of the same
statistics, and more:
sourcetype=access_* status=200 | stats count AS views
count(eval(action="addtocart")) AS addtocart
count(eval(action="purchase")) AS purchases by productName | eval
viewsToPurchase=(purchases/views)*100 | eval
cartToPurchase=(purchases/addtocart)*100 | table productName views
addtocart purchases viewsToPurchase cartToPurchase | rename productName
AS "Product Name" views AS "Views", addtocart as "Adds To Cart",
purchases AS "Purchases"
Here, the stats command is used instead of the chart command. The eval
command is used to define new fields, which are the percentage of views and
addtocart that lead to purchases.
56
2. Click Save As and select Report.
3. In the Save Report As dialog dialog, enter a Title "Comparison of Product
Views and Purchases" and a Description "The number of times a product is
viewed, added to cart, and purchased."
4. Click Save.
Example 2: Products purchased over time
For this report, chart the number of purchases that were completed for each item.
This report requires the product_name field from the fields lookup example.
If you didn't add the lookup, refer to that example and follow the procedure.
1. Search for:
sourcetype=access_* | timechart count(eval(action="purchase")) by
productName usenull="f" useother="f"
Once again, use the count() function. But also, use the usenull and useother
arguments to make sure the chart only counts events that have a value for
productName.
This produces the following statistics table:
2. Click on the Visualizations tab.
57
If you look at the chart selection menu, notice that Line, Area, and Column
visualizations are recommended.
If you select Line and format the Y-axis and Legend, you can produce this chart:
Now see how it looks as an Area or Column chart.
4. Save the report with the Title "Purchases by Product Name" and Description
"The number of purchases for each product."
Example 3: Purchasing trends
This example uses sparklines to trend the count of purchases made over time.
For stats and chart searches, you can add sparklines to their results tables.
Sparklines are inline charts that appear within the search results table and are
designed to display time-based trends associated with the primary key of each
row. For more information, read "Add sparklines to your search results" in the
Search Manual.
58
This example requires the producName field from the fields lookup example.
If you didn't add the lookup, refer to that example and follow the procedure.
1. Run the following search:
sourcetype=access_* status=200 action=purchase | chart count AS Total
by categoryId | rename categoryId AS "Category"
This search is similar to the last two searches you just ran to build reports. It uses
the chart command to count the number of purchases, action="purchase",
made for each product, productName. The difference here is that the count of
purchases is now an argument of the sparkline() function.
2.
sourcetype=access_* status=200 action=purchase| chart sparkline(count)
AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS
"Category"
3. Save this report and enter the Title (Purchasing trends) and Description (Count
of purchases with trending).
Next steps
Up to now, you've saved searches as Reports. Continue to the next topic to learn
about dashboards and how to save searches and reports as dashboard panels.
59
Part 7: Creating dashboards
About dashboards
Splunk makes it easy to interactively build and edit dashboards without writing a
single line of XML code.
Add a pivot you've just created to a new or existing dashboard: You
can jump right into dashboard creation after creating a pivot visualization
you like with the Create Dashboard Panel feature. It will guide you through
the process of creating a dashboard panel based on the search and
adding it to a new or preexisting dashboard. When you're done, you're still
in the Pivot view.

Use the Dashboard Editor to create dashboards and populate them
with dashboard panels: You can also use the Dashboard Editor to edit
existing dashboards. This method of dashboard creation is useful if you
have a set of pivot reports that you want to quickly base a set of
dashboard panels upon.

Change dashboard permissions
You can specify access to a dashboard from the Dashboard Editor. However,
your user role (and capabilities defined for that role) may limit the type of access
you can define.
If your Splunk user role is admin (with the default set of capabilities), then you
can create dashboards that are private, visible in a specific app, or visible in all
apps. You can also provide access to other Splunk user roles, such as user,
admin, and other roles with specific capabilities.
For additional information on setting up permissions for dashboards and other
knowledge objects refer to "Manage knowledge object permissions" in the Admin
manual.
Change dashboard panel visualizations
After you create a panel with the Dashboard Editor, use the Visualization Editor
to change the visualization type displayed in the panel, and to determine how
that visualization displays and behaves. The Visualization Editor only allows you
to choose from visualization types that have their data structure requirements
60
matched by the search that has been specified for the panel.
For an overview of the various visualization types offered by Splunk and
their formatting/display options, see the "Visualization reference" topic in
the Data Visualization manual.

For more information about the data structures required by of the various
visualization types see "Data structure requirements for visualizations" in
the Data Visualization manual.

Edit the XML configuration of a dashboard
Although you're not required to use XML to build dashboards, you can edit a
dashboard's panels by editing the XML configuration for the dashboard. This
provides editing access to features not available from the Dashboard Editor. For
example, edit the XML configuration to change the name of dashboard or specify
a custom number of rows in a table.
For more information about editing XML for dashboards created with the
Dashboard Editor, see "Build and edit dashboards with SimplifiedXML" in the
Developer manual.
Creating dashboards and dashboard panels
This topic walks you through saving a search as a dashboard panel and editing
the panel to add panels from saved reports.
Save a search as a dashboard panel
To save a search as a Dashboard Panel:
1. Run the following search (you might recall it from a previous topic):
sourcetype=access_* status=200 action=purchase | top categoryId
2. Click the Visualizations tab and select the Pie Chart type.
61
3. Above the search bar, click Save as and select Dashboard Panel.
This opens the Save as Dashboard Panel dialogue.
4. First, define a new dashboard to save the panel to:
For Dashboard, click New.
Enter the Dashboard Title: Buttercup Games Purchases. The
Dashboard ID will update with Buttercup_games_purchases.

Add a Dashboard Description: Reports on Buttercup Games successful
purchases data.

5. Now, you can define your dashboard panel:
Enter the Panel Title: Top Purchases by Category
Leave the Panel Powered By as Inline search.
62
6. Click Save.
The dashboard was successfully created. Now, let's take a look at it and add
more panels to the dashboard.
7. To continue, click View dashboard.
View and edit dashboard panels
After you save a dashboard, you can access it by clicking Dashboard in the app
navigation bar.
This takes you to the Dashboards listing page. From this page, you can Create a
new dashboard and edit existing dashboards. You should see the Buttercup
Games Purchases dashboard you just created.
63
If you click on the arrow under the i (information), you will see more information
about the dashboard: What app context it is in, whether or not it is scheduled,
and its permissions.
There are also quick links to edit the dashboard's Schedule and Permissions
inline with the information.
Add a saved report to the dashboard
Let's go back to the Buttercup Games dashboard.
1. Under Actions for Buttercup Games Purchases, click Edit and select Edit
Panels.
This takes you to the Buttercup Games Purchases dashboard panel editor view.
In this view, you have edit buttons: Add Panel, Add Time Range Picker, and
Edit Source.
64
2. Click Add Time Range Picker and leave the default as All time.
This time range picker will enable you to restrict all the inline searches that power
the panels to the same time range.
Let's add the another panel, one of the saved reports you created earlier, to the
dashboard.
3. Click Add Panel.
This opens the Add Panel dialog. Let's add a saved report.
4. For Content Type, click "Report" and select a saved report from the list,
Comparisons of Views, Adds to Cart, and Purchases.
5. Enter the Content Title, "Views, Adds to Cart, and Purchases".
6. Click Add Panel.
Now, when you return to the dashboard you should see two panels: "Top
Purchases by Category" and "Views, Adds to Cart, and Purchases".
While in the edit panels view, you can drag and drop a panel to rearrange it on
the dashboard.
7. Click Done.
Your dashboard should look like this:
65
Other actions you can take on a dashboard are view More Info, Export to PDF,
and Print.
Next steps
This completes the Search Tutorial. Continue to the next chapter to read about
what you can do next.
66
Next steps
More Splunk
This tutorial was a brief introduction to navigating the search interface and using
the search language. It walked you through running some basic searches and
saving the results as a report and dashboard, but it barely cut the surface of what
you can do with Splunk Enterprise. For more details refer to the following
manuals:
Search Manual: This manual explains how to search and use the Splunk
Search Processing Language (SPL?). Look here for more thorough
examples of writing Splunk searches to calculate statisitics, evaluate
fields, and report on search results.

Search Reference Manual: This manual provides a reference for the
Splunk Enterprise user who is looking for a catalog of the search
commands with complete syntax, descriptions, and examples for usage. If
you want to just jump right in and start searching, check out the Search
command cheat sheet--it's a quick guide, complete with descriptions and
examples.

Also, we encourage you to investigate the tutorial data, run more searches, and
create more dashboards! If you want to learn more about the data model and
pivot features of Splunk Enterprise, you can step through the Data Model and
Pivot Tutorial.
If you want to learn more about Splunk Enterprise features and how to use them,
check out our selection of Education videos and classes.
67