Searches are the main way in which data is discovered, navigated, and understood. By limiting the data query through specifying indexes and other characterizing fields, and filtering the time period(s) of interest, users can narrow results to only the events of interest to them. Searches can be as specific or broad as necessary, and may even include subsearches or multisearches. By adding commands and statistical functions to a search, you can further transform events and generate statistical results.
Basic Searching in Splunk:
For a list of Example Searches which model common statistical arguments and NTerminal data types, please visit the “Example Searches and Common SPL Logic” section of the “DATA DISCOVERY” page.
Within the examples you will notice that each search starts with an implicit | search command, which filters results to match the given criteria; each of these searches begins by specifying the index(es) of interest, and then the fields and the values for those fields. It is best practice to optimize your searches by being as specific and exact as possible and by limiting the time range to only what you need. Additionally, you will see that statistical commands which process all returned search results (like | stats or | timechart) should usually be used at the end of the search.
Results from a search can be visualized in tables or charts by selecting the “Visualization” tab. Users can then save visualizations as dashboard panels or reports, or print them to PDF. The statistical results from a search can also be exported (please see the “Exporting Data” page for a step-by-step guide).