Splunk Series: Basic Search

Basic search

The search assistant is a convenient way to start looking for something in particular. At this stage you can set a few different search criteria, such as a specific term, or search directly in a specific index.
The search assistant is flexible and presents you with different options. Before the first pipe (|), it matches on any term you type.

After the pipe (|) you can start using a list of commands to work with the data. When you hover your mouse over a command, the Assistant shows high-level information on how to use it.

Also, as you type, the Assistant presents you with different suggestions.

The search assistant is enabled by default in the SPL editor user preferences.


Viewing Search Results

A few things are worth highlighting when Splunk returns search results:

  • Matching results are returned immediately
  • Records are displayed in reverse chronological order
  • The matching terms are highlighted

A few things you can do after the search results are displayed:

Add items to the search right from the results


The SPL editor accepts time range abbreviations, such as the m, h and d units used in the examples below.

Snap time to the nearest specified unit
-30m@h: in this example the search started at 11:37:19. Going back 30 minutes gives 11:07:19, and the "@h" then snaps that time down to the start of the hour, so the search looks back to 11:00:00.

Time Range: Earliest and Latest
Time ranges can be specified in the search bar or in the editor. A few examples:

earliest=-h -> looks back 1 hour from now
earliest=-2d@d latest=@d -> from the start (midnight) of the day two days ago up to the start of today
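To make the offset-then-snap rule concrete, here is a small Python re-implementation of how Splunk resolves relative time modifiers such as -30m@h and -2d@d. This is an added example, not Splunk's code; it assumes a constructed reference clock (NOW) and handles only the s/m/h/d/w units and the @-snap, not month/year units or weekday snaps like @w1.

```python
import re
from datetime import datetime, timedelta

# Constructed reference clock for the examples (the post's 11:37:19 case).
NOW = datetime(2024, 1, 15, 11, 37, 19)

# Subset of Splunk time units handled here (assumption: mon/y and weekday
# snaps such as @w1 are left out because they need calendar arithmetic).
UNIT = {"s": timedelta(seconds=1), "m": timedelta(minutes=1),
        "h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}
OFFSET = re.compile(r"([+-])(\d*)([smhdw])")

def apply_offsets(text: str, t: datetime) -> datetime:
    """Apply a run of offsets such as '-2d' or '-1d+3h'; a missing count means 1."""
    if not re.fullmatch(r"(?:[+-]\d*[smhdw])*", text):
        raise ValueError(f"bad time offset: {text!r}")
    for sign, count, unit in OFFSET.findall(text):
        delta = UNIT[unit] * int(count or 1)
        t = t + delta if sign == "+" else t - delta
    return t

def snap(t: datetime, unit: str) -> datetime:
    """Snap backwards to the start of the unit: Splunk always rounds down."""
    t = t.replace(microsecond=0)
    if unit in "mhdw":
        t = t.replace(second=0)
    if unit in "hdw":
        t = t.replace(minute=0)
    if unit in "dw":
        t = t.replace(hour=0)
    if unit == "w":                        # @w snaps to the previous Sunday
        t -= timedelta(days=(t.weekday() + 1) % 7)
    return t

def resolve(modifier: str, now: datetime = NOW) -> datetime:
    """Resolve one earliest/latest value of the form [offset][@unit[offset]] or 'now'."""
    if modifier in ("", "now"):
        return now
    before, at, after = modifier.partition("@")
    t = apply_offsets(before, now)         # 1. offset relative to now
    if at:
        if not after or after[0] not in UNIT:
            raise ValueError(f"bad snap unit in {modifier!r}")
        t = snap(t, after[0])              # 2. snap down to the unit boundary
        t = apply_offsets(after[1:], t)    # 3. optional offset after the snap
    return t

def window(earliest: str, latest: str = "now", now: datetime = NOW):
    """Return the (start, end) bounds a search with these modifiers would cover."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError("earliest is after latest")
    return start, end
```

With NOW at 11:37:19, resolve("-30m@h") gives 11:00:00 and window("-2d@d", "@d") gives midnight two days ago up to midnight today, matching the examples above.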


Important highlights from the timeline

When you hover the mouse over the timeline, new options appear and show you exactly how many events fall on each day. When you click on a particular day, the results change to show only the day you selected.
Click and drag also works when you need to select multiple days at a time.

There are many other tips and tricks on how to use the timeline in Splunk:
https://docs.splunk.com/Documentation/Splunk/latest/Search/Usethetimeline?r=searchtip

What is next?

Saving Search Jobs

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as for financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and hosted IPT service provider infrastructures.

You can follow Andres on Twitter, LinkedIn or Facebook.
