Splunk Basic Searches

In this section, we are going to learn about the Basic Searches in the Splunk. We will also learn about the matching string, matches searches, how to retrieve events form the index, understanding search result, timeline of the event and pattern visualization and statistics.

We build searches in this section that retrieve events from the index.

The data for this tutorial is taken from titaniac.csv file, which we have uploaded earlier while the data ingestion. The file contains the information of the peoples who were present on the titanic.

Matching Searches

The Search manager also returns matching searches, which are based on your recent searches. The list of matching searches is useful if you want to run the same search from yesterday or from a week ago. When you log out, your search history will be retained.

After you start learning the search language, the search assistant becomes more useful. The search wizard shows command information when you type search commands.

Retrieve events from the index

Let's seek to figure out how many events are there in our titanic.csv file.

You type the keywords in your search field to retrieve events that list errors or failures. If you're using several keywords, you need to define Boolean operators like AND, OR, and NOT.

The AND logical operator is implied when you type in multiple keywords.

For example, typing class is the same as typing titanic AND class.

I am setting the time zone for effective searching.

  1. Start a new search.
  2. Change the Time range to All times, which is by default 24 Hours.
  3. To search for the terms like error, fail, failure, failed, or severe, in the events.
  4. Click the Search icon present at the right of the time range picker to run the search.

For better understanding, take a look at the image below.

Splunk Basic Searches

Remember that Boolean operators must be capitalized on. The symbol asterisk (*) is used as a wildcard symbol to match loss, loss, failure, failure, etc.

Words within parentheses are given priority when evaluating Boolean expressions. NOT clauses shall be determined before the OR clauses. The lowest precedence is given to clauses AND.

Understanding search results

  • There are four tabs below the Search bar: Activities, Patterns, Statistics, and Visualization.
  • The type of search commands you are using decides what tab appears on the search results. You'll deal with the Events tab in the early portions of this tutorial. You'll later hear about the other tabs in this tutorial.
  • The tab Events displays the timeline of the events, the options list, the sidebar Fields.
  • The events appear by default as a list that is ordered, starting with the most recent event. The corresponding search words shall be highlighted in every case.
  • The choice List show displays the details in three columns about the case.

Change the display of the Events viewer.

  1. Select the Listoption and click on the Table. The change in the display is done to show the event information column, the timestamp, and columns for each of the Selected fields.
  2. Change the display back to the list.

Timeline of events

The Event Timeline is a visual representation of the number of events occurring at each point in time. There are clusters of bar patterns, as the timeline changes with the search results. The height of each bar shows the number of occurrences. Timeline peaks or valleys can signify activity spikes or server downtime. The timeline shows incident trends or peaks and lows of event activity. The choices for the timetable are above the timeline. You can zoom in, zoom out, and adjust the timeline chart's size.

Fields sidebar

  • When adding data to the Splunk platform, it indexes the data. Information is extracted from the data as part of the indexing process, and structured as name and value pairs, called fields. When you run a search, next to your search results, the fields will be marked and described in the sidebar Fields. Fields are broken down into two groups.
  • Selected fields are visible in the event results. By default, host, source, and source type appear. You can choose other fields to show in your events in your results.
  • Interesting fields are the fields that have been extracted from the events.

You can hide the field's sidebar to maximize the results area.

Patterns, Visualizations, and Statistics

The Patterns tab represents a list of the most common patterns in the collection of events that your search returns. Each of these patterns represents incidents having a common structure.

When you run a quest, the Statistics tab populates with transforming commands such as stats, top, map, etc.

The Visualization tab also fills in searches with transforming commands. The Visualizations tab results region contains a diagram and the statistics table used to create the diagram.

You'll learn how to convert commands, and use the tabs Statistics and Visualizations, later in the tutorial.

How to search in Splunk

Splunk has a new and fast searching functionality. It helps us to search the whole data set that is ingested in Splunk. We can use this feature just by clicking on the Search & Reporting option present on the left side of your Splunk platform. Click on it.

Splunk Basic Searches

After you click on this option, a new page will appear on the screen stating New Search on the top of the window.

Here we are given a search bar on the top where we can search anything we want from our uploaded database.

We will write the index and the name, as shown in the image below, that we provided in our index name while we uploaded the data in the Data Ingestion tutorial. We can press the enter button from our keyboard, or we can also click on the search icon that is present on the right end of the search bar.

Note

  • Make sure you set the time zone of the search to the All-Time as we have discussed at the starting of this tutorial under the heading Setting the time zone for effective searching.
  • It is a very important step to set the time of searching as the default feature of Splunk is that provides timestamp to every data that comes in and goes out of the Splunk.
  • Many times, it happens that we search our data in the wrong time zone due to which we are not able to get the effective result from our Splunk platform. In this time zone, we have several options with the help of which we can effectively set out the time zone. We can set it in the Real-Time, Relative Time or All time.
  • We can also set the date in our time zone option between which we want our data to be effectively searched.

As we click on the Search button after setting up the right time zone, we will get the result. The result will consist of all the data that is associated with the index named as titanic, as we can see on our screen.

Splunk Basic Searches

Combining Searching Terms

We can also search on our search bar by combining the different search perimeter's in it. But we have to make sure that the searching term must be in the same format as it is in the file or the Fields because Splunk searching is case sensitive.

Sometimes writing the string may not return the value, so we must take care that for combining the different search perimeter, we must write the search string under the double-quotes.

Splunk Basic Searches

Using the wildcard

We can also use the wild card for effective searching in our data set. We can also combine our wild card with other logical operators like AND, OR. In the search below, we are searching for all the hometowns in our data set that starts with letter P in the data set. After pressing the enter button, we get the following result of all the events on our screen. This is a list of all the peoples that are having their hometown name starting with the letter P.

Splunk Basic Searches

Refinement of Search Result

We can also refine our search results to get the optimum output from our data. We can further improve it also by just adding a string to our search space. We just need to write the string into our search bar and click on the search button to search it.

In the example below, we just want to search for the word Line in our dataset, so we just wrote Line in our search bar. Then the events returned contain the string that we searched for. For reference, you can have a look at the image below.

Splunk Basic Searches

Boom! You just learned how to search in the Splunk platform. Now go on hitting the platform and explore.






Latest Courses