Basic Searching in Splunk Enterprise

Introduction

This tutorial provides a step-by-step guide on performing basic searches in Splunk Enterprise. It covers how to use the timeline, the time range picker, and how to interact with fields in the Splunk Search & Reporting app. Mastering these skills is essential for effectively analyzing and visualizing your data in Splunk.

Step 1: Accessing the Search & Reporting App

• Open your Splunk Enterprise instance in a web browser.
• Log in with your credentials.
• From the Splunk home screen, navigate to the "Search & Reporting" app. This is where you will perform your searches.

Step 2: Performing a Basic Search

• In the search bar at the top, enter your search query. For example:

  index=main sourcetype=access_combined
  

• Hit "Enter" to execute the search.
• Review the results displayed below the search bar. You can see the events listed chronologically.

Step 3: Using the Time Range Picker

• To refine your search based on time, locate the time range picker located at the top right of the search window.
• Click on the time range selector and choose from predefined options (e.g., Last 15 minutes, Last hour) or set a custom range by selecting "Custom."
• Once you’ve set your desired time range, click "Apply."

Step 4: Utilizing the Timeline

• After running your search, you can visualize the results using the timeline feature.
• The timeline is displayed below the search bar. It provides a graphical representation of the events over time.
• Hover over the timeline to see specific counts or click on segments to filter your results further.

Step 5: Working with Fields

• In the left sidebar, you'll see a list of fields extracted from your search results.
• Click on any field to view its values. For example, clicking on "status" will show you the different HTTP status codes returned in your logs.
• You can use fields to refine your searches. For instance, you can add a filter to your search query:

  index=main sourcetype=access_combined status=404
  

Step 6: Saving and Sharing Your Searches

• After conducting a search, you may want to save it for future use. Click on the "Save As" button at the top right.
• Choose "Report" or "Dashboard Panel" depending on your needs.
• Name your search and provide a description, then save it.

Conclusion

In this tutorial, you learned how to navigate the Splunk Search & Reporting app, perform basic searches, utilize the time range picker, visualize data using the timeline, and work with fields effectively. These foundational skills will aid you in data analysis and help you make informed decisions based on your findings. For further learning, explore more advanced search commands and data visualization options within Splunk.