Slide 8: Basic Search
- Everything is searchable
- * wildcard supported
- Search terms are case insensitive
- Booleans AND, OR, NOT
  – Booleans must be uppercase
  – Implied AND between search terms
  – Use () for complex searches
- Quote phrases
Example searches on the slide: fail*   nfs error OR 404 error OR failed OR (sourcetype=access_*(500 OR 503))   "login failure"
Slide 10: Events
- Searches return events
- An event is a single piece of data in Splunk, like a record in a log file or other data input
- Splunk breaks up data into individual events and gives each a timestamp, host, source and source type
Slide 11: Selecting the Time Range
- By default, Splunk searches over all time
- Use the time range picker to narrow your search, or search in real time
Slide 12: Real-time Searching
- Real-time searching allows you to view events as they stream into Splunk
- Useful in troubleshooting an active issue or creating critical alerts
Slide 20: What are Fields?
- Fields give more focus to your searches
- There are 2 types of fields:
  – Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
  – Data-defined fields – fields specific to a given type of data
Slide 21: Discovering Fields
- Splunk extracts fields from events, for example, the action field
- In this set of events, the action field has five values
Slide 22: Use the Field Sidebar
Callouts on the screenshot:
- remove events from results that don't have the field
- create reports
- click on a value to add to the search
- ALT + click on a value to remove from a search
Slide 23: Searching with Fields
- This search example returns events where:
  – The sourcetype (or type of data) is apache weblogs
  – The action field has a value of purchase
  – The HTTP status returned was NOT 200
Search: sourcetype=access_* action=purchase status!=200
Callout: 72 events where an e-commerce purchase failed because of an HTTP error
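To make the search semantics of slide 8 (implied AND, uppercase-only booleans, parentheses, the * wildcard, case-insensitive terms, quoted phrases) and the field searching of slides 20, 21 and 23 (default fields host/source/sourcetype, data-defined fields such as action and status, and field!=value) concrete, here is an added example: a small Python evaluator of that search syntax over a handful of constructed log events. It is not code from the slides or from Splunk; the sample events, the regex that stands in for Splunk's access-log field extraction, and the whole-token matching rule are assumptions made for the illustration.

```python
import re

# Constructed sample events (not from the slides): host, source and sourcetype
# are the default fields Splunk gives every event; _raw is the event text.
ACCESS = ("/var/log/httpd/access.log", "access_combined")
ROWS = [
    ("web01", *ACCESS, '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /cart.do?action=purchase&itemId=EST-14 HTTP/1.1" 200 2345'),
    ("web01", *ACCESS, '10.0.0.6 - - [12/Mar/2024:10:01:09 +0000] "POST /cart.do?action=purchase&itemId=EST-7 HTTP/1.1" 503 512'),
    ("web02", *ACCESS, '10.0.0.7 - - [12/Mar/2024:10:02:30 +0000] "POST /cart.do?action=purchase&itemId=EST-21 HTTP/1.1" 500 611'),
    ("web02", *ACCESS, '10.0.0.8 - - [12/Mar/2024:10:03:01 +0000] "GET /cart.do?action=addtocart&itemId=EST-3 HTTP/1.1" 404 301'),
    ("auth01", "/var/log/secure", "linux_secure", "Mar 12 10:04:15 auth01 sshd[2231]: login failure for user admin from 10.0.0.9"),
    ("nfs01", "/var/log/messages", "syslog", "Mar 12 10:05:00 nfs01 kernel: nfs: server fs01 not responding, error 5, mount failed"),
]
EVENTS = [dict(zip(("host", "source", "sourcetype", "_raw"), row)) for row in ROWS]

# Data-defined fields: a constructed regex standing in for the extraction Splunk
# derives for web access logs (action from the query string, then HTTP status).
EXTRACTORS = {"access_combined": re.compile(r'action=(?P<action>\w+).*?" (?P<status>\d{3}) ')}

def fields_of(event):
    """Default fields plus any data-defined fields extracted from _raw."""
    fields = {k: v for k, v in event.items() if k != "_raw"}
    rx = EXTRACTORS.get(event["sourcetype"])
    if rx and (m := rx.search(event["_raw"])):
        fields.update(m.groupdict())
    return fields

def glob_regex(glob):
    return ".*".join(re.escape(part) for part in glob.split("*"))  # '*' is the only wildcard

# Tokens: parentheses, quoted phrases (also field="some value"), bare words.
TOKEN = re.compile(r'\(|\)|[^\s()"]*"[^"]*"|[^\s()"]+')

class Query:
    """Recursive-descent parser. OR binds loosest, AND (explicit or implied between
    adjacent terms) tighter, NOT tightest. Only uppercase AND/OR/NOT are operators."""
    def __init__(self, text):
        self.toks, self.i = TOKEN.findall(text) + [None], 0  # None marks the end
        self.tree = self.or_expr()
        if self.toks[self.i] is not None:
            raise ValueError("unbalanced parentheses in query")

    def take(self):
        tok = self.toks[self.i]
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def or_expr(self):
        left = self.and_expr()
        while self.toks[self.i] == "OR":
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.unary()
        while self.toks[self.i] not in (None, ")", "OR"):  # implied AND
            if self.toks[self.i] == "AND":
                self.take()
            left = ("and", left, self.unary())
        return left

    def unary(self):
        tok = self.take()
        if tok == "NOT":
            return ("not", self.unary())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        m = re.fullmatch(r'(\w+)(!=|=)"?([^"]*)"?', tok)
        if m:
            return ("field",) + m.groups()
        return ("term", tok.strip('"'))

def matches(node, event, fields):
    kind = node[0]
    if kind == "and":
        return all(matches(n, event, fields) for n in node[1:])
    if kind == "or":
        return any(matches(n, event, fields) for n in node[1:])
    if kind == "not":
        return not matches(node[1], event, fields)
    if kind == "term":  # case-insensitive, wildcard, whole-token match on _raw
        rx = r"(?<!\w)" + glob_regex(node[1]) + r"(?!\w)"
        return re.search(rx, event["_raw"], re.IGNORECASE) is not None
    _, name, op, value = node
    if name not in fields:  # field!=value only matches events that HAVE the field
        return False
    equal = re.fullmatch(glob_regex(value), fields[name], re.IGNORECASE) is not None
    return equal if op == "=" else not equal

def search(query_text, events=EVENTS):
    """Indices of the events matching query_text (searched over all time)."""
    tree = Query(query_text).tree
    return [i for i, e in enumerate(events) if matches(tree, e, fields_of(e))]
```

Running `search("sourcetype=access_* action=purchase status!=200")` returns the two failed purchases (events 1 and 2), and `search("nfs or error")` returns nothing because lowercase `or` is just another term that must appear in the event. The evaluator also makes one caveat of slide 23 visible: `status!=200` requires the status field to exist, so the auth and NFS events are excluded, whereas `NOT status=200` includes them.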
Slide 24: Quick Reporting
Callout: Click to generate a quick report
Slide 29: Beyond the Basics
- Splunk has many powerful features and search commands that allow you to
  – Create alerts
  – Capture and share knowledge
  – Calculate statistics
  – Format and organize values within search results
  – Create compelling data visualizations and reports
  – And more!
- Learn about these features in Splunk Educational offerings (shameless plug)