Uploaded bySplunk
SplunkLive! Washington DC May 2013 - Search Language Beginner
This document provides an agenda and overview for a beginner Splunk search language training. The agenda includes getting started, basic searching, navigating search results, using fields, saving searches, and next steps. It describes the presenter's experience and provides guidance on basic search concepts like wildcards, booleans, phrases, timestamps, and events. It demonstrates how to navigate results through clicking terms, the timeline, and custom time ranges. It also shows how to discover and search using fields as well as save and run saved searches. Finally, it suggests next steps in learning more advanced Splunk features and provides options for additional training.
More Related Content
Similar to SplunkLive! Washington DC May 2013 - Search Language Beginner
![[DevFest Strasbourg 2025] - NodeJs Can do that !!](https://cdn.slidesharecdn.com/ss_thumbnails/devfeststrasbourg2025-nodejscandothat-251127142731-da65b6fd-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...](https://cdn.slidesharecdn.com/ss_thumbnails/md-craftingimmersiveuiwithe2eandagslshaderveronicaputrianggraini-251124030840-0c677f44-thumbnail.jpg?width=640&height=640&fit=bounds)
SplunkLive! Washington DC May 2013 - Search Language Beginner
- 1. Copyright © 2013 Splunk Inc. Search Language -‐ Beginner Dan Plaza, Senior Instructor
- 2. Agenda GeEng Started Basic Searching NavigaHng through Results Using Fields Saving Searches Next Steps 2
- 3. About Your Presenter ! Senior Instructor ! Splunker since November 2010 ! Experience in database, security, web apps and compliance standards ! Constantly amazed by the cool stuff Splunk can do 3
- 4.
- 5. 5 Launching the Search App
- 6. 6 Summary View current view global stats menus and action links time range picker data sources search search box
- 7.
- 8. 8 Basic Search Everything is searchable ! * wildcard supported ! Search terms are case insensiHve ! Booleans AND, OR, NOT – Booleans must be uppercase – Implied AND between search terms – Use () for complex searches ! Quote phrases fail* fail* nfs error OR 404 error OR failed OR (sourcetype=access_*(500 OR 503)) "login failure"
- 9. 9 Search Results timeline field sidebar timestamp event data Highlighted search terms
- 10. 10 Events ! Searches return events ! An event is single piece of data in Splunk, like a record in a log file or other data input ! Splunk breaks up data into individual events and gives each a *mestamp, host, source and source type 10
- 11. 11 SelecHng the Time Range ! By default, Splunk searches over all Hme ! Use the Hme range picker to narrow your search, or search in real Hme
- 12. 12 Real-‐Hme Searching ! Real-‐Hme searching allows you to view events as they stream into Splunk ! Useful in troubleshooHng an acHve issue or creaHng criHcal alerts
- 13.
- 14. 14 NavigaHng Search Results – Click Click a term in the events to add it to the search
- 15. 15 NavigaHng Results – Alt+Click alt+click a term in the events to remove events with that term from the results
- 16. 16 NavigaHng Results – Timeline Click a bar in the timeline to drill-down to events that occurred in that time period
- 17. 17 NavigaHng Results – Timeline (cont.) These are not functional unless part of the timeline is selected You can also zoom out to broaden the time range
- 18. 18 IndicaHng a Custom Time Range ! Select custom Hme from the Hme range picker to indicate specific date or relaHve Hme ranges
- 19.
- 20. 20 What are Fields? ! Gives more focus to your searches ! There are 2 types of fields: – Default fields – host, source, sourcetype. These fields exist for every event in Splunk. – Data-‐defined fields – fields specific to a given type of data
- 21. 21 Discovering Fields ! Splunk extracts fields from events, for example, the acHon field ! In this set of events, the acHon field has five values
- 22. 22 remove eventsfrom results that don’t have the field create reports click on a value to add to the search ALT + click on a value to remove from a search Use the Field Sidebar
- 23. 23 Searching with Fields ! This search example returns events where: – The sourcetype – or type of data – is apache weblogs – The ac*on field has a value of purchase – The HTTP status returned was NOT 200 sourcetype=access_* action=purchase status!=200 72 events where an e-commerce purchase failed because of an HTTP error!!
- 24. 24 Quick ReporHng Click to generate a quick report
- 25.
- 26. 26 Saving a Search 1. Click the Save menu 2. Select Save Search… 3. Name the search – You can also edit the search string and Hme – OpHonally, share the search with other users tag="webfarm"
- 27. 27 Running a Saved Search ! Run saved searches from the Searches and Reports menu ! Lists all searches you have created or have permission to run
- 28.
- 29. Beyond the Basics 29 ! Splunk has many powerful features and search commands that allow you to – Create Alerts – Capture and share knowledge – Calculate staHsHcs – Format and organize values within search results – Create compelling data visualizaHons and reports – And more! ! Learn about these features in Splunk Educa*onal offerings (shameless plug)
- 30. Learn More Cool Stuff 30
- 31. Akend a Free Class 31
- 32.
- 33. Build Your Own Learning Lab 33 Download the Splunk Enterprise Trial & build your own sandbox
- 34.