Splunk .conf2011: Search Language: Beginner

Did you know you can do crazy useful things with Splunk's search language? Sort, use fields, apply wildcards – but even better, it allows you to drill down into the results using the timeline in Splunk's Search interface. This session will show some concrete examples of how to use Splunk with web access and other types of commonly used data so you can craft simple but powerful searches based on what's interesting in your data. Learn the basics of the Splunk search language in this beginner class, then move on to the Intermediate and Advanced classes to become a real pro.

Slide 1: Search Language - Beginner
Dan Plaza, Sr. Instructor

Slide 2: Agenda
  • Getting started – Search summary view
  • Running basic searches and viewing results
  • Navigating through search results
  • Understanding and using fields in search
  • Saving searches

Slide 3: About Your Presenter
  • Dan Plaza – Senior Instructor – Splunk
  • Splunker since November 2010
  • Experience in database, security, web apps and compliance standards
  • Constantly amazed by the cool stuff Splunk can do

Slide 4: Getting started

Slide 5: Launching the Search App

Slide 6: Summary View
  (screenshot callouts: current view, global stats, menus and action links, time range picker, data sources, "do it" button, search box)

Slide 7: Basic Searching

Slide 8: Basic Search
  • Everything is searchable
  • * wildcard supported
  • Search terms are case insensitive
  • Booleans AND, OR, NOT
    - Booleans must be uppercase
    - Implied AND between search terms
    - Use () for complex searches
  • Quote phrases

Slide 9: Search Results
  (screenshot callouts: timeline, field picker, timestamp, event data, highlighted search terms)

Slide 10: Events
  • Searches return events
  • An event is a single piece of data in Splunk, like a record in a log file or other data input
  • Splunk breaks up data into individual events and gives each a timestamp, host, source and source type

Slide 11: Selecting the Time Range
  • By default, Splunk searches over all time
  • Use the time range picker to narrow your search, or search in real time

Slide 12: Real-time Searching
  • Real-time searching allows you to view events as they come in
  • Useful in troubleshooting an active issue or creating critical alerts

Slide 13: Navigating Through Results

Slide 14: Navigating Search Results – Click
  • Click a term in the events to add it to the search

Slide 15: Navigating Results – Alt+Click
  • Alt+click a term in the events to remove events with that term from the results

Slide 16: Navigating Results – Timeline
  • Click a bar in the timeline to drill down to events that occurred in that time period

Slide 17: Navigating Results – Timeline (cont.)
  • "Select all" returns to the original timeframe
  • You can also zoom in / zoom out to narrow or broaden the time range

Slide 18: Indicating a Custom Time Range
  • Select custom time from the time range picker to indicate specific date or relative time ranges

Slide 19: Using Fields

Slide 20: Fields
  • Fields turn plain old log data into Splunked data
  • There are 2 types of fields
    - Default fields – host, source, sourcetype. These fields exist for every event in Splunk.
    - Data-defined fields – fields that are specific to a given type of data

Slide 21: Identify the Fields
  • Splunk identifies fields in events, including the action field
  • In these events, the action field has five values

Slide 22: Use the Field Picker
  • Remove events from results that don't have the field
  • Create reports
  • Click on a value to add it to the search
  • Alt+click on a value to remove it from a search

Slide 23: Searching with Fields
  • This search example returns events where:
    - The sourcetype – or type of data – is apache weblogs
    - The action field has a value of purchase
    - The HTTP status returned was NOT 200
  Search: sourcetype=access_* action=purchase status!=200
  Result: 36 events where an e-commerce purchase failed because of an HTTP error!
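As an added example (not code from the slides or from Splunk), the following Python toy evaluator implements exactly the rules stated on the Basic Search slide and runs the field search from the Searching with Fields slide over a handful of constructed sample events; the EVENTS list, the search() helper and the event field names are assumptions of this example, as is the choice that field!=value only matches events that carry the field.

```python
# Added toy evaluator (not Splunk code) for the rules the slides state: case-insensitive
# terms, * wildcard, uppercase AND/OR/NOT, implied AND, parentheses, quoted phrases, field=value.
import re
from fnmatch import fnmatchcase
EVENTS = [  # constructed sample events: raw text plus the fields Splunk would extract from it
    {"_raw": "GET /cart/purchase 200", "sourcetype": "access_combined", "action": "purchase", "status": "200"},
    {"_raw": "GET /cart/purchase 503", "sourcetype": "access_combined", "action": "purchase", "status": "503"},
    {"_raw": "GET /cart/view 500", "sourcetype": "access_combined", "action": "view", "status": "500"},
    {"_raw": "purchase failed with 500 and rolled back", "sourcetype": "app_log", "action": "purchase", "status": "500"},
]

def tokenize(query):  # quoted phrases -> ("phrase", text); parentheses and bare words -> ("tok", text)
    return [("phrase", m.group(1)) if m.group(1) is not None else ("tok", m.group(0))
            for m in re.finditer(r'"([^"]*)"|\(|\)|[^\s()]+', query)]

def parse(toks):  # recursive descent over the token list; returns a predicate over one event dict
    peek = lambda: toks[0] if toks else None
    def or_expr():
        left = and_expr()
        while peek() == ("tok", "OR"):          # booleans must be uppercase; "or" is a plain term
            toks.pop(0)
            left = (lambda l, r: lambda e: l(e) or r(e))(left, and_expr())
        return left
    def and_expr():
        left = primary()
        while peek() not in (None, ("tok", "OR"), ("tok", ")")):
            if peek() == ("tok", "AND"):
                toks.pop(0)                     # explicit AND; otherwise the AND is implied
            left = (lambda l, r: lambda e: l(e) and r(e))(left, primary())
        return left
    def primary():
        kind, text = toks.pop(0)
        if (kind, text) == ("tok", "NOT"):      # NOT applies to the next term or group
            return (lambda inner: lambda e: not inner(e))(primary())
        if (kind, text) == ("tok", "("):
            inner = or_expr(); toks.pop(0)      # parse the group, then consume the closing ")"
            return inner
        if kind == "phrase":                    # quoted phrase: substring of the raw event
            return lambda e: text.lower() in e["_raw"].lower()
        m = re.fullmatch(r"(\w+)(!=|=)(.+)", text)
        if m:                                   # field=value / field!=value, wildcard allowed;
            field, op, val = m.groups()         # assumption: != matches only if the field exists
            return lambda e: (field in e) and (fnmatchcase(str(e[field]).lower(), val.lower()) == (op == "="))
        # bare term: case-insensitive, * wildcard, matched against whole words of the raw event
        return lambda e: any(fnmatchcase(w.lower(), text.lower()) for w in re.findall(r"[^\s/]+", e["_raw"]))
    return or_expr()

def search(query, events=EVENTS):
    test = parse(tokenize(query))
    return [e for e in events if test(e)]
```

The uppercase-boolean rule matters for detection searches: `purchase and 200` silently searches for the literal word "and" and returns nothing here, while `purchase AND 200` returns the successful purchase.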
Slide 24: Quick Reporting
  • Click to generate a quick report

Slide 25: Saving Searches

Slide 26: Saving a Search
  1. Click the save search icon
  2. Name the search
    - You can also edit the search string and time
    - Optionally, share the search with other users
  Example search string: 500 OR 503

Slide 27: Running a Saved Search
  • Run saved searches from the Searches and Reports menu
  • Lists all searches you have permission to run

Slide 28: Beyond Basic Searching
  • Splunk has many powerful features and search commands that allow you to
    - Calculate statistics
    - Format and organize values within search results
    - Create compelling data visualizations and reports
    - And more!
  • Learn about some of these features in the Search Language – Intermediate session

Slide 29: Questions?
  August 15, 2011
  Dan Plaza, Senior Instructor
