Splunk Basic Searches

by

Splunk is a powerful tool for searching, analyzing, and visualizing machine-generated data. Here are some basic searches you can use to get started:

  1. Simple search: Use the search bar in Splunk to enter a search term, such as “error” or “warning”. Splunk will return all events that match your search term.
  2. Search for a specific field: To search for a specific field, use the syntax “fieldname=value”. For example, “host=myserver” will return all events where the host field equals “myserver”.
  3. Boolean searches: Use Boolean operators (AND, OR, NOT) to combine multiple search terms. For example, “error OR warning” will return all events that contain either “error” or “warning”.
  4. Wildcards: Use wildcards to search for patterns in your data. For example, “error*” will return all events that begin with “error”.
  5. Time range searches: Use time range searches to limit your search to a specific time period. For example, “earliest=-1h” will return all events from the last hour.
  6. Search with regular expressions: Use regular expressions to search for complex patterns in your data. For example, “sourcetype=access_* | rex “GET /app/(?<app>\w+)” will extract the app name from all events where the sourcetype begins with “access_” and the URL path contains “/app/”.
  7. Field extraction: Use the Field Extractor in Splunk to extract fields from your data automatically. For example, if your logs contain a timestamp in the format “2022-01-01T12:00:00”, you can use the Field Extractor to create a new field for the date and time separately.

Fields sidebar Splunk:

The Fields sidebar in Splunk provides a quick and easy way to view and analyze the fields in your data. Here are some key features of the Fields sidebar:

  1. Field summary: The Field summary section provides a list of the fields in your data and the number of events that contain each field.
  2. Field values: Clicking on a field in the Field summary section will display a list of the values for that field and the number of events that contain each value.
  3. Field actions: Hovering over a field in the Fields summary section will display a set of field actions, including renaming, hiding, and highlighting the field.
  4. Field picker: The Field picker allows you to add, remove, and reorder fields in your search results.
  5. Field search: You can use the Field search bar to quickly find a specific field or group of fields in your data.
  6. Drilldown: Double-clicking on a field value in the Fields sidebar will automatically create a search that filters your results to only show events that contain that value.

The Fields sidebar can help you quickly identify and analyze the fields in your data, allowing you to more effectively search, analyze, and visualize your machine-generated data.