Splunk .conf2011: Search Language: Beginner

Search Language - Beginner Dan Plaza, Sr. Instructor

Getting started – Search summary view Running basic searches and viewing results Navigating through search results Understanding and using fields in search Saving searches Agenda

Dan Plaza – Senior Instructor – Splunk Splunker since November 2010 Experience in database, security, web apps and compliance standards Constantly amazed by the cool stuff Splunk can do About Your Presenter

Summary View current view global stats menus and action links time range picker data sources do it search box

Everything is searchable * wildcard supported Search terms are case insensitive Booleans AND, OR, NOT Booleans must be uppercase Implied AND between search terms Use () for complex searches Quote phrases Basic Search

Search Results timeline field picker timestamp event data Highlighted search terms

Searches return events An event is single piece of data in Splunk, like a record in a log file or other data input Splunk breaks up data into individual events and gives each a timestamp , host , source and source type Events

By default, Splunk searches over all time Use the time range picker to narrow your search, or search in real time Selecting the Time Range

Real-time searching allows you to view events as they come in Useful in troubleshooting an active issue or creating critical alerts Real-time Searching

Navigating Search Results – click Click a term in the events to add it to the search

Navigating Results – Alt+Click alt+click a term in the events to remove events with that term from the results

Navigating Results – Timeline Click a bar in the timeline to drill-down to events that occurred in that time period

Navigating Results – Timeline (cont.) Select all returns to the original timeframe You can also zoom in / zoom out to narrow or broaden the timerange

Select custom time from the time range picker to indicate specific date or relative time ranges Indicating a Custom Time Range

Fields turn plain old log data into Splunked data There are 2 types of fields Default fields – host , source , sourcetype . These fields exist for every event in Splunk. Data-defined fields – fields that are specific to a given type of data Fields

Splunk identifies fields in events, including the action field In these events, the action field has five values Identify the Fields

Use the Field Picker remove events from results that don’t have the field create reports click on a value to add to the search ALT + click on a value to remove from a search

This search example returns events where: The sourcetype – or type of data – is apache weblogs The action field has a value of purchase The HTTP status returned was NOT 200 Searching with Fields sourcetype=access_* action=purchase status!=200 36 events where an e-commerce purchase failed because of an HTTP error!!

Quick Reporting Click to generate a quick report

1. Click the save search icon 2. Name the search You can also edit the search string and time Optionally, share the search with other users Saving a Search 500 OR 503 500 OR 503

Run saved searches from the Searches and Reports menu Lists all searches you have permission to run Running a Saved Search

Splunk has many powerful features and search commands that allow you to Calculate statistics Format and organize values within search results Create compelling data visualizations and reports And more! Learn about some of these features in the Search language – intermediate session Beyond Basic Searching

August 15, 2011 Questions? Dan Plaza, Senior Instructor

Splunk .conf2011: Search Language: Beginner

More Related Content

Similar to Splunk .conf2011: Search Language: Beginner

Recently uploaded

Splunk .conf2011: Search Language: Beginner

Editor's Notes