Search page overview for SPL2
Use the Search page in the Search & Reporting app to run standalone SPL2 searches and then analyze and visualize the results.
On the Search page of the Search & Reporting app, you can run standalone searches with a single SPL2 statement. The Search page includes a variety of features that you can use to analyze and visualize the returned data, such as detailed lists of the event fields discovered in your search results and the ability to save your search results as reports or dashboards.
To navigate to the Search page, from the Splunk Home page, select Search & Reporting in the Apps panel. By default, the Search & Reporting app opens on the Search page.
Refer to the screenshots in Search summary view and New Search view to become familiar with the Search page. The table under each screenshot describes the highlighted elements in the screenshot.
For information about keyboard shortcuts that you can use to work with SPL2 searches, see Keyboard shortcuts.
Search summary view
Before you run a search, the Search page displays the following elements:
| Number | Element | Description |
|---|---|---|
| 1 | App bar | Navigate between the different views in the application you are in. For the Search & Reporting app the views are: Search, Datasets, Reports, Alerts, Dashboards, and Modules. |
| 2 | Language picker | Specify whether to search using SPL or SPL2. The setting in the language picker cannot be changed directly after you run your search, or if you open the search by selecting Open in search from a report. In these scenarios, you can only change the language from SPL to SPL2 by selecting Convert to SPL2. If you want to change the language from SPL2 to SPL, you must select Close and start over with a new search. |
| 3 | Conversion button | Convert a search from SPL to SPL2. This button is available only when the language picker is set to SPL and the Search bar contains a search. |
| 4 | Search bar | Specify your search criteria. |
| 5 | Time range picker | Specify the time period for the search, such as the last 30 minutes or yesterday. The default is Last 24 hours. |
| 6 | Search icon | Run the search specified in the Search bar. |
| 7 | Splunk AI Assistant for SPL icon | Use Splunk AI Assistant for SPL to write, understand, interpret, and optimize SPL searches using natural language. Note: The Splunk AI Assistant for SPL application must be activated before you can use the AI assistant for your searches. |
| 8 | Search mode menu | Use the search mode menu to provide a search experience that fits your needs. The modes are Smart (default), Fast, and Verbose. |
| 9 | Search history | Review a list of the searches that you have run. The search history appears after you run your first search, and only shows previous searches for the selected language. For example, if the language picker is set to SPL2, then the search history shows previous SPL2 searches but not previous SPL searches. |
| 10 | How to Search | Use the links to learn more about how to start searching your data using SPL, as well as get a summary of the data that you have access to. |
| 11 | Search, transform, and analyze data using SPL2 | Use the links to learn more about how to start searching your data using SPL2, and to open the SPL2 module editor in a new browser tab. |
New Search view
After you run a search, the Search page displays the New Search view with the following additional elements:
| Number | Element | Description |
|---|---|---|
| 1 | Save As menu | Use the Save As menu to save your search results as a report, dashboard, alert, or event type. SPL2 search results cannot be saved as event types. |
| 2 | Search action buttons | Actions that you can perform include working with your search job, and sharing, printing, and exporting your search results. |
| 3 | Search results tabs | The tab that your search results appear on depends on your search. Some searches produce a set of events, which appear on the Events tab. Other searches transform the data in events to produce search results, which appear on the Statistics tab. |
| 4 | Timeline | A visual representation of the number of events that occur at each point in time. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline options are located above the timeline. You can format the timescale, or zoom in or out of a selected set of events. |
| 5 | Fields sidebar | Displays a list of the fields discovered in the events. The fields are grouped into Selected Fields and Interesting Fields. |
| 6 | Events viewer | Displays the events that match your search. By default, the most recent event is listed first. In each event, the matching search terms are highlighted. To change the event view, use the List, Format, and Per Page options. |
Keyboard shortcuts
On the Search page, you can use the following keyboard shortcuts to help you develop and read your SPL2 searches.
You can use these keyboard shortcuts when working in the Search bar:
| Action | Linux or Windows | macOS |
|---|---|---|
| Add a line break | Shift+Enter | Shift+Enter |
| Add or remove comment characters ( // ) in the current row | Control+/ | Command+/ |
| Undo the previous action | Control+Z | Command+Z |
| Redo the previous action | Control+Y or Control+Shift+Z | Command+Y or Command+Shift+Z |
| Find a term | Control+F | Command+F |
| Find and replace a term | Control+H | Command+Option+F |
| Copy the active row and place the copy below the active row | Alt+Shift+Down arrow | Command+Option+Down arrow |
| Copy the active row and place the copy above the active row | Alt+Shift+Up arrow | Command+Option+Up arrow |
| Move the active row down one row | Alt+Down arrow | Option+Down arrow |
| Move the active row up one row | Alt+Up arrow | Option+Up arrow |
| Remove the word or space to the right of the cursor | Control+Delete | Control+Delete |
| Remove the word or space to the left of the cursor | Control+Backspace | Option+Delete |
You can use these keyboard shortcuts to scroll through your search history.
| Action | Linux or Windows | macOS |
|---|---|---|
| Scroll to the previous search | Control+Up arrow | Command+Up arrow |
| Scroll to the next search | Control+Down arrow | Command+Down arrow |