About the Search app
The Search & Reporting app, referred to as the Search app, is the application that you use to search and create reports on your data.
The following sections describe the views and elements that comprise the Search app.
Open the Search app
To open the Search app, from Splunk Home click Search & Reporting in the Apps panel. This opens the Search Summary view in the Search & Reporting app.
The Search summary view
Before you run a search, the Search summary view displays the following elements:
- App bar
- Search bar
- Time range picker
- Search icon
- The Search mode menu
- The Search History panel
- The How to Search panel
A few additional elements might be available depending on whether you are working in Splunk Enterprise or Splunk Cloud Platform, and depending on whether your Splunk platform deployment supports the Search Processing Language, version 2 (SPL2). SPL2 is available in Splunk Cloud Platform and Splunk Enterprise instances that are installed on Linux machines.
Splunk Enterprise only
The How to search panel includes an additional option called Data Summary, which shows a summary of the data that is uploaded to the Splunk instance and that you are authorized to view.
There is also an additional panel called Analyze Your Data with Table Views. You can use the options in this panel to prepare data without using the Search Processing Language (SPL).
Splunk Cloud Platform only
Under the Search bar, there is a workload management menu. You can use this menu to specify which pool to run your search in or choose to use a policy-based pool. The policies are defined in the Workload Management app.
SPL2 only
- The Modules tab in the App bar
- The language picker
- The conversion button
- The Search, transform, and analyze data using SPL2 panel, which replaces the Analyze Your Data with Table Views panel in Splunk Enterprise.
The following image shows the Search Summary view in a Splunk Enterprise instance that supports SPL2.
| Number | Element | Description |
|---|---|---|
| 1 | App bar | Navigate between the different views in the application you are in. For the Search & Reporting app the views are: Search, Datasets, Reports, Alerts, Dashboards, and Modules. |
| 2 | Language picker | Specify whether to search using SPL or SPL2. The setting in the language picker cannot be changed directly after you run your search, or if you open the search by selecting Open in search from a report. In these scenarios, you can only change the language from SPL to SPL2 by selecting Convert to SPL2. If you want to change the language from SPL2 to SPL, you must select Close and start over with a new search. |
| 3 | Conversion button | Convert a search from SPL to SPL2. This button is available only when the language picker is set to SPL and the Search bar contains a search. |
| 4 | Search bar | Specify your search criteria. |
| 5 | Time range picker | Specify the time period for the search, such as the last 30 minutes or yesterday. The default is Last 24 hours. |
| 6 | Search icon | Run the search specified in the Search bar. |
| 7 | Splunk AI Assistant for SPL icon | Use Splunk AI Assistant for SPL to write, understand, interpret, and optimize SPL searches using natural language. Note: The Splunk AI Assistant for SPL application must be activated before you can use the AI assistant for your searches. |
| 8 | Search mode menu | Use the search mode menu to provide a search experience that fits your needs. The modes are Smart (default), Fast, and Verbose. |
| 9 | Search history | Review a list of the searches that you have run. The search history appears after you run your first search, and only shows previous searches for the selected language. For example, if the language picker is set to SPL2, then the search history shows previous SPL2 searches but not previous SPL searches. |
| 10 | How to Search | Use the links to learn more about how to start searching your data using SPL, as well as get a summary of the data that you have access to. |
| 11 | Search, transform, and analyze data using SPL2 | Use the links to learn more about how to start searching your data using SPL2, and to open the SPL2 module editor in a new browser tab. |
Data summary
The Data Summary dialog box displays the following tabs:
- Hosts
- Sources
- Sourcetypes
These tabs represent searchable fields in your data. Selecting a host, source, or source type from the Data Summary dialog box is a great way to see how your data is turned into events.
Host
The host of an event is the host name, IP address, or fully qualified domain name of the network machine from which the event originated. In a distributed environment, you can use the host field to search data from specific machines.
Source
The source of an event is the file or directory path, network port, or script from which the event originated.
Source type
The source type of an event tells you what kind of data it is, usually based on how the data is formatted. This classification lets you search for the same type of data across multiple sources and hosts.
In this example, source types are:
- access_combined_wcookie: Apache web server logs
- secure: Secure server logs
- vendor_sales: Global sales vendors
For information about which source type is assigned to your data, see Why source types matter in the Getting Data In manual.
The New Search view
The New Search view opens after you run a search. Many of the elements from the Search summary view, such as the App bar, Search bar, and Time range picker, are still available in this view. Additionally, this view contains many more elements: search action buttons, counts of events, job status bar, and tabs for Events, Patterns, Statistics, and Visualizations.
| Number | Element | Description |
|---|---|---|
| 1 | Save As menu | Use the Save As menu to save your search results as a report, dashboard, alert, or event type. SPL2 search results cannot be saved as event types. |
| 2 | Search action buttons | Actions that you can perform include working with your search job, and sharing, printing, and exporting your search results. |
| 3 | Search results tabs | The tab that your search results appear on depends on your search. Some searches produce a set of events, which appear on the Events tab. Other searches transform the data in events to produce search results, which appear on the Statistics tab. |
| 4 | Timeline | A visual representation of the number of events that occur at each point in time. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline options are located above the timeline. You can format the timescale, or zoom in or out of a selected set of events. |
| 5 | Fields sidebar | Displays a list of the fields discovered in the events. The fields are grouped into Selected Fields and Interesting Fields. |
| 6 | Events viewer | Displays the events that match your search. By default, the most recent event is listed first. In each event, the matching search terms are highlighted. To change the event view, use the List, Format, and Per Page options. |
App bar
Use the App bar to navigate between the different views in the Search & Reporting app: Search, Pivot, Reports, Alerts, and Dashboards. There are entire manuals devoted to these other capabilities.
Search bar
Use the search bar to specify your search criteria in Splunk Web. Type your search string and press Enter, or click the Search icon which is on the right side of the search bar.
Time range picker
Time is the single most important search parameter that you can specify.
Use the time range picker to retrieve events over a specific time period. For real-time searches you can specify a window over which to retrieve events. For historical searches, you can restrict your search by specifying a relative time range such as 15 minutes ago, Yesterday, and so on. You can also restrict your searches using a specific date and time range. The time range picker has many preset time ranges that you can select from, but you can also type a custom time range.
For more information, see About searching with time.
Timeline
The timeline is a visual representation of the number of events that occur at each point in time in your results. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline options are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
When you click a point on the timeline or use one of the timeline options, the display of the timeline changes based on the events already returned from your search. A new search is not run.
Use the Format Timeline drop-down list to hide or change the scale of the timeline.
Search actions
There is a wide range of search actions that you can perform, including working with your search jobs, and saving, sharing, exporting, and printing your search results.
For more information, see:
Search mode
You can use the search mode selector to provide a search experience that fits your needs. The modes are Smart (default), Fast, and Verbose.
For more information, see Search modes.
Fields sidebar
To the left of the events list is the Fields sidebar. As events are retrieved that match your search, the Fields sidebar shows the Selected Fields and Interesting Fields in the events. These are the fields that the Splunk software extracts from your data.
When you first run a search the Selected Fields list contains the default fields host, source, and sourcetype. The default fields appear in every event.
Interesting Fields are fields that appear in at least 20% of the events.
Next to the field name is a count of how many distinct values there are in that field. Click on any field name to show more information about that field, such as a count and percentage of events that include each value.
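As an added example (not code from the Splunk documentation or the Splunk product), the following Python script reproduces, over a constructed set of events, what the Data Summary dialog box and the Fields sidebar described above compute: counts per host, source, and sourcetype; which extracted fields qualify as Interesting Fields under the "at least 20% of events" rule; the distinct-value count shown next to each field name; and the per-value count and percentage shown when you click a field. The event records, host names, paths, and field values are constructed; computing the per-value percentage relative to the events that contain the field (rather than all events) is an assumption made for this example.

```python
from collections import Counter

# Constructed sample events (not real Splunk data). Each event is a dict of
# extracted field -> value. host, source, and sourcetype are the default
# fields, so every event carries them; the other fields vary by source type.
EVENTS = [
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "200", "clientip": "10.0.0.5", "uri": "/cart"},
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "404", "clientip": "10.0.0.9", "uri": "/admin"},
    {"host": "web02", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "200", "clientip": "10.0.0.5", "uri": "/"},
    {"host": "web02", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "500", "clientip": "10.0.0.7", "uri": "/checkout"},
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "200", "clientip": "10.0.0.9", "uri": "/cart"},
    {"host": "web01", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "200", "clientip": "10.0.0.5", "uri": "/"},
    {"host": "web02", "source": "/var/log/httpd/access_log", "sourcetype": "access_combined_wcookie",
     "status": "403", "clientip": "10.0.0.9", "uri": "/admin"},
    {"host": "web01", "source": "/var/log/secure", "sourcetype": "secure",
     "user": "root", "action": "failed"},
    {"host": "web02", "source": "/var/log/secure", "sourcetype": "secure",
     "user": "alice", "action": "accepted"},
    {"host": "db01", "source": "/opt/sales/vendor_sales.csv", "sourcetype": "vendor_sales",
     "vendor": "acme"},
]

# The default fields that populate Selected Fields on a fresh search.
DEFAULT_FIELDS = ("host", "source", "sourcetype")
# A field is "interesting" when it appears in at least this share of events.
INTERESTING_THRESHOLD = 0.20


def data_summary(events):
    """Counts per host, source, and sourcetype, like the Data Summary tabs."""
    return {f: Counter(e[f] for e in events) for f in DEFAULT_FIELDS}


def field_presence(events):
    """Number of events in which each non-default extracted field appears."""
    present = Counter()
    for e in events:
        for f in e:
            if f not in DEFAULT_FIELDS:
                present[f] += 1
    return present


def interesting_fields(events, threshold=INTERESTING_THRESHOLD):
    """Fields present in at least `threshold` of the events, sorted by name.
    The comparison is done on counts to avoid float rounding at the boundary."""
    needed = threshold * len(events)
    return sorted(f for f, n in field_presence(events).items() if n >= needed)


def distinct_count(events, field):
    """The distinct-value count shown next to a field name in the sidebar."""
    return len({e[field] for e in events if field in e})


def field_values(events, field):
    """(value, count, percent) rows for a field, most frequent first.
    Assumption: percent is relative to the events that contain the field."""
    with_field = [e[field] for e in events if field in e]
    counts = Counter(with_field)
    return [(v, n, round(100.0 * n / len(with_field), 2))
            for v, n in counts.most_common()]


if __name__ == "__main__":
    for tab, counts in data_summary(EVENTS).items():
        print(f"{tab}: {dict(counts)}")
    print("Selected Fields:", [f"{f} ({distinct_count(EVENTS, f)})" for f in DEFAULT_FIELDS])
    print("Interesting Fields:", [f"{f} ({distinct_count(EVENTS, f)})" for f in interesting_fields(EVENTS)])
    print("status values:", field_values(EVENTS, "status"))
```

In this sample, `user` and `action` appear in exactly 2 of 10 events and so just qualify as Interesting Fields, while `vendor` (1 of 10) does not; this is the boundary case to keep in mind when a rarely populated field you expect to see is missing from the sidebar.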