Exploring the Search views
In Part 2, you learned about the types of data that the Splunk platform works with and uploaded the tutorial data into the index. In Part 3, you will learn about the Search app.
Find Splunk Search
- If you are not on the Splunk Home page, click the Splunk logo on the Splunk bar to go to Splunk Home.
- From Splunk Home, click Search & Reporting in the Apps panel.
This opens the Search Summary view in the Search app.
Search Summary view
The Search Summary view includes common elements that you see on other views, including the Apps bar, the Search bar, and the Time Range Picker. Elements that are unique to the Search Summary view are the panels below the Search bar: the How to Search panel and the Search History panel.
A few additional elements might be available depending on whether you are working in Splunk Enterprise or Splunk Cloud Platform, and depending on whether your Splunk platform deployment supports the Search Processing Language, version 2 (SPL2). SPL2 is available in Splunk Cloud Platform and Splunk Enterprise instances that are installed on Linux machines.
Splunk Enterprise only
The How to search panel includes an additional option called Data Summary, which shows a summary of the data that is uploaded to the Splunk instance and that you are authorized to view.
There is also an additional panel called Analyze Your Data with Table Views. You can use the options in this panel to prepare data without using the Search Processing Language (SPL).
Splunk Cloud Platform only
Under the Search bar, there is a workload management menu. You can use this menu to specify which pool to run your search in or choose to use a policy-based pool. The policies are defined in the Workload Management app.
SPL2 only
-
The Modules tab in the App bar
-
The language picker
-
The conversion button
-
The Search, transform, and analyze data using SPL2 panel, which replaces the Analyze Your Data with Table Views panel in Splunk Enterprise.
The following image shows the Search Summary view in a Splunk Enterprise instance that supports SPL2.
| Number | Element | Description |
|---|---|---|
| 1 | App bar |
Navigate between the different views in the application you are in. For the Search & Reporting app the views are: Search, Datasets, Reports, Alerts, Dashboards, and Modules. |
| 2 | Language picker |
Specify whether to search using SPL or SPL2. The setting in the language picker cannot be changed directly after you run your search, or if you open the search by selecting Open in search from a report. In these scenarios, you can only change the language from SPL to SPL2 by selecting Convert to SPL2. If you want to change the language from SPL2 to SPL, you must select Close and start over with a new search. |
| 3 | Conversion button |
Convert a search from SPL to SPL2. This button is available only when the language picker is set to SPL and the Search bar contains a search. |
| 4 | Search bar |
Specify your search criteria. |
| 5 | Time range picker |
Specify the time period for the search, such as the last 30 minutes or yesterday. The default is Last 24 hours. |
| 6 | Search icon |
Run the search specified in the Search bar. |
| 7 | Splunk AI Assistant for SPL icon | Use Splunk AI Assistant for SPL to write, understand, interpret, and optimize SPL searches using natural language. Note: The Splunk AI Assistant for SPL application must be activated before you can use the AI assistant for your searches. |
| 8 | Search mode menu |
Use the search mode menu to provide a search experience that fits your needs. The modes are Smart (default), Fast, and Verbose. |
| 9 | Search history |
Review a list of the searches that you have run. The search history appears after you run your first search, and only shows previous searches for the selected language. For example, if the language picker is set to SPL2, then the search history shows previous SPL2 searches but not previous SPL searches. |
| 10 | How to Search |
Use the links to learn more about how to start searching your data using SPL, as well as get a summary of the data that you have access to. |
| 11 | Search, transform, and analyze data using SPL2 |
Use the links to learn more about how to start searching your data using SPL2, and to open the SPL2 module editor in a new browser tab. |
New Search view
The New Search view opens after you run a search.
Some of the elements in this view might be familiar, such as the Apps bar, the Search bar, and the time range picker. Below the Search bar, are the Timeline, the Fields sidebar, and the Events view.
The New Search view in Splunk Cloud Platform and Splunk Enterprise are almost identical.
The following image shows the New Search view in a Splunk Enterprise instance that supports SPL2.
| Number | Element | Description |
|---|---|---|
| 1 | Save As menu |
Use the Save As menu to save your search results as a report, dashboard, alert, or event type. SPL2 search results cannot be saved as event types. |
| 2 | Search action buttons |
Actions that you can perform include working with your search job, and sharing, printing, and exporting your search results. |
| 3 | Search results tabs |
The tab that your search results appear on depends on your search. Some searches produce a set of events, which appear on the Events tab. Other searches transform the data in events to produce search results, which appear on the Statistics tab. |
| 4 | Timeline |
A visual representation of the number of events that occur at each point in time. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline options are located above the timeline. You can format the timescale, or zoom in or out of a selected set of events. |
| 5 | Fields sidebar |
Displays a list of the fields discovered in the events. The fields are grouped into Selected Fields and Interesting Fields. |
| 6 | Events viewer |
Displays the events that match your search. By default, the most recent event is listed first. In each event, the matching search terms are highlighted. To change the event view, use the List, Format, and Per Page options. |
Next step
Learn about specifying time ranges in your searches.
See also
View and interact with your Search History in the Search Manual
Why source types matter in Getting Data In