
Splunk Web Search Interface

The document discusses the web search interface for Splunk. It describes how users can interact with search results by clicking on different parts of events, such as segments, metadata, or links. Clicking performs actions like searching or restricting searches based on the clicked term. It also explains how to select multiple consecutive segments using mouse clicks and options for changing Splunk's segment selection handling, like treating segments separated by periods as minor versus spaces as major.

Uploaded by

Neil P
Copyright
© All Rights Reserved

Splunk > Web search interface 04/10/2023, 10:06

The Wayback Machine - https://web.archive.org/web/20070228065846/http://www.splunk.com:80/doc/latest/user/userweb


For Splunk Server(s): 2.1, 2.2

Web search interface


Nearly everything in Splunk's interface is clickable, especially inside your search results. Try clicking around the search and results
pages on prodemo.splunk.com to see where it takes you. Don't worry, there's no way to accidentally delete, modify or corrupt our
demo data by playing with it.

Mouse Clicks
You can perform these click actions on any part of an event in your search results - segments, metadata such as
sourcetype::syslog, and links such as Similar.

Search for term: click
Restrict the current search further by the clicked term: Ctrl-click (On Macs, cmd-click)
Remove term from current search: Ctrl-click it again (On Macs, cmd-click)
Search for negative term (e.g. NOT apache): Alt-click (On Macs, option-click)
Add negative term (e.g. NOT apache) to search: Ctrl-alt-click (On Macs, cmd-option-click)

Ctrl-Alt-click
The fastest way to find obscure events is to start with a simple, broad search and then remove terms that don't match using
Ctrl-Alt-click. (On Macs, cmd-option-click.) It's just like adding grep -v pipes onto the end of a Unix grep command. As you filter out more
and more event types, hosts, source types, or terms inside the events, the hard-to-find events you're looking for will emerge.

Segment Selection
Roll your cursor over the different parts of an event in your search results. You'll see individual segments - character strings treated
as single entities in the index - highlight as you pass over them. Matching segments in other events will also highlight. If you click a
segment, it will submit a new search.

You can change Splunk's handling of segment selection with the menu option Preferences -> Segment Selection above the Splunk
box. There are five settings, described below.

Full
Splunk's default configuration treats segments separated by periods and other punctuation as minor segments and those separated
by spaces as major segments. If you search for a term that appears as a minor segment, it will be highlighted on your results page.
But when you roll over it to click it, the entire major segment it belongs to will highlight.

One example is worth a thousand words: Search for com and then roll your mouse over any Web domain names that appear in
your results. See how you can add or remove whole domains from your search with one click. It's faster than typing into the box
again and again, yet you can still do so whenever you prefer to.


To select multiple consecutive segments in an event, such as the hour and minute in a timestamp (17:30 in 17:30:01) or the subnet section
of an IP address (18.7 in 18.7.1.151), place your mouse at the leftmost segment and mouse over the subsequent segments to the right.
Each segment will highlight in yellow as you pass over it. To select the entire major segment, i.e. the entire address or timestamp,
place your mouse at the rightmost end instead.

Outer
This setting forces Splunk to always highlight the longest possible segment, such as a complete email address. It's equivalent to
mousing from the rightmost end in Full mode.

Inner
This setting forces Splunk to always highlight the shortest possible segment, such as .com in an email address. It's equivalent to
mousing from the leftmost end in Full mode.

Raw
In this mode, Splunk does no segment selection. Clicking on an IP address will do nothing.

Full with Pyramids
Same as Full, but Splunk will draw grouping boxes around segments. The result looks like a topological map, with segments
stacked in pyramid-like formations to show how they are grouped.
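
The selection modes described above can be modelled in a few lines. This is an added example, not Splunk's code: it assumes whitespace delimits major segments and any non-word character delimits minor ones, and the event line, the select function and the character-offset cursor are constructed for illustration.

```python
import re

# Constructed sample event; not taken from the page.
EVENT = ("Feb 28 17:30:01 mailhost sshd[411]: Failed password "
         "for alice@example.com from 18.7.1.151")
MODES = ("full", "outer", "inner", "raw")

def spans(pattern, text, offset=0):
    """(start, end) offsets of every match of pattern in text."""
    return [(offset + m.start(), offset + m.end())
            for m in re.finditer(pattern, text)]

def select(event, pos, mode="full"):
    """Return the text a click at character offset pos would search for.

    Assumed model: major segments are whitespace-delimited; minor segments
    are runs of word characters inside a major segment.
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if mode == "raw":                      # Raw: no segment selection at all
        return None
    major = next((s for s in spans(r"\S+", event) if s[0] <= pos < s[1]), None)
    if major is None:                      # cursor is on whitespace
        return None
    minors = spans(r"\w+", event[major[0]:major[1]], major[0])
    hit = next((m for m in minors if m[0] <= pos < m[1]), None)
    # Outer, a cursor resting on punctuation (assumption), or Full at the
    # rightmost minor segment all select the whole major segment.
    if mode == "outer" or hit is None or (mode == "full" and hit == minors[-1]):
        return event[major[0]:major[1]]
    if mode == "inner":                    # shortest segment under the cursor
        return event[hit[0]:hit[1]]
    return event[major[0]:hit[1]]          # Full: leftmost minor through hovered one

if __name__ == "__main__":
    ip = EVENT.index("18.7.1.151")
    for mode in MODES:                     # hover over the "7" of the address
        print(mode, repr(select(EVENT, ip + 3, mode)))
```

Running it with the cursor on the second octet shows why Full mode is convenient for pivoting on a subnet prefix, while Outer always pivots on the complete address.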
