Splunk-6 5 7-SearchTutorial

Splunk® Enterprise
Search Tutorial 6.5.7

Generated: 9/06/2022 5:17 pm
Copyright (c) 2022 Splunk Inc. All Rights Reserved

Table of Contents
Introduction...........................................................................................................................................................................1
About the Search Tutorial..........................................................................................................................................1
Part 1: Getting started..........................................................................................................................................................3

What you need for this tutorial...................................................................................................................................3
Install Splunk Enterprise............................................................................................................................................5
Launch Splunk Web...................................................................................................................................................7
Navigating Splunk Web...........................................................................................................................................10
Part 2: Uploading the tutorial data....................................................................................................................................14

About uploading data...............................................................................................................................................14
What is in the tutorial data?.....................................................................................................................................16
Upload the tutorial data............................................................................................................................................17
Part 3: Using the Splunk Search App...............................................................................................................................21

Exploring the Search views.....................................................................................................................................21
Specifying time ranges............................................................................................................................................25
Part 4: Searching the tutorial data....................................................................................................................................29

Basic searches and search results..........................................................................................................................29
Use fields to search.................................................................................................................................................33
Use the search language.........................................................................................................................................40
Use a subsearch......................................................................................................................................................45
Part 5: Enriching events with lookups..............................................................................................................................49

Enabling field lookups..............................................................................................................................................49
Search with field lookups.........................................................................................................................................58
Part 6: Creating reports and charts..................................................................................................................................62

Save and share your reports...................................................................................................................................62
Search, chart, and report examples.........................................................................................................................66
Part 7: Creating dashboards..............................................................................................................................................76

About dashboards....................................................................................................................................................76
Create dashboards and panels................................................................................................................................77
Add more panels to dashboards..............................................................................................................................84
Additional resources..........................................................................................................................................................91
Additional resources................................................................................................................................................91
i
Introduction
About the Search Tutorial

The Search & Reporting application (Search app) is the primary interface for using the Splunk software to run searches,
save reports, and create dashboards. This Search Tutorial is for users who are new to the Splunk platform and the Search
app.
Use this tutorial to learn how to use the Search app. Differences between Splunk Enterprise and Splunk Cloud Platform
are specified throughout this tutorial.
You might see minor differences between the screen shots in this tutorial and the screens in your Splunk software
deployment. Some of the screen shots might show a previous version of the Search app, but these minor differences
will not impact your successful completion of the tutorial.
Already have access to Splunk software?
For this tutorial, use a free Trial version of the Splunk software.
Why? Because this tutorial uses a specific set of data to ensure consistency in your search results and the features that
you are learning about. In the tutorial, you will upload this tutorial-specific data to the Splunk platform. You might not have
permission to upload data in your production, work environment. Additionally, using a free Trial version of the software
ensures that the tutorial data is not mixed in with your work data.
The Trial version of the software converts to a Free version after 30 days. If you have a Free version of the Splunk
software, some of the features, such as changing Preferences in the User account menu, are not available. See About
Splunk Free in the Admin manual.
The steps for downloading a free Trial version of Splunk Enterprise or Splunk Cloud Platform are described in the tutorial.
What's in this tutorial?
You will learn how to use the Search app to add data to your Splunk deployment, search the data, save the searches as
reports, and create dashboards. If you are new to the Search app, this tutorial is the place to start.
How to use this tutorial
Each Part in the Search Tutorial builds on the previous Part. For example, the searches that you create in Part 5 are used
to create reports and charts in Part 7. It is important that you don't skip any Part.
• Part 1: Getting started

• Part 2: Uploading the tutorial data
• Part 3: Using the Splunk Search app
• Part 4: Searching the tutorial data
• Part 5: Enriching events with lookups
• Part 6: Creating reports and charts
• Part 7: Creating dashboards
1
Using the PDF version of the tutorial
You can copy and paste search strings or regular expressions directly into the Search & Reporting App from this online
tutorial in your web browser.
Do not copy and paste search strings or regular expressions directly from the electronic PDF into the Search app. Pasting
data from the PDF can cause errors in searches, because of hidden characters that are included in the PDF formatting.
See also sections
At the end of most of the topics in this tutorial is a section called See also. These sections contain links to Splunk
documentation that is related to the information discussed in that topic.
Additional resources
See Additional resources at the end of this tutorial for information about:
• The Splunk community

• Links to Quick Reference information
• Links to the Splunk documentation
• How to provide feedback
Next step
To get started, continue to What you need for this tutorial.
2
Part 1: Getting started
What you need for this tutorial

You need to create a Splunk.com account, access the free Trial version of the Splunk software, and download the tutorial
data files. There might be other prerequisites, depending on which Splunk platform you use.
Create a splunk.com account
You need a splunk.com account to download the free Trial version of the Splunk software. Creating an account is free. If
you do not already have a Splunk.com account, you need to create an account. If you already have an account, you need
to log in to that account.
1. In a separate browser window, go to https://www.splunk.com/.

♦ Use CTRL+click on the link to open the web site in a new browser tab.
♦ By using a separate browser tab, you will keep this open this tab with the Search Tutorial instructions.
You can switch back and forth between the browser tabs.
2.
In the upper right corner of the window, click the Splunk Account icon .
If you are already logged in, your name appears next to the icon.
♦ To create an account, click Sign Up and complete the registration information.

♦ To log in to an existing account, click Login.
Choose a platform
You can use this tutorial with a Trial version of Splunk Cloud or Splunk Enterprise. The main difference in the Trial
versions is the length of the license.
Splunk Cloud
When you start a Splunk Cloud Trial, you have access to Splunk Cloud for 15 days. The Trial license includes all
of the features in Splunk Cloud, and access to select premium applications and add-ons. You can index up to
5GB of data each day.
After 15 days, the access to your Splunk Cloud Trial expires.
Splunk Enterprise
When you download Splunk Enterprise for the first time, you get a Splunk Enterprise Trial license for 60 days.
This trial license includes all of the features in Splunk Enterprise, and access to all premium applications and
add-ons. You can index up to 500MB of data each day.
After 60 days, the Enterprise Trial license converts to a perpetual Free license and some of the features, such as
user preferences, authentication, and alerting are disabled. The Free license also includes the 500MB daily
indexing volume, but there is no expiration date. See About Splunk Free in the Admin manual.
System requirements
Ensure that your computer meets the system requirements for your chosen platform.
3
Splunk Cloud
You must have a web browser. The latest versions of Chrome, Firefox, and Safari browsers are supported with
Splunk Cloud.
Splunk Enterprise
You can use Splunk Enterprise on Linux, Windows, or macOS. For this tutorial, your computer must meet the
specifications listed in the following table.
Requirement Minimum supported hardware capacity

Non-Windows platforms 2-core 64-bit CPU at 2GHz or greater, 4GB RAM
Windows platforms 2-core 64-bit CPU at 2GHz or greater, 4GB RAM
Web browser The latest versions of Chrome, Firefox, and Safari browsers are supported.
Download the tutorial data files
This tutorial uses a fictitious game store, called Buttercup Games, that sells games and related items in an online store.
You must download several data files to use with the tutorial. The data files contain web access log files, secure formatted
log files, sales log files, and a price list in a CSV file.
If you use the Safari browser, under Preferences > General, ensure that the Open "safe" files after downloading option
is unchecked. The tutorialdata.zip file must be compressed to upload the file successfully.
1. Download the tutorialdata.zip file. Do not uncompress the file.

2. Download the Prices.csv.zip file. Do not uncompress the file at this time.
Access the Trial version of the Splunk software
For this tutorial, use the latest version of the software.
If you downloaded the Splunk Enterprise Trial software previously, download the Trial software again. It is possible that
your Splunk Enterprise Trial license converted to a Free license. The Free license has some limitations that will not
allow you to complete all parts of this tutorial.
1. Go back to the tab in your browser for the Splunk web site, https://www.splunk.com/.
2. In the upper right corner of the window, click Free Splunk.
3. Choose the platform you want to use and click on the link to download the Trial software.
Splunk Cloud
1. Confirm that you are not a robot.

2. Click Start Trial.
3. A confirmation page appears stating "Your Splunk Cloud Trial is Ready!". Click View My Instance.
You will also receive an email with the URL to your Splunk Cloud Trial and other useful information.
4
4. Accept the Terms of Service. Splunk Cloud should open in a browser window.
5. See Next step.
Splunk Enterprise
1. Identify the installer that you want to use with the tutorial.
Operating
For this tutorial Available installers
system
Use the MSI file graphical installer that is 2 installers. An MSI file for 64-bit and an MSI file for
Windows
appropriate for you computer. 32-bit.
Use the file that is appropriate for your Linux 3 installers. A RPM package, a DEB package, and a
Linux
distribution. compressed TAR (.tgz) file.
2 installers. A compressed TAR (.tgz) file installer and a

macOS Use the DMG packaged graphical installer.
DMG package.
2. Click Download Now next to that installer.
3. See Next step.
Next step
The next step depends on the Splunk platform that you are using.
Splunk Cloud
Splunk Web should launch automatically. The email you receive about your Splunk Cloud Trial contains the
username and password that you can use to access Splunk Cloud. The default username is sc_admin.
If you see a window welcoming you to the Splunk Cloud Trial and inviting you to Drop your data file here, close
that window. You will upload the tutorial data In Part 2. For now, go to Navigating Splunk Web.
Splunk Enterprise
You must install Splunk Enterprise.
See also
System Requirements in the Installation Manual

Types of Splunk licenses in the Admin Manual
Install Splunk Enterprise

You can install Splunk Enterprise on the following operating systems.
• Linux installation instructions

• Windows installation instructions
• Mac OS X installation instructions
5
For other installers or other supported operating systems, see the step-by-step installation instructions for that platform.
After installing Splunk Enterprise, you can continue to Navigating Splunk Web.
Linux installation instructions
Splunk Enterprise provides three Linux installer options: an RPM, a DEB, or a .tar file.
Prerequisite
You must have access to a command-line interface (CLI). When you type in the installation commands, replace
splunk_package_name with the file name of the Splunk Enterprise installer that you downloaded.
Install the Splunk Enterprise RPM
You can install the Splunk Enterprise RPM in the default directory /opt/splunk, or in a different directory.
1. Use the CLI to install Splunk Enterprise.

♦ To install into the default directory, type rpm -i splunk_package_name.rpm.
♦ To install into a different directory, add the --prefix flag to the installation command.
For example, type rpm -i --prefix=/opt/new_directory splunk_package_name.rpm.
2. Go to the steps to Start Splunk Enterprise and launch Splunk Web.
Install the Splunk Enterprise DEB package
You can install the Splunk Enterprise DEB only into the /opt/splunk directory.
1. In the CLI, type dpkg -i splunk_package_name.deb.

2. Go to the steps to Start Splunk Enterprise and launch Splunk Web.
Install the Splunk Enterprise tar file
For the tar file, the default install directory is splunk, in the current working directory. You can install Splunk Enterprise into
a specific directory, such as /opt/splunk, by using the -C option.
1. Expand the file into a specific directory using the tar command. To expand into the /opt/splunk directory, type
tar xvzf splunk_package_name.tgz -C /opt in the CLI.
2. Go to Start Splunk Enterprise and launch Splunk Web.
Windows installation instructions
1. Navigate to the folder or directory where the installer is located.

2. Double-click the splunk.msi file to start the installer.
3. In the Welcome panel, click Next.
4. Read and accept the License Agreement.
5. Click Install.
6. In Customer Information, type the requested details and click Next.
7. In the Destination Folder panel, click Change to specify a different location, or click Next to accept the default
value.
Splunk Enterprise is installed by default into the \Program Files\Splunk directory.

8. In the Logon Information panel, select Local system user and click Next.
6
For other user options, see the instructions for Install on Windows in the Installation Manual.
9. After you specify a user, the preinstallation summary panel appears. Click Install.
10. In the Installation Complete panel, select the Launch browser with Splunk and Create Start Menu Shortcut
check boxes.
11. Click Finish.
The installation finishes, Splunk Enterprise starts, and Splunk Web launches in a browser window.
Continue with the tutorial with Navigating Splunk Web.
Mac OS X installation instructions
1. Navigate to the folder or directory where the installer is located.

2. Double-click the DMG file.
A Finder window that contains the splunk.pkg opens.

3. Double-click the Install Splunk icon to start the installer.
4. The Introduction panel lists version and copyright information. Click Continue.
5. The License panel lists shows the software license agreement. Click Continue.
6. You will be asked to agree to the terms of the software license agreement. Click Agree.
7. In the Installation Type panel, click Install. This installs Splunk Enterprise in the default directory
/Applications/splunk.
8. You will be prompted to type in the password for your computer.
9. When the installation finishes, a popup appears letting you know that an initialization must be performed. Click
OK.
10. A popup appears asking what you would like to do. Click Start and Show Splunk. The login page for Splunk
Enterprise opens in your browser window.
11. Close the two windows to Install Splunk.
The installer places a shortcut on the Desktop so that you can launch Splunk Enterprise from your Desktop any
time.
12. Go to Start Splunk Enterprise and launch Splunk Web.
Next step
Start Splunk Enterprise and launch Splunk Web
See also
Install on Linux in the Installation Manual.
Launch Splunk Web

These steps apply only to Splunk Enterprise. If you're using Splunk Cloud, go to Navigating Splunk Web.
After you download and install the software, you must start Splunk Enterprise and launch Splunk Web.
• Start Splunk Enterprise on Linux

• Start Splunk Enterprise on Windows
• Start Splunk Enterprise on Mac OS X
7
Start Splunk Enterprise on Linux
After you install Splunk Enterprise, use the Splunk CLI to start Splunk Enterprise.
Prerequisite
You need to understand how to access the CLI. See About the CLI in the Admin Manual.
Steps
1. Simplify the CLI access by adding a SPLUNK_HOME environment variable for the top-level installation directory, and
adding $SPLUNK_HOME/bin to your shell's path.
If you installed in the default location for Linux, then your export path looks like this:
# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
If you installed in another location, use that path for the SPLUNK_HOME environment variable.
2. In the CLI, to start Splunk Enterprise type $SPLUNK_HOME/bin/splunk start
3. Accept the Splunk Enterprise license.
After you run the start command, Splunk Enterprise displays the license agreement and prompts you to
accept the license before the startup sequence continues.
Troubleshooting: If you have problems starting Splunk Enterprise, see Start Splunk Enterprise for the
first time in the Installation Manual.
4. Go to Login to Splunk Web.
Useful CLI commands
If you need to stop, restart, or check the status of your Splunk Enterprise server, use these CLI commands:
$ splunk stop
$ splunk restart
$ splunk status
Start Splunk Enterprise on Windows
After the Windows installation finishes, Splunk Enterprise starts and opens Splunk Web in a supported browser.
1. If Splunk Enterprise does not start, use one of the following options to start it.
♦ Start Splunk Enterprise from the Start menu.
♦ Use the Windows Services Manager to start Splunk Enterprise.
♦ Open a cmd window, go to \Program Files\Splunk\bin, and type splunk start.
Start Splunk Enterprise on Mac OS X
In Mac OS X, you can start Splunk Enterprise from the Finder.
8
1. Double-click the Splunk icon on your desktop to launch the Splunk helper application, called Splunk's Little
Helper.
The first time you run the helper application, it notifies you that it needs to perform an initialization.
2. Click OK for Splunk Enterprise to initialize and set up the trial license.
3. After the helper application opens, select Start and Show Splunk. This option starts Splunk Enterprise and
directs your web browser to open a page to Splunk Web.
You can also use the helper application to stop Splunk Enterprise.
Login to Splunk Web
At the end of the startup sequence, a message appears about where to access Splunk Web:
The Splunk Web interface is at http://localhost:8000

Splunk Web runs by default on port 8000 of the host on which it is installed. If you use Splunk Enterprise on your local
machine, the URL to access Splunk Web is http://localhost:8000.
Using an Enterprise license
If you are using an Enterprise license, when you launch Splunk Enterprise for the first time, this login screen appears.
Follow the screen instructions to authenticate with the default credentials.
username: admin
password: changeme
When you sign in with the default password, you can either create a password, or click Skip to continue to use the default
password.
The first page you see is Splunk Home.
Using a Free license
If you are using a Free license, you do not need to authenticate to use Splunk Enterprise. When you start Splunk
Enterprise you do not see this login screen. Instead, you go directly to Splunk Home or whatever is set as the default app
for your account.
9
Next step
You have downloaded the tutorial data files and installed Splunk Enterprise.
Continue to Navigating Splunk Web.
Navigating Splunk Web

Splunk Web is the primary interface for searching, problem investigation, reporting on results, and administrating Splunk
deployments.
About Splunk Home
Splunk Home is the initial page in Splunk Web. Splunk Home is an interactive portal to the data and applications that you
can access from this Splunk Enterprise instance. The main parts of the Splunk Home page are the Apps panel, the
Explore Splunk panel, and the Splunk bar.
The following image shows the Splunk Home page for Splunk Enterprise. Splunk Cloud has a similar Home Page.
Apps panel
The Apps panel lists the applications that are installed on your Splunk instance. The list shows only the apps that you
have permission to view.
When you first open Splunk Web, you see Search & Reporting in the Apps panel. The Search & Reporting app is
sometimes referred to as simply the Search app. There might be other apps listed on the Apps panel if other applications
are installed on your computer.
Explore Splunk panel
The Explore Splunk panel contains links to pages where you can get help.
Splunk Enterprise
You can take a product tour, add data, browse for new apps, or access the documentation.
10
Splunk Cloud
You can take a product tour or access the documentation that is used the most.
Splunk bar
The Splunk bar appears on every page in Splunk Web. You use this bar to switch between apps, configure your Splunk
deployment, view system-level messages, and monitor the progress of search jobs.
1. Click Search & Reporting.
When you are in an app, the Application menu is added to the Splunk bar. Use this menu to switch
between apps.
Splunk Enterprise
The following image shows the Splunk bar in Splunk Enterprise.
Splunk Cloud
The following image shows Splunk bar in Splunk Cloud.
We will explore the Search app in detail. For now, let's return to Splunk Home.
2. Click the Splunk logo on the Splunk bar.
Regardless of where you are in an app, you can always click the Splunk logo to return to Splunk Home.
More about the Splunk bar
The Splunk bar has several menus. Let's explore a few of them.
Account menu
Use the Account menu to edit your account settings, for example to change your password.
Splunk Enterprise
The Account menu displays Administrator for now, but this menu is your Account menu. It shows
Administrator initially, because that is the default user name for a new installation.
1. Select Administrator > Account Settings.
11
2. In the Full name field, type your first name and surname.
For this tutorial, we will not change the other settings.
3. Click Save.
4. Click the Splunk logo to return to Splunk Home.
Splunk Cloud
The Account menu displays your name.
1. Select Your_Name > User Settings.
2. The Full name field should list your first name and surname. You can change the order of the names, or type a
nickname.
For this tutorial, we will not change the other settings.
3. Click Save.
Messages menu
All system-level error messages are listed on the Messages menu. When you have a new message to review, a
notification appears as a count next to the Messages menu. The notification is a number, that represents the number of
messages that you have.
Assistance
The menu that you use to get help with the Splunk software depends on the Splunk platform that you are using.
Splunk Enterprise
The Help menu contains a set of links to the product release notes, tutorials, Splunk Answers, and the Splunk
Support and Services page. You can also search the online documentation.
Splunk Cloud
The Support & Services menu contains a set of links to Splunk Answers, the Documentation home page, and
the Splunk Support and Services page. You can also search the online documentation.
Other menus on the Splunk bar
You will explore the other menus on the Splunk bar later in the tutorial.
12
Next step
This completes Part 1 of the Search Tutorial.
You are now familiar with Splunk Web. Continue to Part 2: Uploading the tutorial data.
13
Part 2: Uploading the tutorial data
About uploading data

When you add data to your Splunk deployment, the data is processed and transformed into a series of individual events
that you can view, search, and analyze.
What kind of data?
The Splunk platform accepts any type of data. In particular, it works with all IT streaming and historical data. The source
of the data can be event logs, web logs, live application logs, network feeds, system metrics, change monitoring, message
queues, archive files, and so on.
In general, data sources are grouped into the following categories.
Data source Description

Files and
Most data that you might be interested in comes directly from files and directories.
directories
Network events The Splunk software can index remote data from any network port and SNMP events from remote devices.
Windows The Windows version of Splunk software accepts a wide range of Windows-specific inputs, including Windows Event Log,
sources Windows Registry, WMI, Active Directory, and Performance monitoring.
Other input sources are supported, such as FIFO queues and scripted inputs for getting data from APIs, and other remote
Other sources
data interfaces.
For many types of data, you can add the data directly to your Splunk deployment. If the data that you want to use is not
automatically recognized by the Splunk software, you need to provide information about the data before you can add it.
Let's look at some of the data sources that are automatically recognized.
Splunk Cloud
1. If the Welcome to the Splunk Free Cloud Trial! window is displayed, close the window.
2. Click Settings > Add Data.
14
3. At the bottom of the screen is a list of common data sources.
You will come back to this window in a moment.

Splunk Enterprise
1. Click Add Data in the Explore Splunk Enterprise panel.
2. Scroll down and look at the list of common data sources.

You will come back to this window in a moment.
Where is the data stored?
The process of transforming the data is called indexing. During indexing, the incoming data is processed to enable fast
searching and analysis. The processed results are stored in the index as events.
The index is a flat file repository for the data. For this tutorial, the index resides on the computer where you access your
Splunk deployment.
Events are stored in the index as a group of files that fall into two categories:
• Raw data, which is the data that you add to the Splunk deployment. The raw data is stored in a compressed
format.
• Index files, which include some metadata files that point to the raw data.
15
These files reside in sets of directories, called buckets, that are organized by age.
By default, all of your data is put into a single, preconfigured index. There are several other indexes used for internal
purposes.
Next step
Now that you are more familiar with data sources and indexes, let's learn about the tutorial data that you will work with.
See also
Where is my data? in Getting Data In

Use apps to get data into the index in Getting Data In
About managing indexes in Managing Indexers and Clusters of Indexers
What is in the tutorial data?

The tutorial data file is updated daily and contains events that are timestamped for the previous seven days. The tutorial
data contains several types of information about the fictitious online store Buttercup Games. Buttercup, for those of you
that don't know, is a pony and is the Splunk mascot.
The information includes access.log files, secure.log files, and vendor_sales.log files from mail servers and web accounts.
access.log file data
The raw data in the access.log file is difficult to read and analyze when you have hundreds, if not thousands, of lines of
data. Each day, every day. That is where the Splunk platform comes in.
175.44.24.82 - - [22/Sep/2016:18:44:40] "POST

/product.screen?productId=WC-SH-A01&JSESSIONID=SD7SL9FF5ADFF5066 HTTP 1.1" 200 3067
"http://www.buttercupgames.com/product.screen?productId=WC-SH-A01" "Mozilla/5.0 (compatible; MSIE 9.0;
Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)" 307
142.233.200.21 - - [22/Sep/2016:19:20:13] "GET show.do?productId=SF-BVS-01&JSESSIONID=SD6SL8FF4ADFF5218
HTTP 1.1" 404 1329 "http://www.buttercupgames.com/cart.do?action=purchase&itemId=EST-13" "Mozilla/5.0
(compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 674
secure.log file data
The raw data in the secure.log file looks like this:
Thu Sep 22 2016 00:15:06 mailsv1 sshd[60445]: pam_unix(sshd:session): session opened for user djohnson by
(uid=0)
Thu Sep 22 2016 00:15:06 mailsv1 sshd[3759]: Failed password for nagios from 194.8.74.23 port 3769 ssh2
Thu Sep 22 2016 00:15:08 mailsv1 sshd[5276]: Failed password for invalid user appserver from 194.8.74.23
port 3351
vendor_sales.log file data
The raw data in the vendor_sales.log file looks like this:
16
[22/Sep/2016:18:23:07] VendorID=5037 Code=C AcctID=5317605039838520
[22/Sep/2016:18:23:22] VendorID=9108 Code=A AcctID=2194850084423218
[22/Sep/2016:18:23:49] VendorID=1285 Code=F AcctID=8560077531775179
[22/Sep/2016:18:23:59] VendorID=1153 Code=D AcctID=4433276107716482
Next step
Let's upload the tutorial data to your Splunk deployment.
Upload the tutorial data

This tutorial uses a set of data that is designed to show you the features in the product. Using the tutorial data ensures
that your search results are consistent with the steps in the tutorial.
Prerequisite
You must have the tutorial data files on your computer.
Use the Add Data wizard
1. If you are not on the Splunk Home page, click the Splunk logo on the Splunk bar to go to Splunk Home.
2. Locate the Add Data icon.
Splunk Cloud
a. If the Welcome to the Splunk Free Cloud Trial! window is displayed, close the window.
b. Click Settings > Add Data.
Splunk Enterprise
a. In the Explore Splunk Enterprise panel, click Add Data.
3. Click Upload. There are other options for adding data, but for this tutorial you will upload the data files.
4. Under Select Source, click Select File to browse for the tutorialdata.zip file.
17
5. Select the file and click Open.
Note: Because you specified a compressed file, a data source that the Splunk software recognizes, the
wizards steps change. The step Set Source Type is skipped. When you load data that is not in a
compressed file, you will set the data source type.
6. Click Next to continue to Input Settings.
Under Input Settings, you can override the default settings for Host, Source type, and Index.
7. Modify the Host settings to assign the host names using a portion of the path name. The settings that you select
depend whether you are installing on Splunk Cloud or Splunk Enterprise and on the operating system you are
using.
Splunk Cloud
a. Select Segment in path.
b. Type 1 for the segment number.
Splunk Enterprise
For Linux or Mac OS X:
a. Select Segment in path.
b. Type 1 for the segment number.
18
Windows
a. Select Regular expression on path.
b. Type \\(.*)\/ for the regex to extract the host from the path.
8. Click Review. The following screen appears where you can review your input settings.
9. Click Submit to add the data.
19
10. To see the data in the Search app, click Start Searching.
You might see a screen asking if you want to take a tour. You can take the tour or click Skip.
The Search app opens and a search is automatically run on the tutorial data source.
Success! The results confirm that the data in the tutorialdata.zip file was indexed and that events were
created.
Next step
You have completed Part 2 of the Search Tutorial.
Now you know how to add data to your Splunk platform. Next, you will begin to learn how to search that data. Continue to
Part 3: Using the Splunk Search App.
20
Part 3: Using the Splunk Search App
Exploring the Search views

In Part 2, you learned about the types of data that the Splunk platform works with and uploaded the tutorial data into the
index. In Part 3, you will learn about the Search app.
Find Splunk Search
1. If you are not on the Splunk Home page, click the Splunk logo on the Splunk bar to go to Splunk Home.
2. From Splunk Home, click Search & Reporting in the Apps panel.
This opens the Search Summary view in the Search app.
Search Summary view
The Search Summary view includes common elements that you see on other views, including the Applications menu, the
Splunk bar, the Apps bar, the Search bar, and the Time Range Picker. Elements that are unique to the Search Summary
view are the panels below the Search bar: the How to Search panel, the What to Search panel, and the Search History
panel.
21
Number Element Description
Applications Switch between Splunk applications that you have installed. The current application, Search & Reporting
1 app, is listed. This menu is on the Splunk bar.
menu
2 Splunk bar Edit your Splunk configuration, view system-level messages, and get help on using the product.
Apps bar Navigate between the different views in the application you are in. For the Search & Reporting app the views
3 are: Search, Pivot, Reports, Alerts, and Dashboards.
4 Search bar Specify your search criteria.
Time range
5 Specify the time period for the search, such as the last 30 minutes or yesterday. The default is All time.
picker
6 How to search Contains links to the Search Tutorial and Search Manual.
What to search Shows a summary of the data that is uploaded on to this Splunk instance and that you are
7
authorized to view.
Search history View a list of the searches that you have run. The search history appears after you run
8
your first search.
Explore the Data Summary information
Use the Data Summary to view information about your data.
1. In the What to Search panel, click Data Summary.
The tabs Hosts, Sources, and Sourcetypes, represent searchable fields in your data.
The host of an event is the host name, IP address, or fully qualified domain name of the network machine
from which the event originated. In a distributed environment, you can use the host field to search data
from specific machines.
The Host tab lists five hosts. These hosts were identified from the tutorialdata.zip file that you added
to your Splunk deployment.
22
2. Click the Sources tab to see the eight sources listed, all of which are log files.
The source of an event is the file or directory path, network port, or script from which the event
originated.
3. Click the Sourcetypes tab. The three source types that are in the tutorial data file include the following:
♦ access_combined_wcookie. Apache web server log files.
♦ secure. Secure server log files.
♦ vendor_sales. Global sales vendor information.
The source type of an event tells you what kind of data it is, usually based on how it is formatted. This
classification lets you search for the same type of data across multiple sources and hosts.
Let's explore some of the data.

4. Click the Sources tab.
5. Click tutorialdata.zip:./www1/access.log.
A new search runs. The events that match the search appear in the lower portion of the screen.
New Search view
The New Search view opens after you run a search.
Some of the elements in this view might be familiar, such as the Apps bar, the Search bar, and the time range picker.
Below the Search bar, are the Timeline, the Fields sidebar, and the Events view.
23
Number Element Description
1 Apps bar Navigate between the different views in the Search & Reporting app.
2 Search bar Specify your search criteria.
Time range
3 Specify the time period for the search.
picker
Timeline A visual representation of the number of events that occur at each point in time. Peaks or
4 valleys in the timeline can indicate spikes in activity or server downtime. The timeline options
are located above the timeline. You can zoom in, zoom out, and change the scale of the chart.
Fields Displays a list of the fields discovered in the events. The fields are grouped into Selected
5
sidebar Fields and Interesting Fields.
Events Displays the events that match your search. By default, the most recent event is listed first. In
6 viewer each event, the matching search terms are highlighted. To change the event view, use the List,
Format, and Per Page options.
Explore the data source types
1. To return to the Search Summary view, click Search in the Apps bar.
2. Try a different search. Click Data Summary and click the Sourcetypes tab.
3. Click vendor_sales.
The New Search view opens and the Search bar shows the following search criteria.
sourcetype=vendor_sales
Selecting a host, source, or source type from the Data Summary dialog box is a great way to see how your data is turned
into events. However, the real power of the Splunk software is in searching all of your data, not segmented parts of it.
Next step
Learn about specifying time ranges in your searches.
24
See also
View and interact with your Search History in the Search Manual
Why source types matter in Getting Data In
Specifying time ranges

Restricting, or filtering, your search criteria using a time range is the easiest and most effective way to optimize your
searches.
You can use time ranges to troubleshoot an issue, if you know the approximate timeframe when the issue occurred.
Narrow the time range of the search to that timeframe. For example, to investigate an incident that occurred yesterday,
select Yesterday or Last 24 hours. To investigate an incident that occurred 10 minutes ago, select Last 15 minutes or
Last 60 minutes. Then, adjust the time range as needed in your investigation.
Let's explore the data from the Buttercup Games online store using the different time ranges.
1. To start a new search, click Search in the Apps bar.

2. To search for a keyword in your events, type buttercupgames in the Search bar and press Enter.
buttercupgames
The keyword is highlighted in the events that are returned.
25
Notice that thousands of events are returned. You use the time range picker, which is to the right of the Search bar, to set
time boundaries on your searches.
The default time range is All time. You can restrict the search to one of the preset time ranges, or use a custom time
range.
Preset time ranges
The time range picker has many preset time ranges that you can select from.
1. Click All-time in the time range picker to see a list of the time range options.
The Presets option contains Real-time, Relative, and Other time ranges.
♦ Real-time searches display a live, streaming view of events. You can specify a window over which to
retrieve events.
♦ Historical searches display events from the past. You can restrict your search by specifying a relative
time range or a specific date and time range.
Because the data for the Buttercup Games online store is a snapshot of historical data, you will use the
Relative and Custom time ranges in this tutorial.
2. In the Presets option in the Relative list, click Yesterday.
The number of events returned should be smaller. You changed the time range from All-time to
Yesterday.
Note: If no events are returned, it is probably because you downloaded the tutorialdata.zip file more than one
day ago. When you download the ZIP file, timestamps are generated and added to the data. The earliest
timestamp on the data is the date you downloaded the file. Therefore there are no events that have a timestamp
for yesterday. Try a different Relative time range, such as Previous week or Last 7 days.
Custom time ranges
Use a custom time range when one of the preset time ranges is not precise enough for your search.
Specify relative time ranges
You can use the Relative option to specify a custom time range.
26
1. Open the time range picker.
2. To run a search over the last two hours, select the Relative time range option.
3. For Earliest, type 2 in the field, and select Hours Ago from the drop-down list.
4. For Latest, the default is now. Select Beginning of the current hour.
5. Click Apply.
The timestamps adjust to show you the earliest and latest timestamps that you specify.
As mentioned before, if no events are returned, select a different time range, such 4 Days Ago or 1 Week Ago.
Specify date and time ranges
You can also use the Date Range and Date & Time Range options to specify a custom time range.
• Use Between to specify that events must occur between an earliest and latest date.
• Use Before to specify that events must occur before a date.
• Use Since to specify that events must occur after a date.
You use the Date Range option to specify dates. The following screen image shows the calendar that you can use to
select a date.
27
You use the Date & Time Range option when you want to specify both a date and a time. The following screen image
shows the "Between", "Before", or "Since" options.
For example, to troubleshoot an issue that took place September 20th 2016 at 8:42 PM, specify the earliest time of
09/20/2016 20:40:00.000 and the latest time of 09/20/2016 20:45:00.000 to show the events immediately before and after
the issue took place.
Next step
You have explored the Search app views and learned how important it is to specify time ranges with your searches.
Continue to Part 4: Searching the tutorial data.
See also
Change the default time range in the Search Manual
28
Part 4: Searching the tutorial data
Basic searches and search results

In this section, you create searches that retrieve events from the index.
The data for this tutorial is for the Buttercup Games online store. The store sells games and other related items, such as
t-shirts. In this tutorial, you will primarily search the Apache web access logs, and correlate the access logs with the
vendor sales logs.
Prerequisite
Complete the steps, Upload the tutorial data, in Part 2.
Using the Search Assistant
The Search Assistant is a feature in the Search app that appears as you type your search criteria. The Search Assistant is
like autocomplete, but so much more.
1. Click Search in the App bar to start a new search.

2. Type buttercup in the Search bar.
When you type a few letters into the Search bar, the Search Assistant shows you terms in your data that
match the letters that you type in. You should see that buttercupgames is a Matching Term.
4. Type category in the Search bar. The terms that you see, such as categoryid="accessories" are in the tutorial
data.
5. Use the down-arrow key and select "categoryid=sports" from the Search Assistant list.
6. Press Enter, or click the Search icon on the right side of the search bar, to run the search.
29
Matching Searches
The Search Assistant also returns matching searches, which are based on the searches that you have recently run. The
Matching Searches list is useful when you want to run the same search from yesterday, or a week ago. Your search
history is retained when you log out.
The Search Assistant is more useful after you start learning the search language. When you type search commands, the
Search Assistant displays command information.
Retrieve events from the index
Let's try to find out how many errors have occurred on the Buttercup Games website.
To retrieve events that mention errors or failures, you type the keywords in your search criteria. If you use multiple
keywords, you must specify Boolean operators such as AND, OR, and NOT.
The AND operator is implied when you type in multiple keywords. For example, typing buttercupgames error is the same
as typing buttercupgames AND error.
1. Start a new search.

2. To search for the terms error, fail, failure, failed, or severe, in the events that also mention buttercupgames, run
the following search.
buttercupgames (error OR fail* OR severe)
Tip: Instead of typing the search string, you can copy and paste the search from this
tutorial directly into the Search bar.
3. Click the Search icon to the right of the time range picker to run the search.
Notice that you must capitalize Boolean operators. The asterisk ( * ) character is used as a wildcard character to match
fail, failure, failed, failing, and so forth.
When evaluating Boolean expressions, precedence is given to terms inside parentheses. NOT clauses are evaluated
before OR clauses. AND clauses have the lowest precedence.
30
This search retrieves 427 matching events.
Understanding search results
Below the Search bar are four tabs: Events, Patterns, Statistics, and Visualizations.
The tab that shows the search results depends on the type of search commands you used. In the early parts of this
tutorial, you will work with the Events tab. Later in this tutorial, you will learn about the other tabs.
The Events tab displays the Timeline of events, the Fields sidebar, and the Events viewer.
31
By default, the events appear as a list that is ordered starting with the most recent event. In each event, the matching
search terms are highlighted. The List display option shows the event information in three columns.
Column Description
Use the event information column to expand or collapse the display of the event information. By default the display is collapsed.
i Click the greater than ( > ) symbol to expand the display.
The timestamp for the event. When events are indexed, the timestamp in the event is extracted. If the event does not contain a
Time timestamp, the indexing process adds a timestamp that is the date and time the event was indexed.
Event The raw event data. The Selected fields from the Fields sidebar appear at the bottom of each event.
Change the display of the Events viewer
1. Select the List option and click Table.

The display changes to show the event information column, the timestamp column, and columns for each
of the Selected fields. You will learn more about the Selected fields later in the tutorial.
2. Change the display back to List.
Timeline of events
The Timeline of events is a visual representation of the number of events that occur at each point in time. As the timeline
updates with your search results, there are clusters or patterns of bars. The height of each bar indicates the count of
events. Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The timeline highlights patterns
of events, or peaks and lows in event activity. The timeline options are located above the timeline. You can zoom in, zoom
out, and change the scale of the chart.
Fields sidebar
When you add data to the Splunk platform the data is indexed. As part of the index process, information is extracted from
your data and formatted as name and value pairs, called fields. When you run a search, the fields are identified and listed
in the Fields sidebar next to your search results. The fields are divided into two categories.
• Selected fields are visible in your search results. By default, host, source, and sourcetype appear. You can
select other fields to show in your events.
• Interesting fields are other fields that have been extracted from the events in your search results.
You can hide the fields sidebar to maximize the results area.
Patterns, Statistics, and Visualizations
The Patterns tab displays a list of the most common patterns among the set of events returned by your search. Each of
these patterns represents events that share a similar structure.
The Statistics tab populates when you run a search with transforming commands such as stats, top, chart, and so on.
The keyword search for "buttercupgames" does not show results in this tab because the search does not include any
transforming commands.
Searches with transforming commands also populate the Visualization tab. The results area of the Visualizations tab
includes a chart and the statistics table that is used to generate the chart.
You will learn about transforming commands, and use the Statistics and Visualizations tabs, later in the tutorial.
32
Next step
Learn to use fields to search your data.
See also
Help building searches using the Search Assistant in the Search Manual
Identify event patterns with the Patterns tab in the Search Manual
Introduction to Pivot in the Pivot Manual
Use fields to search

To take advantage of the advanced search features in the Splunk software, you must understand what fields are and how
to use them.
What are fields?
Fields exist in machine data in many forms. Often, a field is a value with a fixed, delimited position on a line, or a name
and value pair, where there is a single value to each field name. A field can be multivalued, that is, it can appear more
than once in an event and have a different value for each appearance.
• Some examples of fields are clientip for IP addresses accessing your Web server, _time for the timestamp of an
event, and host for domain name of a server.
• One of the more common examples of multivalue fields is email address fields. While the From field will contain
only a single email address, the To and Cc fields have one or more email addresses associated with them.
Fields are searchable name and value pairings that distinguish one event from another. Not all events have the same
fields and field values. Use fields to write more tailored searches to retrieve the specific events that you want.
Extracted fields
The Splunk software extracts fields from event data at index time and at search time.
Index time
The time span from when the Splunk software receives new data to when the data is written to an index. During
index time, the data is parsed into segments and events. Default fields and timestamps are extracted, and
transforms are applied.
Search time
The period of time beginning when a search is launched and ending when the search finishes. During search
time, certain types of event processing take place, such as search time field extraction, field aliasing, source type
renaming, event type matching, and so on.
The default fields and other indexed fields are extracted for each event when your data is indexed.
33
Search with fields
When you search for fields, you use the syntax fieldname=fieldvalue.
• Field names are case sensitive, but field values are not.
• You can use wildcards in field values.
• Quotation marks are required when the field values include spaces.

2. To search the sourcetype field for any values that begin with access_, run the following field-value search.
sourcetype=access_*
This search indicates that you want to retrieve only events from your web access logs and nothing else.
This search uses a wildcard character, access_*, in the field value to match any Apache web access
sourcetype. The source types can be access_common, access_combined, or
access_combined_wcookie.
3. Scroll through the list of events in your search results.
If you are familiar with the access_combined format of Apache logs, you might recognize some of the
information in each event, such as:
• IP addresses for the users accessing the website.

• URIs and URLs for the pages requested and referring pages.
• HTTP status codes for each page request.
• GET or POST page request methods.
34
These are events for the Buttercup Games online store, so you might recognize other information and keywords
in the search results, such as Arcade, Simulation, productId, categoryId, purchase, addtocart, and so on.
To the left of the events list is the Fields sidebar. As events are retrieved that match your search, the Fields
sidebar updates with Selected fields and Interesting fields. These are the fields that the Splunk software
extracts from your data.
35
When you first run a search the Selected Fields list contains the default fields host, source, and sourcetype. The
default fields appear in every event.
Interesting Fields are fields that appear in at least 20% of the events.
Specify additional selected fields
You can designate other fields to appear in the Selected Fields list. When you add a field to the Selected Fields list, the
field name and field value are included in the search results.
1. To add fields to the Selected Fields list, click All Fields.
The Select Fields dialog box shows a list of fields in your events. The # of Values column shows the
number of unique values for each field in the events. Because your search criteria specifies the source
type, the sourcetype field has just 1 value.
The list contains additional default fields, fields that are unique to the source type, and fields that are
related to the Buttercup Games online store.
• In addition to the three default fields that appear automatically in the list of Selected Fields, there are other default
fields that are created when your data is indexed. For example, fields that are based on the event timestamp
begin with date_*). The field that identifies data that contains punctuation is the punct field. The field that specifies
the location of the data in your Splunk deployment is the index field.
• Other field names apply to the web access logs that you are searching. For example, the clientip, method, and
status fields. These are not default fields. They are extracted at search time.
• Other extracted fields are related to the Buttercup Games online store. For example, action, categoryId, and
productId.
• Select the action, categoryId, and productId fields.

• Close the Select Fields dialog box.
The three fields that you selected appear under Selected Fields in the Fields sidebar. The selected fields also
36
appear in the events in your search results, if those fields exist in that particular event. Every event might not have
the same fields.
Identifying field values
The Fields sidebar displays the number of unique values for each field in the events. These are the same numbers that
appear in the Select Fields dialog box.
1. Under Selected Fields, notice the number 5 next to the action field.
2. Click the action field.
The field summary for the action field opens.
37
In this set of search results there are five values for action. The action field appears in 49.9% of your
search results.
3. Close the action field summary window.
4. Review the other two fields you added to the Selected fields. The categoryId field identifies the types of games or
other products that are sold by the Buttercup Games online store. The productId field contains the catalog
numbers for each product.
5. Scroll through the events list.
6. The i column contains event information. In the i column, click the arrow ( > ) next to an event to expand the event
information.
You can use this expanded panel to view all the fields in a particular event, and select or deselect
individual fields for an individual event.
Run targeted searches
The following examples are searches that use fields.
Search for successful purchases
Search for successful purchases from the Buttercup Games store.

2. Run the following search.
sourcetype=access_* status=200 action=purchase

This search uses the HTTP status field, status, to specify
successful requests and the action field to
search only for purchase events.
You can search for failed purchases in a similar manner using status!=200, which looks for all events
where the HTTP status code is not equal to 200.
3. Change the status portion of the search and run the search again.
sourcetype=access_* status!=200 action=purchase
38
Search for errors
The way that errors are designed in events varies from source to source. To search for errors, your search must specify
these different designations.
Use Boolean operators to specify different error criteria. Use parenthesis to group parts of your search string.

(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
This search does not specify a source type. The search retrieves events from both the secure log files
and the web access log files.
Search for sales of a specific product
Search for how many simulation style games were bought yesterday.
1. In the time range picker, select Yesterday from the Presets list.
If you downloaded the tutorialdata.zip file more than one day ago, there are no events that have a
timestamp for yesterday. Instead, change the time range picker to All time and run the previous search.
In the search results, look at the dates. Use the Date Range option in the time range picker to specify
one of the dates in your results.
sourcetype=access_* status=200 action=purchase categoryId=simulation

As you type the search, the Search Assistant shows you a list of your previous searches that start with
"sourcetype". You can select the search that you ran earlier to search for successful purchases. Then add
categoryId=simulation to the end of that search.
The count of events returned are the number of simulation games purchased.
3. Find the number of purchases for each type of product sold at the shop.
1. Locate the unique categoryId values by clicking on the categoryId field in the Selected Fields list.
2. Run the search in step 2 for each unique categoryId value.
• For the number of purchases made each day of the previous week, run the search again for each time range.
Next step
You can use your knowledge about fields to take advantage of the Splunk search processing language to generate
statistics and build charts.
Let's learn how to use the search language.
See also
In the Knowledge Manager Manual
About fields
Use default fields
When Splunk Enterprise extracts fields
39
Use the search language
The searches that you have run to this point have retrieved events from your Splunk index. You were limited to asking
questions that could only be answered by the number of events returned.
For example, you ran the following search to determine how many simulation games were purchased:
sourcetype=access_* status=200 action=purchase categoryId=simulation
To find this number for the days of the previous week, you need to run it against the data for each day of that week. To
see which products are more popular than the other, run the search for each of the eight categoryId values and compare
the results.
Splunk developed the Search Processing Language (SPL) to use with Splunk software. SPL encompasses all the search
commands and their functions, arguments, and clauses. One way to learn the SPL language is by using the Search
Assistant.
Learn with the Search Assistant
There are two modes for the Search Assistant: Compact and Full. The default mode is Compact, which you were
introduced to in the Basic searches and search results topic in this tutorial.
This section shows you how to change the Search Assistant mode. You will use the Search Assistant to learn about the
SPL and to construct searches.
1. Select the Account menu.
Splunk platform Step Example
Splunk Enterprise Select Administrator > Account Settings.
Splunk Cloud Select Your_Name > User Settings.
2. Scroll down to the Search section and change the Search assistant to Full.
The Full mode provides more information as you type commands in the Search bar.
3. Click Save.
Let's explore the benefits of the Full mode and creating searches using the SPL commands.
1. Click App > Search & Reporting to return to the Search app.
2. Type s in the Search bar.
40
The Search Assistant shows a list of Matching Searches and Matching Terms. It also explains briefly
How To Search.
3. Select the following search from the Matching Searches list, or type the search into the Search bar.
sourcetype=access_* status=200 action=purchase

4. After action=purchase, type a pipe character ( | ) into the Search bar.
The pipe character indicates that you are about to use a command. The results of the search to the left of
the pipe are used as the input to the command to the right of the pipe. You can pass the results of one
command into another command in a series, or pipeline, of search commands.
Notice that the Search Assistant changes to show a list of Common Next Commands.
You want the search to return the most popular items bought at the Buttercup Games online store.
5. Under Common Next Commands, select top.
The top command is appended to your search string.
41
6. Type categoryId into the Search bar.
The following search is the complete search string.

sourcetype=access_* status=200 action=purchase | top categoryId
The search criteria before the pipe character, sourcetype=access_* status=200 action=purchase,
locates events from the access control log files, that were successful (HTTP status is 200), and that were
a purchase of a product.
The search criteria after the pipe character, top categoryId, takes the events located and returns the
categoryId field for the most common values.
7. Run the search.
The results of the top command appear in the Statistics tab.
View results in the Statistics tab
The top command is a transforming command. Transforming commands organize the search results into a table. Use
transforming commands to generate results that you can use to create visualizations such as column, bar, line, area, and
pie charts. We will talk more about visualizations later in this tutorial.
Because transforming commands return your search results in a table format, the results appear on the Statistics tab.
In this search for successful purchases, seven different category IDs were found. The list shows the category ID values
from highest to lowest, based on the frequency of the category ID values in the events.
Many of the transforming commands return additional fields that contain useful statistical information. The top command
returns two new fields, count and percent.
• The count field specifies the number of times each value of the categoryId field occurs in the search results.
• The percent field specifies how large the count is compared to the total count.
View and format results in the Visualization tab
You can also view the results of transforming searches in the Visualizations tab, where you can format the chart type.
1. Click the Visualization tab.
By default, the Visualization tab opens with a Column chart.

2. Click Column Chart to open the visualization type selector.
42
Column, Bar, and Pie charts are listed as the Recommended chart type for this data set.
3. Select the Pie chart.
Now, your visualization looks like the following pie chart.
43
4. Next to the visualization drop-down list, click Format.
5. On the General tab next to Drilldown, click Yes.
6. Then close the dialog box.
The Drilldown setting lets you delve into the details of the information in the tables and charts on the
Visualizations tab.
7. Hover over each slice of the pie to see the count and percentage values for each categoryId.
8. Click on a slice, such as STRATEGY.
Because Drilldown is enabled, the criteria categoryId=STRATEGY is added to your search string, replacing
the top command. The search runs again.
44
Next step
Learn about correlating events with subsearches.
See also
The top command in the Search Reference

Drilldown behavior in the Dashboards and Visualizations
Use a subsearch
In this section you will learn how to correlate events by using subsearches.
A subsearch is a search that is used to narrow down the set of events that you search on. The result of the subsearch is
then used as an argument to the primary, or outer, search. Subsearches are enclosed in square brackets within a main
search and are evaluated first.
Let's find the single most frequent shopper on the Buttercup Games online store, and what that shopper has purchased.
The following examples show why a subsearch is useful. Example 1 shows how to find the most frequent shopper without
a subsearch. Example 2 shows how to find the most frequent shopper with a subsearch.
Example 1: Search without a subsearch
You want to find the single most frequent shopper on the Buttercup Games online store and what that shopper has
purchased. Use the top command to return the most frequent shopper.

2. Change the time range to All time.
3. To find the shopper who accessed the online shop the most, use this search.
sourcetype=access_* status=200 action=purchase | top limit=1 clientip
The limit=1 argument specifies to return 1 value. The clientip argument specifies the field to return.
This search returns one clientip value, 87.194.216.51, which you will use to identify the VIP shopper.
You now need to run another search to determine how many different products the VIP shopper has
purchased.
4. Use the stats command to count the purchases by this VIP customer.
sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 | stats count,
dc(productId), values(productId) by clientip
45
This search uses the count() function to return the total count of the purchases for the shopper. The dc()
function is the distinct_count function. Use this function to count the number of different, or unique,
products that the shopper bought. The values argument is used to display the actual product IDs in the
results.
The drawback to this approach is that you have to run two searches each time you want to build this table. The top
purchaser is not likely to be the same person at any given time range.
Example 2: Search with a subsearch
Let's start with our first requirement, to identify the single most frequent shopper on the Buttercup Games online store.
1. Copy and paste the following search into the Search bar and run the search.
sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip
This search returns the clientip for the most frequent shopper, clientip=87.194.216.51. This search is
almost identical to the search in Example 1 Step 1. The difference is the last piped command, | table
clientip, which displays the clientip information in a table.
To find what this shopper has purchased, you run a search using the same data. You provide the result of
the search for the most frequents shopper as one of the criteria for the purchases search.
The search to identify the most frequent shopper becomes the subsearch for the search to determine
what the shopper has purchased. Because you are searching the same data, the beginning of the main
search is identical to the beginning of the subsearch.
A subsearch is enclosed in square brackets [ ] and processed first when the search is parsed.
2. Copy and paste the following search into the Search bar and run the search.
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200
action=purchase | top limit=1 clientip | table clientip] | stats count, dc(productId),
values(productId) by clientip
Because the top command returns the count and percent fields, the table command is used to keep
only the clientip value.
46
These results should match the result of the two searches in Example 1, if you run it on the same time
range. If you change the time range, you might see different results because the top purchasing customer
will be different.
Note: The performance of this subsearch depends on how many distinct IP addresses match status=200
action=purchase. If there are thousands of distinct IP addresses, the top command has to keep track of
all of those addresses before the top 1 is returned, impacting performance. By default, subsearches
return a maximum of 10,000 results and have a maximum runtime of 60 seconds. In large production
environments, it is possible that the subsearch in this example will timeout before it completes. The best
option is to rewrite the query to limit the number of events that the subsearch must process. Alternatively,
you can increase the maximum results and maximum runtime parameters.
You can make the information more understandable by renaming the columns.
Column Rename
count Total Purchased
dc(productId) Total Products
values(productId) Products ID
clientip VIP Customer

You rename columns by using the AS operator on the fields in your search. If the rename that you want to use
contains a space, you must enclose the rename in quotation marks.
3. To rename the fields, copy and paste the following search into the Search bar and run the search.
action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased",
dc(productId) AS "Total Products", values(productId) AS "Products ID" by clientip | rename
clientip AS "VIP Customer"
47
4. Experiment with this search.
What happens when you run the search over different time periods? What if you wanted to find the top
product sold and how many people bought it?
Next step
You have learned how to use fields, the Splunk search language, and subsearches to search your data. Continue to Part
5: Enriching events with lookups.
See also
About subsearches in the Search Manual

The top command in the Search Reference
The stats command in the Search Reference
48
Part 5: Enriching events with lookups
Enabling field lookups

The events used in this tutorial data contain fields with the product codes and product IDs. Those codes and IDs do not
tell you much about the products themselves, such as the product names. Being able to display the actual product names
in reports and dashboards is useful to anyone who read those reports or dashboards. That is where lookup files come in.
Lookup files contain data that does not change very often. This can include information about customers, products,
employees, equipment, and so forth. For this tutorial, you will use a CSV lookup file that contains product IDs, product
names, regular prices, sales prices, and product codes.
With a lookup file, you can match the codes or IDs in the Buttercup Games store events with the codes or IDs in a lookup
file. This matching is referred to as field lookups. After the field lookups are configured, you can add any of the fields from
the lookup file to your search. The lookup files are sometimes referred to as lookup tables or lookup table files.
There are five key steps to enabling fields lookups:
1. Upload the lookup file

2. Share the uploaded file with the applications
3. Create a lookup definition and specify permissions
4. Share the lookup definition
5. Optional. Make the lookup definition automatic
The remaining Parts in this tutorial dependent on you completing the steps in this section. If you do not configure the
field lookup, the searches will not produce the correct results.
Uncompress the lookup file
In Part 1 of this tutorial, you downloaded two data files. One of the files was Prices.csv.zip. You will use this file as the
lookup file for the remaining sections of the tutorial.
1. Uncompress the Prices.csv.zip file.
The prices.csv files contains the product names, price, and code. For example:
productId product_name price sale_price Code

DB-SG-G01 Mediocre Kingdoms 24.99 19.99 A
DC-SG-G02 Dream Crusher 39.99 24.99 B
FS-SG-G03 Final Sequel 24.99 16.99 C
WC-SH-G04 World of Cheese 24.99 19.99 D
Find the Lookups manager
1. In the Splunk bar, click Settings.
49
2. In the Knowledge section, click Lookups.
The Lookups manager opens, where you can create new lookups or edit existing lookups.
You can view and edit existing lookups by clicking on the links in the Lookups manager. In the next few sections of this
tutorial, you will upload lookup table files, create lookup definitions, and create automatic lookups.
Upload the lookup table file
To use a lookup table file, you must upload the file to your Splunk platform.
1. In the Lookups manager, locate Lookup table files.

2. In the Actions column click Add new.
You use the Add new lookup table files view to upload CSV files that you want to use.
50
3. The Destination app field specifies which app you want to upload the lookup table file to. To upload the file in the
Search app, you do not need to change anything. The default value is search.
4. Under Upload a lookup file, click Choose File and browse for the prices.csv file.
5. Under Destination filename, type prices.csv.
This is the name that you will use to refer to the file when you create a lookup definition.
6. Click Save.
This uploads your lookup file to the Search app and displays the lookup table files list.
If the Splunk software does not recognize or cannot upload the file, you can take the following actions.
• Check that the file is uncompressed.

• If an error message indicates that the file does not have line breaks, the file has become corrupted. This can
happen if the file is opened in Microsoft Excel before it is uploaded. You should delete the Prices.csv.zip and
prices.csv files. Then download the ZIP file again, and uncompress the file.
51
The other lookup table files in the list are included with the Splunk software.
Share the lookup table file
Now that the lookup table file is uploaded, you need tell the Splunk software which applications can use this file. You can
share the lookup table file with the Search app or with all of the apps.
1. In the Lookup table files list, locate the prices.csv file at the bottom of the Path list.
2. In the Sharing column, notice that prices.csv is listed as Private.
3. To share the lookup table file, click Permissions.
4. In the Permissions dialog box, under Object should appear in, select All apps.
5. Click Save.
The Sharing setting for the prices.csv lookup table is set to Global.
Add the field lookup definition
It is not sufficient to share the lookup table file with an application. You must create a lookup definition from the lookup
table file.
1. In the Lookup table file dialog box, select Lookups in the breadcrumbs to return to the Lookups manager.
52
2. For Lookup definitions, click Add New.
The Add new lookups definitions page opens, where you define the field lookup.
3. There is no need to change the Destination app setting. It is already set to search, referring to the Search app.
4. For Name, type prices_lookup.
5. For Type, select File-based.
A file-based lookup is typically a static table, such as a CSV file.
6. For Lookup file, select prices.csv, which is the name of the lookup table file that you created.
7. For Configure time-based lookup and Advanced options, leave the check boxes unselected.
8. Click Save.
The prices_lookup is now defined as a file-based lookup.
53
Share the lookup definition with all apps
Now that you have created the lookup definition, you need to specify in which apps you want to use the definition.
1. In the Lookup definitions list, for the prices_lookup, click Permissions.

2. In the Permissions dialog box, under Object should appear in, select All apps.
3. Click Save.
In the Lookup definitions page, prices_lookup now has Global permissions.
You can use this field lookup to add information from the lookup table file to your events. You use the field lookup by
specifying the lookup command in a search string. Or, you can set the field lookup to run automatically.
Make the lookup automatic
Instead of using the lookup command in your search when you want to apply a field lookup to your events, you can set
the lookup to run automatically.
1. In the Lookups manager, for Automatic lookups, click Add New.

This takes you to the Add new automatic lookups view, where you configure the lookup to run
automatically.
54
2. There is no need to change the Destination app setting. It is already set to search, referring to the Search app.
3. For Name, type autolookup_prices.
4. For Lookup table, select prices_lookup.
The other options are lookups that are based on the lookup table files that come with the product.
5. For Apply to, the value sourcetype is already selected. For named, type access_combined_wcookie.
6. For Lookup input fields, type productId in both text boxes.

The lookup input fields are where you associate values from the lookup table file with values in your
events.
♦ The first text box specifies the value in the lookup table file.
♦ The second text box specifies the value in your events.
The lookup table file has a productId column that contains values that match the values in the productId
field in the events.
55
7. For Lookup output fields, specify the names of the fields from the lookup table file that you want to add to your
event data. You can specify different names. The lookup table file has several fields. You will specify two of the
fields to appear in your events.
1. In the first text box, type product_name. This is the field in the prices.csv file that contains the descriptive
name for each productId.
2. In the second text box, after the equal sign, type productName. This is the name of the field that will
appear in your events for the descriptive name of the product.
3. Click Add another field to add another field after the first one.
4. Type price in the first text box. This is the field in the prices.csv file that contains the price for each
productId. Let's use the same name for the field that will appear in your events. Type price in the second
text box.
56
8. Keep Overwrite field values unchecked.
9. Click Save.
The Automatic lookup view appears and the lookup that you configured, autolookup_prices, is in the list.
The full name is access_combined_wcookie : LOOKUP-autolookup_prices.
57
Next step
You have setup the Search app to automatically retrieve information from your lookup table definition.
Now, you will search using those lookup definitions.
Search with field lookups

Show the lookup fields in your search results
Now that you have defined the prices_lookup, you can display the fields in your search results.
1. In the Apps menu, click Search & Reporting to return to the Search summary view.
2. Run the following search to locate all of the web access activity.
sourcetype=access_*
3. Scroll through the list of Interesting Fields in the fields sidebar, and find the price field.
4. Click price to open the summary dialog box for the field.
5. Next to Selected, click Yes.

6. Close the dialog box.
7. Scroll through the list of Interesting Fields in the fields sidebar, and find the productName field.
8. Click productName to open the summary dialog box for the field.
9. Next to Selected, click Yes.
10. Close the dialog box.
Both the price field and the productName field appear in the Selected Fields list and in the search results.
Notice that not every event shows the price and the productName fields.
58
Search with the new lookup fields
When you setup the automatic lookup, you specified that the productId field in your indexed events corresponds to the
productId field in the prices.csv file.
When you run a search, the Splunk software uses that relationship to retrieve, or lookup, data from the prices.csv file.
This enables you to specify the productName and price fields directly in your search. The product name and price
information does not exist in our indexed fields. This information exists in the lookup file, prices.csv.
Example: Display the product names and prices
1. To show a list of the Buttercup Games product names and the corresponding prices, run the following search.
sourcetype=access_* |stats values(price) AS Price BY productName |rename productName AS

"Product Name"
59
Example: Display the VIP client purchases
In the previous section about subsearches, you created a search that returned the product IDs of the products that a VIP
client purchased.

dc(productId) AS "Total Products", values(productId) AS "Products ID" BY clientip | rename clientip
AS "VIP Customer"
The events return the product IDs because that is the only data in your events about the product. However, now that you
have defined the automatic lookup, you can return the actual product names.
1. Using the same search, for the values parameter, replace the productId field with the productName field.

action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total
Purchased", dc(productId) AS "Total Products", values(productName) AS "Product Names"
BY clientip | rename clientip AS "VIP Customer"
The results are the same as in the previous search, showing the purchases by the VIP customer.
However, the results are more meaningful because the product names appear instead of the
more cryptic product IDs.
60
Next step
You have learned how to use field lookups in your searches. As you run more searches, you want to be able to save
those searches, or share the searches with other people. Continue to Part 6: Creating reports and charts.
61
Part 6: Creating reports and charts
Save and share your reports

In the last few Parts of this tutorial, you learned the basics of searching using the Splunk software, how to use a
subsearch, and how to add fields from lookup tables. Part 6 shows you how to save and share your searches and
explores more detailed search examples.
Save a search as a report
Reports are created whenever you save a search. After you create a report, you can do a lot with it.
1. Set the time range to Last 7 days and run the following search.
This is the same search that you ran in the section Search with field lookups.
dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip |
rename clientip AS "VIP Customer"
Note: If your search does not return results, increase the time range of the search. For example, you can
run search over the time range Last 30 days or All Time.
2. Click Save as above the search bar and select Report.
3. In the Save As Report dialog box for Title type VIP Customer.
4. For Description, type Buttercup Games most frequent shopper.
62
5. For Time Range Picker, click Yes.
When you include a Time range picker in a report, it gives you the option of running the report with a
different time range.
6. Click Save.
A confirmation dialog box opens confirming that your report has been created. From this dialog box you
can perform the following actions.
♦ Continue Editing. To refine the search and report format.
♦ Add to Dashboard. To add the report to a new or existing dashboard.
♦ View. To view the report.
7. Click View.
The title and description that you specified appear at the top of the report. Time range picker is also
included at the top of the report.
View and edit reports
You can view and edit reports that you have saved. You edit a report directly from within the report.
1. In VIP Customer report, click Edit.
The options are to open the report in the Search view, or to edit the report description, permissions,
schedule, and acceleration. You can also clone, embed, and delete the report from this menu.
2. Click More Info to view information about the report.
63
From the More Info menu, you can view and edit different properties of the report, including its schedule,
acceleration, permissions, and embedding.
3. Look at the time range picker, located at the upper left corner of the window.
With the Time range picker, you can change the time period to run this search. For example, you can use
this time range picker to run this search for the VIP Customer Week to date, Last 60 minutes, or Last 24
hours just by selecting the Preset time range or defining a custom time range.
Find and share reports
You can access your reports using the App bar.
1. Click Reports to open the Reports page and view the list of reports.
64
When you save a report, Sharing is set to Private. Only you can view and edit the report. You can allow
other apps to view, edit, or both view and edit the report by changing the report permission.
2. For the VIP Customer report, under Actions click Edit.
3. Select Edit Permissions.
4. In the Edit Permissions dialog box, set Display For to App.

The display expands to show more settings.
5. For Everyone, mark the check box under Read.
This action gives everyone who has access to this app the permission to view the report.
6. Click Save.
The Reports page appears. The Sharing setting for the VIP Customer report now reads App instead of
Private.
65
Next step
Learn more about searches, charts, and reports.
See also
In the Reporting Manual
About reports
Accelerate reports
Search, chart, and report examples

Let's explore some other search examples, work with chart visualizations, and save the searches as reports.
Prerequisite
These examples require the productName field from the Enabling field lookups section. You must complete all of those
steps before continuing with this section.
Example: Compare counts of user actions
In this example you will calculate information about the actions customers have taken on the online store website.
• The number of times each product is viewed

• The number of times each product is added to the cart
• The number of times each product is purchased
Steps

sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS
addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS
"Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"
This search uses the chart command to count the number of events that are action=purchase and
action=addtocart. The search then uses the rename command to rename the fields that appear in the
results.
The chart command is a transforming command. The results of the search appear on the Statistics tab.
66
3. Click the Visualization tab. The search results appear in a Pie chart.
4. Change the display to a Column chart.
67
Example: Overlay Actions and Conversion Rates on one chart
In this example, you will use the stats command to count the user actions. The eval command is used to calculate the
conversion rates for those actions. For example, how often someone who viewed a product added the product to their
cart.

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS
addtocart count(eval(action="purchase")) AS purchases by productName | eval
viewsToPurchases=(purchases/views)*100 | eval cartToPurchases=(purchases/addtocart)*100 |
table productName views addtocart purchases viewsToPurchases cartToPurchases | rename
productName AS "Product Name", views AS "Views", addtocart as "Adds To Cart", purchases AS
"Purchases"
The eval command is used to define two new fields. These fields contain the conversion rates.
♦ The viewToPurchases field calculates the number of customers who viewed the product to the number
of customers who purchased the product. The calculation returns a percentage.
♦ The cartToPurchases field calculates the number of customers who added the product to their cart to
the number of customers who purchased the product. The calculation returns a percentage.
68
The next few steps reformat the chart visualization to overlay the two data series for the conversion rates,
onto the three data series for the actions.
This is the same chart as in Example 1, with two additional data series, viewsToPurchase and
cartToPurchase.
4. Click Format and X-Axis.

Because the labels on the X-Axis are difficult to read, let's fix that.
1. Rotate the label -45 degrees.

2. For Label Truncation, click No.
3. Close the Format dialog box.
Notice the change in the labels on the X-Axis. Look at the numbers on the Y-Axis. They range
from 1000 to 3000.
5. Click Format and Y-Axis.
To make the chart easier to read, add a label and specify different number intervals on the Y-Axis.
1. For Title, choose Custom and type Actions.
2. For Interval type 500.
3. For Max Value type 2500.
69
4. Close the Format dialog box. Notice the label and values on the Y-Axis.
6. Click Format and Chart Overlay.
To separate the actions (views, adds to cart, and purchases) from the conversion rates
(viewToPurchases and cartToPurchases), you can overly one set of values over another set. In this
example you will overlay the conversion rates over the actions.
1. For Overlay, click inside the box and select viewsToPurchase. Click inside the box again and select
cartToPurchase.
2. For View as Axis, click On.
3. For Title, choose Custom
4. Type Conversion Rates.

5. For Scale, click Linear.
6. For the Interval type 20. For the Max Value type 100.
70
The axis on the right side of the chart is called the second Y-Axis. The label and values for the
line series appear on this axis.
7. Click Save As and select Report.
1. In the Save Report As dialog box, for Title type Comparison of Actions and Conversion Rates by
Product.
2. For Description, type The number of times a product is viewed, added to cart, and purchased and
the rates of purchases from these actions.
8. Click Save
9. In the confirmation dialog box, click View.
Example: Products purchased over time
Create a report that charts the number of purchases that were completed for each item.

sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull=f
useother=f
This search uses the count() function to count the number of events that have the field action=purchase.
The search also uses the usenull and useother arguments to ensure that the timechart command only
counts events that have a value for productName.
The following table appears on the Statistics tab.
71
4. Change the chart type to a Line chart.
5. In the Format drop-down list, format the X-Axis, Y-Axis, and Legend to produce the following chart
This table lists the changes made to the chart.

Chart changes Setting or value
Chart type Line
X-Axis CustomTitle Date
X-Axis Labels -45 degree angle
Y-Axis Custom Title Purchases
Y-Axis Interval 10
Legend Position Top

72
1. In the Save Report As dialog box, for Title type Product Purchases over Time.
2. For Description, type The number of purchases for each product.
3. For Content, select Line Chart and Statistics Table.
4. For Time Range Picker, keep the default setting Yes.
7. Click Save.
8. In the confirmation dialog box, click View to see the report.
Example: Purchasing trends
This example uses sparkline charts to show trends in the number of purchases made over time.
Sparklines are inline charts that appear in the search results table and are designed to display time-based trends
associated with the primary key of each row. For searches that use the stats and chart commands, you can add
sparkline charts to the results tables.

sourcetype=access_* status=200 action=purchase| chart sparkline(count) AS "Purchases Trend"
count AS Total by categoryId | rename categoryId AS "Category"
This search uses the chart command to count the number of purchases by using action="purchase".
The search specifies the purchases made for each product by using categoryId. The difference is that
the count of purchases is now an argument of the sparkline() function.
73
4. In the Save Report As dialog box, for Title type Purchasing trends.
5. For Description, type Count of purchases with trending.
6. Click Save.
7. In the confirmation dialog box, click View.
74
Next step
Up to now, you have saved searches as Reports. Continue to Part 7: Creating dashboards, where you learn how to save
searches and reports as dashboard panels.
See also
chart command in the Search Reference

Transforming commands in the Search Manual
Add sparklines to your search results in the Search Manual
75
Part 7: Creating dashboards
About dashboards
Dashboards are views that are made up of panels. The panels can contain modules such as search boxes, fields, charts,
tables, and lists. Dashboard panels are usually connected to reports.
After you create a search visualization or save a report, you can add it to a new or existing dashboard. There is also a
Dashboard Editor that you can use to create and edit dashboards. The Dashboard Editor is useful when you have a set of
saved reports that you want to quickly add to a dashboard.
Here is an example of dashboard.
76
Change dashboard permissions
You can grant access to a dashboard from the Dashboard Editor. However, your user role and capabilities defined for that
role might limit the type of access you can define.
If your Splunk user role is admin (with the default set of capabilities), then you can create dashboards that are private,
visible in a specific app, or visible in all apps. You can also provide access to other Splunk user roles, such as user,
admin, and other roles with specific capabilities.
Change dashboard panel visualizations
After you create a panel with the Dashboard Editor, use the Visualization Editor to change the visualization type in the
panel, and to specify how the visualization displays and behaves.
Edit the XML configuration of a dashboard
You can edit the panels in a dashboard by editing the XML configuration for the dashboard. This provides access to
features not available from the Dashboard Editor. For example, you can edit the XML configuration to change the name of
dashboard, or you can specify a custom number of rows in a table.
Next step
Now let's create dashboards and dashboard panels that are based on searches and reports.
See also
In Dashboards and Visualizations:
Dashboards Quick Reference Guide

Visualization reference
Data structure requirements for visualizations
In the Admin Manual:
Manage knowledge object permissions
Create dashboards and panels

In this section, you will save a search as a dashboard panel and add an input element to the dashboard.
Save a search as a dashboard panel

sourcetype=access_* status=200 action=purchase | top categoryId
77
3. Click the Visualization tab. The displays shows a Line Chart.
4. Change the Line Chart to Pie Chart.
5. Click Save As and select Dashboard Panel.

6. Define a new dashboard and dashboard panel.
1. For Dashboard, click New.
2. For Dashboard Title, type Buttercup Games - Purchases.
The Dashboard ID field displays buttercup_games__purchases.
3. For Dashboard Description, type Reports on Buttercup Games purchases data.
4. For Dashboard Permissions, keep the default setting Private.
5. For Panel Title, type Top Purchases by Category.
6. For Panel Powered By, keep the default setting Inline search.
7. For Panel Content, keep the setting for Pie Chart.
78
7. Click Save.
8. In the confirmation dialog box, click View Dashboard.
You now have a dashboard with one report panel. To add more report panels, you can either run new searches and save
them to this dashboard, or you can add saved reports to this dashboard. You will add more panels to this dashboard in
the next section.
For now, let's spend a little bit more time on this dashboard panel.
View and edit dashboard panels
There is a separate view to see a list of the dashboards that you have access to. From this view, you can create
dashboards, and make changes to dashboards and dashboard panels.
1. Click Dashboards in the App bar to see the Dashboards view.
You might see a pop-up dialog box asking if you want to take a tour about dashboards. If you take the
tour, there is an option at the end of the tour to try dashboards yourself. This option displays the
Dashboards view.
79
2. For the Buttercup Games - Purchases dashboard, click the arrow ( > ) symbol in the i column to expand the
dashboard information.
You can see information about the app that this dashboard is associated with, whether or not the
dashboard is scheduled, and dashboard permissions.
Add controls to a dashboard
You can add input controls, such as the Time range picker, to dashboard panels.
1. In the Dashboards list, click Buttercup Games - Purchases to display that dashboard.
2. Click Edit.
80
You can either edit the dashboard using the UI or the Source. With the UI option you can add panels and
inputs to the dashboard.
• Use the Add Panel option to create a new panel, add a report as a panel, or clone from an existing dashboard.
• Use the Add Input option to choose from a list of controls to add to the dashboard, including text, a checkbox,
and a time range picker.
With the Source option, you can edit the XML source for the panel directly. Editing the source directly is not
discussed in this tutorial.
• This panel does not have a time range picker. Let's add one. Click Add Input, and select Time.
81
The Time range picker input control appears on the dashboard.
• Click the Edit Input icon for the Time range picker. The icon looks like a pencil.
This opens a set of input controls. The Time input type is selected.
1. For Label, type Time range

2. For Token, replace field 1 type BG_Purchases_Time_Range.
The controls that you add to a dashboard have identifiers called input tokens. This step redefines the
name of the input token for the Time range picker. The default names for input tokens are field1, field2,
field3, and so on. You can change the input tokens when you add controls to your dashboard. Naming
the tokens makes it easier to understand which input you are working with. In this example you used a
token name that includes the a short version of the dashboard title.
3. For Default, change the default time range to Previous week.
4. Click Apply.
The input controls that you add to a dashboard are independent from the dashboard panels. If you want
the chart on the panel to refresh when you change the time range, you need to connect the dashboard
panel to the Time range picker input control.
• In the dashboard panel, click the Inline Search icon.
82
• Click Edit Search.
• In the Edit Search dialog box, for Time Range Scope select Shared Time Picker (BG_Purchases_Time_Range).
83
• Click Apply.
• Click Save to save the changes to the dashboard.
The panel is now connected to the Time range picker input control in the dashboard. This Time range picker is
referred to as the shared Time range picker. The inline search that powers the panel now uses the time range
that is specified in the shared Time range picker.
You can have dashboards that contain a mix of panels. Panels that are connected to the shared Time range picker,
and panels that show data for the time range specified in the search that the panel is based on. You will learn more
about connecting other panels to the shared time picker in the next section.
Next step
Learn about adding more panels to a dashboard.
See also
About the Dashboard Editor in Dashboards and Visualizations
Add more panels to dashboards

Earlier in this tutorial you ran searches and saved them as reports. In this section, you add the saved reports to an
existing dashboard.
Add saved reports to a dashboard
Prerequisite
Ensure that you have the Buttercup Games - Purchases dashboard displayed, which you created in the task Create
dashboards and panels.
Steps
84
1. To display a list of your dashboards, click Dashboards on the Apps bar and select the Buttercup Games -
Purchases dashboard.
2. Click Edit. The Edit Dashboard page opens.

3. Click Add Panel.
The Add Panel sidebar menu opens on the right side of the window.
4. To add a new panel from a report, click New from Report.

The list of the reports that you saved opens. The list also shows some built-in reports, such as Errors in
the last hour.
85
5. Select Purchasing trends.
A preview of the report appears. This is the sparkline chart report that you created.
86
6. Click Add to Dashboard.
The new panel is placed at the bottom of the dashboard. The Add Panel sidebar menu is still on the
screen.
7. Select the report Comparison of Actions and Conversion Rates by Product and add it to the dashboard.
8. Close the Add Panel sidebar.

9.
10. Rearrange the panels on the dashboard.
Drag and drop a panel by the panel drag and drop bar, which is at the top of the panel. When you drag a
panel, a four pointed arrow symbol appears on the drag and drop bar.
87
11. In the Edit Dashboards window, click Save to save your changes to the dashboard.
Your finished dashboard should look like the following image.
When you add more panels to a dashboard, you can connect the panels to the shared Time range picker. Repeat the
Inline Search > Edit Search steps in Add controls to a dashboard.
Adding a search to an existing dashboard
You can save an ad hoc search as a panel in an existing dashboard.
In the Enabling field lookups section in this tutorial, you created the prices_lookup. Let's use that lookup to run the
following search.
1. Click Search in the Apps bar to start a new search.

2. Make sure that the time range is set to All time.
3. Run the following search to determine the VIP client and the products that the client purchased.

dc(productId) AS "Total Products", values(productName) AS "Product Names" BY clientip | rename
clientip AS "VIP Customer"
88
4. Click Save As and choose Dashboard panel.
5. For Dashboard, click Existing and select Buttercup Games - Purchases.
6. For Panel title, type VIP Client Purchases.
7. Click Save.
8. Click View Dashboard.
9. Click Edit.
10. In the dashboard editor, drag the VIP Client Purchases panel next to the Top Purchases by Category pie chart.
11. Click Save.
89
Connecting panels to a shared Time Range Picker
The type of panel that you add to a dashboard determines whether you can connect the panel to the shared Time Range
Picker.
The Buttercup Games - Purchases dashboard now contains the panels listed in the following table.
Panel name Panel source

Top Purchases by Category Ad hoc search
Purchasing Trends Report
Comparison of Actions and Conversion Rates by Product Report
VIP Client Purchases Ad hoc search

If the panel is based on an ad hoc search, you can connect the panel to the shared Time Range Picker. If the panel is a
report, you cannot connect it to the shared Time Range Picker. Reports can be scheduled to run at a set time interval.
To connect the VIP Client Purchases panel to the shared Time Range Picker:
1. In the dashboard panel click the Edit Search icon. The icon looks like a magnifying glass.
2. In the Edit Search dialog box, for Time range select Shared Time Picker (BG_Purchases_Time_Range).
3. Click Apply.
4. In the Edit Dashboard window, click Save to save the changes to the dashboard.
The VIP Client Purchases panel is now connected to the Time range picker input on the dashboard.
When you change the time range on the dashboard, the panels that are connected to the shared Time Range Picker are
updated. The searches that the panels are based on are run again to refresh the panels.
More dashboard actions
After you complete the dashboard, use the buttons in the upper right corner to take actions on the dashboard, such as:
• Export the dashboard

• Convert the dashboard to HTML
• Edit the permissions to share the dashboard with other users
Next step
Congratulations! You have completed the Search Tutorial.
To learn more, see Additional Resources.
90
You can continue to use the tutorial data, run more searches, and create more dashboards.
The following sections provide additional information and links.
Splunk Community
The Splunk Community is amazing and full of very active members who are supportive of new users. You can search for
solutions or ask questions on Splunk Answers, connect with helpful and fun Splunk enthusiasts through chat groups, or
meet users in your local area at User Groups near you. The Community portal has everything you need to discover how to
set yourself up for success with the Splunk Community.
Search resources
This tutorial was a brief introduction to navigating the search interface and using the search language. It walked you
through running some basic searches and saving the results as a report and dashboard, but you can do much more with
the Splunk software. For more details, see the following manuals:
• Search Manual: Explains how to search and use the Splunk Search Processing Language (SPLâ¢). Look here
for more thorough examples of writing Splunk searches to calculate statistics, evaluate fields, and report on
search results.
• Search Reference: Provides a reference for users who are looking for a catalog of the search commands with
complete syntax, descriptions, and examples for usage.
Splunk documentation
Splunk has a wide range of documentation, including tutorials, use cases, and manuals for administrators, developers,
and users, as well as SDK and SPL command syntax documentation.
There are separate manuals for searches, dashboards and visualizations, reports, pivots, and alerts.
You will find all of the information on the Splunk Documentation site.
Quick References
Splunk Quick Reference Guide

Contains information about fundamental concepts, features, and components in Splunk software. The guide also
includes explanations and examples of common search commands and functions.
Dashboards Quick Reference Guide
Provides an overview of the most common operations, definitions, and commands that you will use when you
create dashboards and visualizations.
Splunk Enterprise system requirements
The Search Tutorial presents a snapshot of the Splunk Enterprise system requirements. For an explanation of the
91
requirements, see System Requirements in the Installation Manual.
Accessing your data
To learn more about the types of data you can add and using apps to index data, see Get started with getting data in in
the Getting data In manual.
Education
To learn more about Splunk features and how to use them, see the Splunk selection of Education videos and classes.
Send us feedback
At the bottom of every page of this tutorial, and all of the Splunk documentation, is a quick form that you can use to send
us feedback.
92

Splunk-6 5 7-SearchTutorial

Uploaded by

Copyright:

Available Formats

Splunk-6 5 7-SearchTutorial

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Splunk-6 5 7-SearchTutorial

Uploaded by

Copyright:

Available Formats

Splunk® Enterprise

Search Tutorial 6.5.7

Copyright (c) 2022 Splunk Inc. All Rights Reserved

Part 1: Getting started..........................................................................................................................................................3

Part 2: Uploading the tutorial data....................................................................................................................................14

Part 3: Using the Splunk Search App...............................................................................................................................21

Part 4: Searching the tutorial data....................................................................................................................................29

Part 5: Enriching events with lookups..............................................................................................................................49

Part 6: Creating reports and charts..................................................................................................................................62

Part 7: Creating dashboards..............................................................................................................................................76

About the Search Tutorial

Already have access to Splunk software?

What's in this tutorial?

How to use this tutorial

• Part 1: Getting started

See also sections

• The Splunk community

To get started, continue to What you need for this tutorial.

What you need for this tutorial

Create a splunk.com account

1. In a separate browser window, go to https://www.splunk.com/.

♦ To create an account, click Sign Up and complete the registration information.

After 15 days, the access to your Splunk Cloud Trial expires.

Requirement Minimum supported hardware capacity

Windows platforms 2-core 64-bit CPU at 2GHz or greater, 4GB RAM

Download the tutorial data files

1. Download the tutorialdata.zip file. Do not uncompress the file.

Access the Trial version of the Splunk software

For this tutorial, use the latest version of the software.

1. Confirm that you are not a robot.

2 installers. A compressed TAR (.tgz) file installer and a

You must install Splunk Enterprise.

System Requirements in the Installation Manual

Install Splunk Enterprise

• Linux installation instructions

Linux installation instructions

Install the Splunk Enterprise RPM

1. Use the CLI to install Splunk Enterprise.

Install the Splunk Enterprise DEB package

1. In the CLI, type dpkg -i splunk_package_name.deb.

Install the Splunk Enterprise tar file

Windows installation instructions

1. Navigate to the folder or directory where the installer is located.

Splunk Enterprise is installed by default into the \Program Files\Splunk directory.

Continue with the tutorial with Navigating Splunk Web.

Mac OS X installation instructions

1. Navigate to the folder or directory where the installer is located.

A Finder window that contains the splunk.pkg opens.

Start Splunk Enterprise and launch Splunk Web

Install on Linux in the Installation Manual.

Launch Splunk Web

• Start Splunk Enterprise on Linux

Useful CLI commands

Start Splunk Enterprise on Windows

Start Splunk Enterprise on Mac OS X

In Mac OS X, you can start Splunk Enterprise from the Finder.

Login to Splunk Web

The Splunk Web interface is at http://localhost:8000