Splunk Enterprise 6.0.

5
Search Tutorial
Generated: 9/02/2014 10:36 pm

Copyright (c) 2014 Splunk Inc. All Rights Reserved

 Table of Contents
Introduction..........................................................................................................1
About the Search Tutorial.........................................................................1

Part 1: Downloading and installing Splunk Enterprise....................................3

What you need for this tutorial..................................................................3
Install Splunk Enterprise on Linux, Windows, or Mac OS X......................4
Start Splunk Enterprise and launch Splunk Web......................................7

Part 2: Getting started with Splunk Enterprise...............................................11

About Splunk Home................................................................................11
Navigating Splunk Web...........................................................................13

Part 3: Getting data into Splunk Enterprise....................................................16

About getting data into Splunk Enterprise...............................................16
Get the tutorial data into Splunk..............................................................18

Part 4: Using Splunk Search.............................................................................22

About the Search dashboard..................................................................22
About the time range picker....................................................................25
About search actions and modes............................................................26
About the search results tabs..................................................................28

Part 5: Searching the tutorial data...................................................................32

Start searching........................................................................................32
Use fields to search.................................................................................34
Use the search language........................................................................38
Use a subsearch.....................................................................................42
Use field lookups.....................................................................................44

Part 6: Saving and sharing Reports.................................................................52

About saving and sharing reports...........................................................52
More searches and reports.....................................................................56

Part 7: Creating dashboards.............................................................................61

About dashboards...................................................................................61
Creating dashboards and dashboard panels..........................................62

i
 Table of Contents
Next steps...........................................................................................................67
More Splunk Search resources...............................................................67

ii
Introduction

About the Search Tutorial

Splunk Search is the primary interface for using Splunk Enterprise to run
searches, save reports, and create dashboards. This Search Tutorial is written
for the user who is new to Splunk Enterprise and the Splunk Search feature.

What's in this tutorial?

This manual guides the first user through adding data, searching the data, saving
the searches as reports, and creating dashboards. If you're new to Splunk
Search, this is the place to start.

• Part 1: Downloading and installing Splunk Enterprise takes you

through the steps to download, install, and start Splunk Enterprise on your
platform.
• Part 2: Getting started with Splunk Enterprise describes Splunk Web,
which is the interface for using Splunk Enterprise and Search.
• Part 3: Getting data into Splunk Enterprise walks you through adding
the tutorial data into Splunk Enterprise. The tutorial data, which is a
sample data set composed of web server and MySQL logs for a fictional
online game store, is included for download.
• Part 4: Using Splunk Search describes the parts of Splunk Web you
need to to run searches, including the search dashboards, the timerange
picker, search actions, and other options.
• Part 5: Searching the tutorial data teaches different ways to search and
includes using fields, using the search language, subsearches, and field
lookups.
• Part 6: Saving and sharing reports describes the steps to save and
share your searches as reports.
• Part 7: Creating dashboards discusses how to create dashboards
targeted to meet different business needs.

Make a PDF

For a PDF version of this manual, click the red Download the Search Tutorial
as PDF link below the table of contents on the left side of this page.

Note: Do not copy and paste searches directly from the PDF document into

1
Splunk Web. In some cases, doing so causes errors because of hidden
characters that are included in the PDF formatting.

2
Part 1: Downloading and installing Splunk
Enterprise

What you need for this tutorial

Before you can start this tutorial, download, install, and start Splunk Enterprise.

If you have access to a running Splunk server instance, skip this section and
start with Part 2: Getting started with Splunk.

System requirements

Splunk Enterprise runs on most computing platforms: Linux, UNIX, Windows, and
Mac OS. For this tutorial, you need a computer or laptop that meets the
specifications listed in the table.

Platform Minimum supported hardware capacity

Non-Windows platforms 1x1.4 GHz CPU, 1 GB RAM
Windows platforms Pentium 4 or equivalent at 2Ghz, 2GB RAM

After you install Splunk, access it using a web browser. Splunk 6.0+ supports the
latest versions of Firefox, Chrome, and Safari browsers.

This is a snapshot of the Splunk Enterprise system requirements. See the

"System Requirements" topic in the Installation manual.

Download the latest version of Splunk Enterprise

Download the latest version of Splunk Enterprise from the download page on
Splunk.com.

If you are not logged into Splunk.com, click the download package to go to a
registration form. If you do not have a Splunk.com account, sign up for one.

This tutorial focuses on Linux, Windows, and Mac OS X. The differences

between OS-specific functionality are mentioned throughout this tutorial.

3
 • Splunk provides three install options for Linux, an RPM download for
RedHat, a DEB package for Debian Linux, and a tar file installer. For this
tutorial, you can use any of these installers.
• Splunk provides two Windows installers, an MSI file and a compressed
zip file. For this tutorial, use the MSI file graphical installer.
• Splunk provides two Mac OS X installers, a DMG package and a tar file
installer. For this tutorial, use the DMG packaged graphical installer.

Splunk licenses

Splunk licenses limit the volume of data that your Splunk installation can index
in a single day. Splunk runs with either an Enterprise license or a Free license.
When you download Splunk for the first time, you get an Enterprise trial license
that expires after 60 days. This trial license entitles the server to 500PM per day
indexing volume and all of the Enterprise features. See more about "Types of
Splunk licenses" in the Admin manual.

Next steps

The remaining topics of this section take you through installing and starting
Splunk Enterprise.

Install Splunk Enterprise on Linux, Windows, or

Mac OS X
This topic provides brief installation instructions for the Linux, Windows, or Mac
OS X platform.

If you have problems installing Splunk Enterprise on one of these platforms or

you want to complete this tutorial on another supported OS, see the
"Step-by-step installation instructions" for that platform and continue to Part 2:
Getting started with Splunk.

Linux installation instructions

Splunk Enterprise provides three Linux installer options: an RPM, a DEB, and a
compressed .tar file. Installation instructions for each installer follows.

4
Note: You must have access to a command-line interface (CLI). When you type
in the installation commands, replace splunk_package_name with the file name of
Splunk Enterprise installer.

By default, Splunk Enterprise installs into the /opt/splunk directory on Linux.

To install the Splunk RPM,

1. Type the following into the CLI. Use the optional --prefix flag to install Splunk
into a different directory.

rpm -i --prefix=/opt/new_directory splunk_package_name.rpm

To install the Splunk DEB package,

1. Type the following into the CLI. You can only install the Splunk DEB into the
default /opt/splunk directory.

dpkg -i splunk_package_name.deb

To install Splunk using the compressed tar file,

1. Expand the file into the appropriate directory using the tar command. The
default install directory is /splunk in the current working directory. To install into a
specific directory, such as /opt/splunk, use the -C option.

tar xvzf splunk_package_name.tgz -C /opt

For detailed instructions about installing Splunk Enterprise on Linux, see the
"Step-by-step Linux installation instructions" in the Installation manual.

Windows installation instructions

Follow these steps to install Splunk Enterprise using the MSI graphical installer.

1. To start the installer, double-click the splunk.msi file.

2. In the Welcome panel, click Next.

3. Read the licensing agreement and select "I accept the terms in the license
agreement" check box.

5
4. Click Next.

5. In Customer Information, enter the requested details and click Next.

6. In the Destination Folder panel, click Change... to specify a different location,

or click Next to accept the default value.

Splunk Enterprise is installed by default into the \Program Files\Splunk

directory.

7. In the Logon Information panel, select Local system user and click Next.

To learn about the other user option, see the instructions for "installing Splunk
Enterprise on Windows" in the Installation manual.

8. After you specify a user, the pre-installation summary panel appears. Click
Install.

9. In the Installation Complete panel, select the Launch browser with Splunk
and Create Start Menu Shortcut check boxes

10. Click Finish.

The installation finishes, Splunk Enterprise starts, and Splunk Web launches in a
supported browser.

Mac OS X installation instructions

Follow these steps to install Splunk using the DMG graphical installer.

1. Navigate to the folder or directory where the installer is located.

2. Double-click on the DMG file.

A Finder window containing splunk.pkg opens.

3. Double-click on splunk.pkg.

The Splunk installer opens and displays the Introduction, which lists version and
copyright information.

4. Click Continue.

6
The Select a Destination window opens.

5. Choose a location to install Splunk.

• To install in the default directory, /Applications/splunk, click the hard

drive icon.
• To select a different location, click Choose Folder.

6. Click Continue.

The pre-installation summary appears. I

7. (Optional) To make changes, do one of the following actions.

• Click Change Install Location to choose a new folder.

• Click Back to go back a step.

8. Click Install.

Your installation begins.

8. When your install finishes, click Finish.

The installer places a shortcut on the Desktop.

Next steps

Continue to "Start Splunk Enterprise and launch Splunk Web" to start Splunk.

Start Splunk Enterprise and launch Splunk Web

You downloaded and installed Splunk Enterprise. This topic explains how to start
Splunk Enterprise and launch Splunk Web.

About starting Splunk Enterprise

When you start Splunk Enterprise, you start two processes, splunkd and
splunkweb.

• splunkd is a distributed C/C++ server that accesses, processes, and

indexes streaming machine data and handles search requests.

7
 • splunkweb is a Python-based application server that provides the Splunk
Web interface that you use to search and navigate your machine data and
manage your Splunk deployment.

After you start Splunk Enterprise, accept the license agreement and use a
supported web browser to access Splunk Web.

Start Splunk Enterprise on Windows

After the Windows installation finishes, Splunk Enterprise starts and launches
Splunk Web in a supported browser. If Splunk Enterprise did not start, you have
the following options:

• Start Splunk Enterprise from the Start menu.

• Use the Windows Services Manager to start and stop splunkd and
splunkweb.
• Open a cmd window, go to \Program Files\Splunk\bin, and type

> splunk start

Start Splunk Enterprise on Linux

After you install Splunk Enterprise, use the Splunk CLI to start it. Simplify the CLI
access by adding a SPLUNK_HOME environment variable for the top level
installation directory and adding $SPLUNK_HOME/bin to your shell's path.

If you installed in the default location for Linux, your export path should look like
this:

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH
For information on how to access the CLI, see "About the CLI" in the Admin
manual.

To start Splunk:

1. Type:

$SPLUNK_HOME/bin/splunk start

8
Accept the Splunk Enterprise License

After you run the start command, Splunk Enterprise displays the license
agreement and prompts you to accept the license before the startup sequence
continues.

If you have problems starting Splunk Enterprise, see "Start Splunk Enterprise for
the first time" in the Installation manual.

Other commands you might need

If you need to stop, restart, or check the status of your Splunk Enterprise server,
use these CLI commands:

$ splunk stop
$ splunk restart
$ splunk status
Start Splunk Enterprise on Mac OS X

In Mac OS X, you can start Splunk Enterprise from the Finder.

1. Double-click the Splunk icon on the Desktop to launch the Splunk helper
application, entitled "Splunk's Little Helper".

The first time you run the helper application, it notifies you that it needs to
perform a brief initialization.

2. Click OK to allow Splunk to initialize and set up the trial license.

After the helper application loads, it displays a dialog box with several options:

• Start and Show Splunk: This option starts Splunk Enterprise and directs
your web browser to open a page to Splunk Web.
• Only Start Splunk: This option starts Splunk Enterprise, but does not
open Splunk Web in a browser.
• Cancel: Tells the helper application to quit. This action does not affect the
Splunk Enterprise instance itself, only the helper application.

After you make your choice, the helper application performs the requested
application and stops. Run the helper application again to either show Splunk
Web or stop Splunk Enterprise.

9
Use the helper application to stop Splunk Enterprise if it is running.

Launch Splunk Web

At the end of the startup sequence, Splunk gives you a message about where to
access Splunk Web:

The Splunk Web interface is at http://localhost:8000

Splunk Web runs by default on port 8000 of the host on which it is installed. If
you use Splunk on your local machine, the URL to access Splunk Web is
http://localhost:8000.

If you use an Enterprise license, when you launch Splunk Enterprise for the first
time, this login screen appears. Follow the message to authenticate with the
default credentials.

If you are using a Free license, you do not need to authenticate to use Splunk
Enterprise. In this case, when you start Splunk Enterprise you do not see this
login screen. Instead, you go directly to Splunk Home or whatever is set as the
default app for your account.

When you sign in with your default password, Splunk asks you to create a new
password. You can either skip this or change your password to continue.

The first page you see is Splunk Home.

Next steps

This completes Part 1 of the Search Tutorial. Continue to Part 2: Getting started
with Splunk.

10
Part 2: Getting started with Splunk
Enterprise

About Splunk Home

Splunk Home is your interactive portal to the apps and data accessible from this
Splunk instance. The main parts of Home include a search bar and three panels:
Apps, Data, and Help.

Finding Splunk Home

If this is a new installation, Splunk Home is the first page that you see when you
log into Splunk for the first time. Otherwise, your account might be configured to
start in another view such as Search or Pivot in the Search & Reporting app.

You can return to Splunk Home from any other view by clicking the Splunk logo
at the top left in Splunk Web.

11
App search bar

The app search bar is a shortcut that lets you run a search in a specified app
context, without clicking through to the app. It is similar to the standard Splunk
search bar and includes a time range picker. It also includes an App menu that
lets you select the app context in which to run your search.

Apps and workspaces

In the Apps panel, you will see workspaces for the apps that are installed on your
Splunk server that you have permission to view. The workspace displays a menu
of the views and objects in the app context. Select the App to open it or select a
content page listed in the workspace to go directly to that view.

For an out-of-the-box Splunk Enterprise installation, you see one App in the
workspace. When you have more than one app, you can drag and drop the apps
within the workspace to rearrange them.

Discover new apps or manage existing apps by clicking the buttons at the bottom
of the panel:

• Find more apps to install on Splunk.

• Manage apps already installed on Splunk.

Data panel

The Data panel is a shortcut to add new data and manage your data inputs.
When you have data in Splunk, you can see a brief summary of it in the Data
panel.

12
The Data panel displays statistical data about events indexed by the local Splunk
Enterprise instance. It shows how long ago data was indexed earliest and latest
and the volume of data you have in this instance.

Help panel

The Help panel provides links to pages that help you learn how to use Splunk
Enterprise, including video tutorials, the Splunk Answers forums, the Splunk
Support portal, and Splunk Enterprise online documentation.

Next steps

Continue to the next topic to learn how to navigate your Splunk instance.

Navigating Splunk Web

The Splunk bar, which is the black bar at the top of Splunk Web, gives you
answers to these questions:

• What other pages are there in Splunk Web?

• How do you view or change the system configurations?
• How do you edit account settings or log out?

This topic discusses how to use the Splunk bar to navigate Splunk Web.

Use the Splunk bar

The Splunk bar lets you navigate your Splunk instance. It is common to every
page in Splunk. You can use it to switch between apps, manage and edit your
Splunk configuration, view system-level messages, and monitor the progress of
search jobs.

13
Return to Splunk Home

Click the Splunk logo on the navigation bar to return to Splunk Home from any
other view in Splunk Web.

Apps menu

The Apps menu lists the apps that you have permission to view and run. You can
Find more apps and Manage apps from this menu.

Settings menu

The Settings menu lists the configuration pages for Knowledge objects,
Distributed environment settings, System and licensing, Data, and Authentication
settings. If you don't see some of these options, you do not have the permissions
to view or edit them.

User menu

The User menu here is called "Administrator" because that is the default user
name for a new installation. You can change this display name by selecting Edit
account. You can also change the time zone settings, select a default app for
this account, and change your password. The User menu is also where you

14
Logout of Splunk.

Messages menu

All system-level error messages are listed here. You see a notification (in red)
when there is a new message to review. Click the X to remove the message.

Activity menu

The Activity menu lists shortcuts to the Jobs, Triggered alerts, and System
Activity views.

• Click Jobs to open the search jobs manager window, where you can view
and manage currently running searches.
• Click Triggered Alerts to view scheduled alerts that are triggered. This
tutorial does not discuss saving and scheduling alerts. See "About alerts"
in the Alerting Manual.
• Click System Activity to see Dashboards about user activity and status of
the system.

Help

Click Help to see links to Video Tutorials, Splunk Answers, the Splunk Support
Portal, and online Documentation.

Next steps

Now that you are more familiar with Splunk Web, add some data to Splunk
Enterprise.

15
Part 3: Getting data into Splunk Enterprise

About getting data into Splunk Enterprise

Before you can use Splunk Enterprise, you need to add data to it. When the data
source is defined, Splunk Enterprise begins to index the data stream and
transform it into a series of individual events that you can view and search. If the
results are not what you want, tweak the indexing process until you are satisfied.

This topic is a brief overview of the types of data that you can add to Splunk, the
ways to get that data into Splunk, and where Splunk stores that data after you
add it.

What kinds of data?

Splunk Enterprise works with any data. In particular, all IT streaming and
historical data. This data is from event logs, web logs, live application logs,
network feeds, system metrics, change monitoring, message queues, archive
files, and so on.

The data can be on the same machine as the Splunk indexer (local data), or it
can be on another machine (remote data). For information on local versus
remote data, see "Where is my data?" in the Getting Data In manual.

In general, categorize input sources as follows:

• Files and directories: A lot of data you might be interested in comes

directly from files and directories.
• Network events: Splunk can index remote data from any network port
and SNMP events from remote devices.
• Window sources: The Windows version of Splunk includes a wide range
of Windows-specific inputs, including Windows Event Log, Windows
Registry, WMI, Active Directory, and Performance monitoring.
• Other sources: Splunk also supports other input sources, such as FIFO
queues and scripted inputs for getting data from APIs and other remote
data interfaces.

For information about data and Splunk Enterprise, see "What Splunk can index"
in the Getting Data In manual.

16
How to specify data inputs

You add new types of data to Splunk by defining the input sources. There are a
number of ways to do this:

• Splunk Web. You can configure most inputs using the Splunk Web data
input pages. These views provide a GUI-based approach to configuring
inputs. Use this method to add the tutorial data into Splunk.
• Apps. Splunk has a large variety of apps and add-ons that offer
preconfigured inputs for types of data sources. For more information, see
"Use apps."
• Splunk's CLI. You can use the CLI (command line interface) to configure
most types of inputs. See "Use the CLI."
• The inputs.conf configuration file. When you specify your inputs with
Splunk Web or the CLI, the configurations are saved in an inputs.conf file.
To handle some advanced data input requirements, you might need to edit
that file directly. See "Edit inputs.conf" in the Getting Data In manual.

For more information on configuring inputs, see "Configure your inputs" in the
Getting Data In manual.

Where Splunk stores data

A Splunk data repository is called an index. During indexing (or event

processing), Splunk processes the incoming data stream to enable fast search
and analysis, storing the results in the index as events.

Events are stored in the index as a group of files that fall into two categories:

• Rawdata, which is the raw data in a compressed form.

• Index files and some metadata files that point to the raw data.

These files reside in sets of directories, called buckets, organized by age. For
information, see "How Splunk stores indexes" in the Managing Indexers and
Clusters manual.

Splunk, by default, puts all user data into a single, preconfigured index. It also
uses several other indexes for internal purposes. You can add new indexes and
manage existing ones to meet your data requirements. See "About managing
indexes" in the Managing Indexers and Clusters manual.

17
Next steps

Now that you're more familiar with Splunk data inputs and indexes, see "Get the
tutorial data into Splunk Enterprise."

Get the tutorial data into Splunk

This topic walks you through downloading the tutorial data set and adding it into
Splunk Enterprise. You can complete this tutorial in several hours, but if you want
to spread it out over a few days, download a new sample data file and add it.

Download the sample data file

Download but do not uncompress the tutorial data file here:

http://www.splunk.com/base/images/Tutorial/tutorialdata.zip

This tutorial data file is updated daily and shows events timestamped for the
previous 7 days.

Add the sample data into Splunk Enterprise

1. Log into Splunk.

If you're not in Splunk Home, click the Splunk logo on the Splunk bar.

2. In the Data panel, click Add data.

The Add data window opens, which provides a list of data types and sources that
you can select from. The tutorial data is a compressed file source.

18
3. Under Or Choose a Data Source, click From files or directories.

The Data preview dialog box opens, which lets you preview the data before you
add it to a Splunk index. For this tutorial, you do not do this. To read more about
data preview, see "Overview of data preview" in the Getting Data In manual.

4. Select Skip preview and click Continue.

This takes you to Add new Fields & directories view, where you tell Splunk how
to access the data source.

5. Under Source, select Upload and index a file and browse for the tutorial data
file, tutorialdata.zip.

19
The source of a file or directory is the full pathname to the file or directory.

6. Select More settings.

The More settings option lets you override the default settings for Host, Source
type, and Index. For this tutorial, you need to modify the host settings to assign
host names to the events based on the file's location in the compressed file.

6.1. Select Segment in path from the menu.

6.2. Type in 1 for the segment number.

7. Click Save.

A message appears saying the upload was successful.

8. Click the Splunk logo on the Splunk bar to return to Home.

The Data panel in Home displays a summary of the data you added. If you do not
have other data in your Splunk index, the data panel looks like this:

20
Data summary

This compressed tutorial data includes events generated for a fictitious online
game store, Buttercup Games. There are five hosts and eight sources. The
events represent data from three source types:

• Apache web server logs

• Secure server logs
• Global sales vendors

Next steps

Now that you added the tutorial data, learn about the Search app and start
searching the tutorial data.

21
Part 4: Using Splunk Search

About the Search dashboard

In the previous chapter, you learned about the types of data Splunk Enterprise
works with, downloaded the tutorial sample data, and added the data into your
Splunk index. This chapter familiarizes you with Splunk Search. There are a few
things to cover before you start searching the sample data.

Find Splunk Search

If your are in Splunk Home, look for the Search & Reporting app and click
Search. This takes you to the Search landing page.

Before you run a search...

Before you run a search, the main parts of Search are the search bar, the time
range picker, the How to search panel, and the What to search panel.

Search bar

Use the search bar to run your searches in Splunk Web. Type in your search
string and hit enter or click the spyglass icon to the right of the time range picker.

Time range picker

Use the time range picker to retrieve events over a specific time period. For
real-time searches you can specify a window over which to retrieve events. For
historical searches, you can restrict your search by specifying a relative time
range (15 minutes ago, Yesterday, and so on) or a specific date and time range.
The time range picker has many preset time ranges that you can select from, but

22
you can also enter a custom time range.

The time range picker is discussed in detail in, "About the time range picker".

How to search

The "How to search" panel links you to the Search Tutorial and Search Manual to
learn about how to write searches.

What to search

The "What to search" panel displays a summary of the data that is installed on
this Splunk instance and that you are authorized to view. To see this data, click
Data Summary.

The Data Summary dialog box opens, which displays three tabs: Hosts, Sources,
Sourcetypes.

The host of an event is typically the host name, IP address, or fully qualified
domain name of the network machine from which the event originated.

The source of an event is the file or directory path, network port, or script from
which the event originated.

The source type of an event tells you what kind of data it is, usually based on
how it's formatted. This classification lets you search for the same type of data

23
across multiple sources and hosts.

For information about how Splunk Enterprise source types your data, read "Why
source types matter" in the Getting Data In manual.

After you run a search

Type the following into the searchbar:

buttercupgames
The New Search page opens. The search bar and time range picker are still
available in this view, but the dashboard updates with many more elements:
search action buttons and search mode selector; counts of events; job status bar;
and tabs for Events, Statistics, and Visualizations.

The next topics in this chapter discuss each of these parts of the Search view.

Next steps

Continue reading to learn about restricting searches to a time range.

24
About the time range picker
The time range picker lets you set time boundaries on your searches. You can
restrict the search to Preset time ranges, custom Relative time ranges, and
custom Real-time ranges or specify a Date Range or a Date & Time Range.

For this tutorial, you will select from the time range Presets and define custom
Relative time ranges.

Time range presets

The time range picker Presets are a set of time ranges that are defined in Splunk
Enterprise out-of-the-box.

By default, the time range for a search is set to All time. Usually, when you run a
search over large volumes of data, you see faster results if you run the search
over a smaller time period. To change the default time range for your searches,
see "Change the default selected time range" in the Search manual.

When troubleshooting an issue where you know the ballpark range for when the
issue occurred, narrow the time range of the search to that time period. For
example, if you are investigating an incident that occurred yesterday, you select
Yesterday or Last 24 hours. If you're investigating an incident that occurred 10
minutes ago, you select Last 15 minutes or Last 60 minutes.

Custom time ranges

If one of the Presets is not what you want, you can define a custom time range,
such as a Relative time range or a Date & Time Range.

25
If you are interested in events in the last two hours, you can specify it with the
Relative time range option.

For example, you can specify the earliest time to read "2 Hours Ago" and latest
time to be either "now" or "Beginning of the current hour".

You can narrow down more precisely into the time range when you specify a
Date & Time Range.

For example, if you are interested in events that occurred on September 30th at
8:42 PM. You can specify the earliest time to be 09/30/2013 08:40:00.000 and
the latest time to be 09/30/2013 08:45:00.000.

Next steps

Continue reading to learn about search actions and search modes.

About search actions and modes

This topic explains search actions and search modes that you can use to control
your search experience.

26
Control search job progress

After you launch a search, you can access and manage information about the
search's job without leaving the Search page. Click Job and choose from the
available options there.

You can:

• Edit the job settings. Select this option to open the Job Settings dialog
box, where you can change the job's read permissions, extend the job's
lifespan, and get a URL for the job that you can use to share the job with
others or put a link to the job in your browser's bookmark bar.
• Send the job to the background. Select this option if the search job is
slow and you want to run the job in the background while you work on
other Splunk Enterprise activities (including running a new search job).
• Inspect the job. Opens a separate window and displays information and
metrics for the search job using the Search Job Inspector.
• Delete the job. Use this option to delete a job that is running, is paused,
or which has finalized. After you delete the job, you can save the search
as a report.

See "Saving and sharing jobs in Splunk Web" in the Knowledge Manager
manual.

Change the search mode

The Search mode controls the search experience. You can set it to speed up
searches by cutting down on the event data it returns (Fast mode), or you can set
it to return as much event information as possible (Verbose mode). In Smart
mode (the default setting) it toggles search behavior based on the type of search
you're running.

27
See "Set search mode to adjust your search experience" in the Search manual.

Save the results

The Save as menu lists options for saving the results of a search as a Report,
Dashboard Panel, Alert, and Event type.

Other search actions

Between the job progress controls and search mode selector you can Share,
Export, and Print the results of a search.

• The Share options shares the search job. This option extends the job's
lifetime to seven days and set the read permissions to Everyone.
• The Export option exports the results. Select this option to output to CSV,
raw events, XML, or JSON and specify the number of results to export.
• The Print option sends the results to a printer that has been configured.

Use the Close button to cancel the search and return to Splunk Home.

Next steps

Continue to the next topic for a discussion about the format of the search results.

About the search results tabs

28
This search discusses the three search results tabs: Events, Statistics, and
Visualizations.

When you run a search, the types of search commands you use affects which
search results tab get populated. If your search retrieves events, you can view
the results in the Events tab, but not in the other tabs. If your search includes
transforming commands, view the results in the Statistics and Visualization tabs.

Events

The following search retrieves events and populates the Events results tab:

Timeline of events: A visual representation of the number of events that occur

at each point in time. As the timeline updates with your search results, you might
notice clusters or patterns of bars. The height of each bar indicates the count of
events. Peaks or valleys in the timeline can indicate spikes in activity or server
downtime. Thus, the timeline highlights patterns of events or investigates peaks
and lows in event activity. The timeline options are located above the timeline.
You can zoom in, zoom out, and change the scale of the chart.

Fields sidebar: When you index data, Splunk by default extracts information
from your data that is formatted as name and value pairs, which we call fields.
When you run a search, Splunk lists all of the fields it discovers in the fields
sidebar next to your search results. You can select other fields to show in your
events. Also, you can hide this sidebar and maximize the results area.

• selected fields are set to be visible in your search results. By default, host,
source, and sourcetype appear.
• interesting fields are other fields that Splunk has extracted from your
search results.

Results area: The results area, located below the timeline, displays the events

29
that Splunk retrieves to match your search. By default, the results appear as a list
of events, ordered from most recent. Use the icons at the upper left of the panel
to view the results as a table (click on the Table icon) or chart (click on the Chart
icon).

Statistics

If you clicked the Statistics tab for the previous search example, you would not
see any results because it does not have any transforming commands.

With a transforming search, such as one to build a chart of the top product
categories sold at the Buttercup Games online store, Statistics displays a table
of results.

Visualizations

You can also view the previous example in the Visualizations tab. It displays as
a chart visualization that you can format further.

30
Next steps

This secton explained how to use and navigate the Search dashboard, but you
will not get a feel for Splunk Search until you start searching.

31
Part 5: Searching the tutorial data

Start searching
You uploaded the tutorial data file into Splunk and read about how to use Splunk
Search. In this section, you start searching that tutorial data. This topic discusses
searches that retrieve events from the index.

What to search

Click Search in the App navigation bar.

Look at the What to search panel.

Review the tutorial data, which represents a fictitious online game store, called
Buttercup Games. The tutorial data includes five hosts, eight sources, and three
source types. The three source types are Apache web access logs
(access_combined_wcookie), Linux secure formatted logs (secure), and the
vendor sales log (vendor_sales).

Most of this tutorial covers searching the Apache web access logs and
correlating it with the vendor sales logs.

Retrieve events from the index

You have data for an online store that sells a variety of games. Try to find out
what types of games are sold: strategy, arcade, simulation, shooter, sports?

1. Open Splunk Search, and type buttercupgames into the search bar:

32
As you type, the Search Assistant opens and starts suggesting completions for
your search based on terms it matches in your events. Search assistant also
displays the number of matches for the search term. This number gives you an
idea of how many search results Splunk will return. If a term or phrase doesn't
exist in your data, you will not see it listed in search assistant. Search assistant
has more uses after you start learning the search language.

If you do not want search assistant to open, click Auto Open to remove the
check mark. If you need search assistant after you turn off Auto Open, click the
down arrow below the search bar to open it back up again. You can toggle on or
off Auto Open by clicking it.

When you run the search for buttercupgames, Splunk Enterprise retrieves
36,819 events.

2. Search for simulation and strategy games. Use Boolean directives: AND, OR,
NOT. For example:

buttercupgames (simulation OR strategy)

Boolean directives must be in capital letters. The AND directive is implied
between terms, so you do not need to write it. You can use parentheses to group
terms. When evaluating boolean expressions, precedence is given to terms
inside parentheses. AND or NOT clauses are evaluated before OR clauses.

The search command

Each time you type keywords and phrases, you implicitly use the search
command to retrieve events from a Splunk index. The search command lets you
use keywords, phrases, fields, boolean expressions, and comparison
expressions to specify which events you want to retrieve.

For information about other search methods, see "Use the search command" in
the Search manual.

33
Next steps

Go to "Use fields to search" to learn how to search with fields.

Use fields to search

You can not take full advantage of the more advanced search features in Splunk
Enterprise without understanding what fields are and how to use them.

About fields

When you look at the Data Summary in the search view, you see a list of Hosts,
Sources, and Source Types that described the type of data you added to your
Splunk index. These are also default fields that Splunk extracts from the data
during indexing. They help to specify exactly which events you want to retrieve
from the index.

What are fields?

Fields exist in machine data in many forms. Often, a field is a value (with a fixed,
delimited position on the line) or a name and value pair, where there is a single
value to each field name. A field can be multivalued, that is, it can appear more
than once in an event and has a different value for each appearance.

Some examples of fields are clientip for IP addresses accessing your Web
server, _time for the timestamp of an event, and host for domain name of a
server. One of the more common examples of multivalue fields is email address
fields. While the From field will contain only a single email address, the To and Cc
fields have one or more email addresses associated with them.

In Splunk Enterprise, fields are searchable name and value pairings that
distinguish one event from another because not all events will have the same
fields and field values. Fields let you write more tailored searches to retrieve the
specific events that you want.

See "About fields" in the Knowledge Manager manual.

Extracted fields

Splunk extracts fields from event data at index-time and at search-time. See
"Index time versus search time" in the Managing Indexers and Clusters manual.

34
Default and other indexed fields are extracted for each event that is processed
when that data is indexed. Default fields include host, source, and sourcetype.
For a list of the default fields, see "Use default fields" in the Knowledge Manager
manual.

Splunk Enterprise extracts different sets of fields, when you run a search. See
"Overview of search-time field extractions" in the Knowledge Manager manual.

You can also use the Interactive Field Extractor (IFX) to create custom fields
dynamically on your local Splunk instance. IFX lets you define any pattern for
recognizing one or more fields in your events. See "Extract fields interactively
with IFX" in the Knowledge Manager Manual.

Find and select fields

Use the following syntax to search for a field: fieldname="fieldvalue" . Field

names are case sensitive, but field values are not.

1. Go to the Search dashboard and type the following into the search bar:

sourcetype="access_*"
This indicates that you want to retrieve only events from your web access logs
and nothing else.

sourcetype is a field name and access_* is a wildcarded field value used to

match any Apache web access event. Apache web access logs are formatted as
access_common, access_combined, or access_combined_wcookie.

2. In the Events tab, scroll through the list of events.

If you are familiar with the access_combined format of Apache logs, you
recognize some of the information in each event, such as:

• IP addresses for the users accessing the website.

• URIs and URLs for the pages requested and referring pages.
• HTTP status codes for each page request.
• GET or POST page request methods.

Also, these are events for the Buttercup Games online store, so you might
recognize other information and keywords, such as Arcade, Simulation,
productId, categoryId, purchase, addtocart, and so on.

35
To the left of the events list is the Fields sidebar. As Splunk Enterprise retrieves
the events that match your search, the Fields sidebar updates with Selected
fields and Interesting fields. These are the fields that Splunk Enterprise
extracted from your data.

Selected Fields are the fields that appear in your search results. The default
fields host, source, and sourcetype are selected.

You can hide and show the fields sidebar by clicking Hide Fields and Show
Fields, respectively.

3. Click All Fields.

The Select Fields dialog box opens, where you can edit the fields to show in the
events list.

You see the default fields that Splunk defined. Some of these fields are based on
each event's timestamp (everything beginning with date_*), punctuation (punct),
and location (index).

Other field names apply to the web access logs. For example, there are
clientip, method, and status. These are not default fields. They are extracted
at search time.

Other extracted fields are related to the Buttercup Games online store. For
example, there are action, categoryId, and productId.

4. Select action, categoryId, and productId and close the Select Fields window.

The three fields appear under Selected Fields in the sidebar. Also, the
field/value pairs are listed under each event if it exists in the raw data for that
event.

36
The fields sidebar displays the number of values that exist for each field. These
are the values that Splunk Enterprise indentifies from the results of your search.

5. Under Selected Fields, click the action field.

This opens the field summary for the action field.

In this set of search results, Splunk Enterprise found five values for action, and
that the action field appears in 49.9% of your search results.

6. Close this window and look at the other two fields you selected, categoryId
(what types of products the shop sells) and productId (specific catalog number
for products).

7. Scroll through the events list.

The selected fields appear under your search results if they exist in that particular
event. Different events will have different fields. If you click on the arrow next to
an event, it opens up the list of all fields in that event. Use this panel to view all
the fields in a particular event and select or deselect individual fields for an
individual event.

Run more targeted searches

The following are search examples using fields.

37
Example1: Search for successful purchases from the Buttercup Games store.

sourcetype=access_* status=200 action=purchase

This search uses the HTTP status field, status, to specify successful requests
and the action field to search only for purchase events.

You can search for failed purchases in a similar manner using status!=200,
which looks for all events where the HTTP status code is not equal to 200.

sourcetype=access_* status!=200 action=purchase

Example 2: Search for general errors.

(error OR failed OR severe) OR (status=404 OR status=500 OR status=503)

This doesn't specify a source type. The search retrieves events in both the
secure and web access logs.

Example 3: Search for how many simulation games were bought yesterday.

Select the Preset time range, Yesterday, from the time range picker and run:

sourcetype=access_* status=200 action=purchase categoryId=simulation

The count of events returned are the number of simulation games purchased.

To find the number purchases for each type of product sold at the shop, run this
search for each unique categoryId. For the number of purchases made each day
of the previous week, run the search again for each time range.

Next steps

Fields also let you take advantage of the search language, create charts, and
build charts. Continue to "Use the search language" to learn how to use the
search language.

Use the search language

The searches you have run to this point have retrieved events from your Splunk
index. You were limited to asking questions that could only be answered by the
number of events returned.

38
For example, in the last topic, you ran this search to see how many simulation
games were purchased:

sourcetype=access_* status=200 action=purchase categoryId=simulation

To find this number for the days of the previous week, you have to run it against
the data for each day of that week. To see which products are more popular than
the other, you have to run the search for each of the eight categoryId values and
compare the results.

Learn with search assistant

In the "Start searching" topic, you were introduced to the search assistant. This
section explains in more detail one of the ways you can use the search assistant
to learn about the Splunk search processing language and construct searches.

1. Return to the search dashboard and restrict your search to Yesterday:

sourcetype=access_* status=200 action=purchase

As you type in the search bar, search assistant opens with syntax and usage
information for the search command (on the right side). If search assistant
doesn't open, click the down arrow under the left side of the search bar.

You've seen before that search assistant displays typeahead for keywords that
you type into the search bar. It also explains briefly how to search.

2. Type a pipe character, " | ", into the search bar.

The pipe indicates to Splunk that you're about to use a command, and that you
want to use the results of the search to the left of the pipe as the input to this
command. You can pass the results of one command into another command in a
series, or pipeline, of search commands.

You want Splunk to give you the most popular items bought at the online store.

39
3. Under common next commands, click top.

Splunk Enterprise appends the top command to your search string.

According to search assistant's description and usage examples, the top

command "displays the most common values of a field."

4. Either click the categoryId field in the list or type it into the search bar to
complete your search:

sourcetype=access_* status=200 action=purchase | top categoryId

This populates the Statistics tab.

View reports in the Statistics tab

The results of a search are reports. The top command returns a tabulated report
for the most common values of categoryIdd. Because top is a transforming
command, this report appears in the Statistics tab.

You see that strategy games are the most popular item in the online store.

The top command also returns two new fields: count is the number of times each
value of the field occurs, and percent is how large that count is compared to the
total count. Read more about the top command in the Search reference manual.

View and format reports in the Visualization tab

View the report in the Visualization tab. By default, the Visualizations tab
opens with a Column Chart.

40
If you click on the visualization type selector, you can see that Column, Bar, and
Pie charts are recommended for this data set. Select Pie chart:

Now, you report should look like this:

You can turn on drilldown to delve deeper into the details of the information
presented to you in the tables and charts that result from your search.

If you mouse over each slice of the pie, you will see the count and percentage
values for each categoryId. Click on a slice, such as "Strategy".

41
This runs a new search, specifically for categoryId=strategy.

sourcetype=access_* status=200 action=purchase categoryId=strategy

Read more about drilldown actions in the Splunk Data Visualizations Manual.

Next steps

Go to the next topic to learn about correlating events with subsearches.

Use a subsearch
This topic walks you through examples of correlating events with subsearches.

A subsearch is a search with a search pipeline as an argument. Subsearches are

contained in square brackets and evaluated first. The result of the subsearch is
then used as an argument to the primary, or outer, search. See "About
subsearches" in the Search manual.

Why use a subsearch?

Let's try to find the single most frequent shopper on the Buttercup Games online
store and what this customer has purchased.

To do this, search for the customer who accessed the online shop the most.

1. Use the top command:

sourcetype=access_* status=200 action=purchase | top limit=1 clientip

Limit the top command to return only one result for the clientip. To see more
than one "top purchasing customer", change this limit value. For more
information about usage and syntax, see the "top" command's page in the
Search Reference manual.

42
This search returns one clientip value, which we'll use to identify our VIP
customer.

2. Use the stats command to count this VIP customer's purchases:

sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 |

stats count, dc(productId) by clientip

This search used the count() function which only returns the total count of
purchases for the customer. The dc() function is used to count how many
different products he buys.

The drawback to this approach is that you have to run two searches each time
you want to build this table. The top purchaser is not likely to be the same person
at any given time range.

Example 2: With a subsearch

1. Use a subsearch to run the searches from Part 1 inline. Type or copy/paste in:

sourcetype=access_* status=200 action=purchase [search

sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count, dc(productId), values(productId) by
clientip
Here, the subsearch is the segment that is enclosed in square brackets, []. This
search, search sourcetype=access_* status=200 action=purchase | top
limit=1 clientip | table clientip is the same as Example 1 Step 1, except
for the last piped command, | table clientip

Because the top command returns count and percent fields as well, the table
command is used to keep only the clientip value.

43
These results should match the previous result, if you run it on the same time
range. But, if you change the time range, you might see different results because
the top purchasing customer will be different.

2. Reformat the results so that it is easier to read:

sourcetype=access_* status=200 action=purchase [search

sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count AS "Total Purchased", dc(productId) AS
"Total Products", values(productId) AS "Products ID" by clientip |
rename clientip AS "VIP Customer"

Next steps

In the next topic, you'll learn about adding new information to your events using
field lookups.

Use field lookups

This topic takes you through using field lookups to add new fields to your events.
Field lookups let you reference fields in an external CSV file that match fields in
your event data. Using this match, you can enrich your event data by adding
more meaningful information and searchable fields to each event.

Download and uncompress the following file:

• http://docs.splunk.com/images/d/db/Prices.csv.zip

Important: To complete the rest of the tutorial, you have to follow the procedures
in this topic. If you do not add configure the field lookup, the searches in the
following topics will not produce the correct results.

44
Find the Lookups manager

1. In the Splunk bar, on the upper right, click Settings.

2. Under Knowledge, click Lookups.

This opens the Lookups editor where you can create new lookups or edit existing
ones. You can view and edit existing lookups by clicking on the links in the table
for Lookup table files, Lookup definitions, and Automatic lookups. To add
new lookups, click Add new under Actions for that lookup item.

Upload the lookup table file

1. In the Lookups manager under "Actions" for Lookup table files, click Add new.

This takes you to the Add new' lookup table files view where you upload CSV
files to use in your definitions for field lookups.

2. To save your lookup table file in the Search app, leave the Destination app as
search.

45
3. Under Upload a lookup file, browse for the CSV file (prices.csv) to upload.

4. Under Destination filename, name the file prices.csv.

This is the name you use to refer to the file in a lookup definition.

5. Click Save.

This uploads your lookup file to the Search app and returns to the lookup table
files list.

Note: If Splunk does not recognize or cannot upload the file, check that it was
uncompressed before you attempt to upload it again.

Share the lookup table file globally

If the lookup file is not shared, you can not select it when you define the lookup.

1. Click Lookups in the breadcrumb to return to the Lookups manager.

2. Under Sharing for the prices.csv lookup table's Path, click Permissions.

This opens the Permission dialog box for the prices.csv lookup file.

3. Under Object should appear in, select All apps.

4. Click Save.

Add the field lookup definition

1. In the Lookups manager, under Actions for Lookup definitions, click Add New.

This takes you to the Add new lookups definitions view where you define your
field lookup.

46
2. Leave the Destination app as search.

3. Name your lookup prices_lookup.

4. Under Type, select File-based.

File-based lookups add fields from a static table, usually a CSV file.

5. Under Lookup file, select prices.csv (the name of your lookup table).

6. Leave Configure time-based lookup and Advanced options unselected.

7. Click Save.

This defines prices_lookup as a file-based lookup.

Share the lookup definition with all apps

1. In the Lookup definitions manage, under Sharing, click Permissions.

The Permission dialog box for the prices.lookup opens.

2. Under Object should appear in, select All apps.

47
3. Click Save.

This shares the lookup definition globally.

Make the lookup automatic

1. In the Lookups manager, under Actions for Automatic lookups, click Add
New.

This takes you to the Add New automatic lookups view where you configure the
lookup to run automatically.

2. Leave the Destination app as search.

3. Name your automatic lookup price_lookup.

4. Under Lookup table, select price_lookup.

5. Under Apply to and named, select sourcetype and type in

access_combined_wcookie.

6. Under Lookup input fields type in the access_combined_wcookie for the

sourcetype and productId in both text areas under Lookup input fields .

The input field is the field in your event data that you use to match the field in the
lookup table.

48
Splunk Enterprise matches the field in the lookup table (which is the one
specified on the left) with the field on the right (which is the field in your events).
In this case the field names match.

7. Under Lookup output fields, type in the name of the fields that you want to
add to your event data based on the input field matching and rename the fields.

7.1 In the first text area, type product_name, which contains the descriptive name
for each productId.

7.2. In the second text area, after the equal sign, type productName. This
renames the field to productName.

7.3. Click Add another field to add more fields after the first one.

7.4. Add the field price, which contains the price for each productId. Do not
rename this field.

8. Leave Overwrite field values unchecked.

9. Click Save.

This returns you to the list of automatic lookups and you should see your
configured lookup.

10. To view the the new fields in your data, first return to Search.

11. Run the search for web access activity:

sourcetype=access_*

49
12. Scroll through the fields sidebar or Fields dialog, and find the price and
productName fields.

13. Click All fields and add them to the Selected fields list.

These new fields appear in the events list.

Search with the new lookup fields

Run the previous subsearch example to see what the VIP customer bought. This
time, replace the productId field with the more readable productName:

sourcetype=access_* status=200 action=purchase [search

sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count AS "Total Purchased", dc(productId) AS
"Total Products", values(productName) AS "Product Names" by clientip |
rename clientip AS "VIP Customer"
The result is the same as in the previous subsearch example, except that the VIP
customer's purchases are more meaningful with the added descriptive product
names.

The next section takes you through saving this search as a report called "VIP
Customer".

50
Next steps

As you run more searches, you want to be able to save to reuse or share them
with other people. Go to "About saving and sharing reports" to learn about saving
and sharing reports.

51
Part 6: Saving and sharing Reports

About saving and sharing reports

In the last section you learned the basics of searching in Splunk Enterprise, how
to use a subsearch, and how to add field from lookup tables. This section takes
you through saving searches and more search examples.

Save as a report

Run the previous search again and save it as a report.

sourcetype=access_* status=200 action=purchase [search

sourcetype=access_* status=200 action=purchase | top limit=1 clientip |
table clientip] | stats count AS "Total Purchased", dc(productId) AS
"Total Products", values(productName) AS "Product Names" by clientip |
rename clientip AS "VIP Customer"

1. To save it as a report, click Save as above the search bar and select Report.

This opens the Save as Report dialog.

2. Enter a Title VIP Customer.

3. (Optional) Enter a Description Bettercup Games most frequent shopper.

52
4. Because the report is a table, for Visualization, click None.

5. To include a Time Range Picker, click Yes.

6. Click Save.

The Your report has been created dialog box opens.

There are other options in this window.

• Continue Editing lets you refine the search and report format.
• Add to dashboard lets you add the report to a new or existing dashboard.
• View lets you view the report.

7. Click View.

Find and share saved reports

You can access your saved reports using the app navigation bar.

1. Click Reports to open the Reports listing page.

When you save a new report, its Permissions are set to "Private". This means
that only you can view and edit the report. You can allow other apps to view, or
edit, or view and edit the reports by changing its Permissions.

1. Under Actions, click Edit and select Edit Permissions.

53
This opens the Edit Permissions dialog box.

2. Click App and check the box under Read for Everyone.

This action gives everyone who has access to this app the permission to view it.

3. Click Save.

Back at the Reports listing page, you see that the Sharing for VIP Customer now
reads App.

54
View and edit saved reports

You can open saved reports using the Reports listing page.

1. Click VIP Customer to open that report.

You saved this report with a time range picker, which is located to the top left.
The time range picker lets you change the time period to run this search. For
example, you can use this time range picker to run this search for the VIP
Customer Yesterday, the day before, or last month just by selecting the Preset
time range or defining a custom time range. See "About the time range picker".

About report acceleration

If your search has a large number of events and is slow to finish, you might be
able to accelerate the resulting report so it finishes faster when you run it again.
This option is available when the report produced by your search qualifies for
acceleration. The "VIP Customer" report does not qualify for acceleration,
because it is based on a transforming search.

The sample data used in this tutorial is limited in volume and the searches
throughout are run against data for one day (Yesterday). Checking this box will
not affect the speed of this search and all upcoming searches you save in this
Tutorial.

Read more about report acceleration and the kinds of searches that enable
reports to qualify for report acceleration in the "Accelerate Reports" topic in the
Reporting manual.

55
Next steps

Continue to run more search examples and save more reports.

More searches and reports

This topic takes you through more search examples.

Example 1: Compare the number of views to purchases

In this example, calculate the number of views and number of purchases for each
type of product.

This report requires the productName field from the fields lookup example. If you
did not add the lookup, refer to that example and follow the procedure.

1. Run this search:

sourcetype=access_* status=200 | chart count AS views

count(eval(action="addtocart")) AS addtocart
count(eval(action="purchase")) AS purchases by productName | rename
productName AS "Product Name", views AS "Views", addtocart AS "Adds to
Cart", purchases AS "Purchases"

The chart command is used to count the number of events that are
action=purchase and action=addtocart. You can format the visualization as a
column chart:

Alternatively, you can use the stats command to create a table of the same
statistics, and more:

sourcetype=access_* status=200 | stats count AS views

count(eval(action="addtocart")) AS addtocart
count(eval(action="purchase")) AS purchases by productName | eval
viewsToPurchase=(purchases/views)*100 | eval

56
cartToPurchase=(purchases/addtocart)*100 | table productName views
addtocart purchases viewsToPurchase cartToPurchase | rename productName
AS "Product Name" views AS "Views", addtocart as "Adds To Cart",
purchases AS "Purchases"
Here, the stats command is used instead of the chart command. The eval
command is used to define new fields, which are the percentage of views and
addtocart that lead to purchases.

2. Click Save As and select Report.

3. In the Save Report As dialog box, enter a Title, "Comparison of Product

Views and Purchases".

4. (Optional) Enter a Description, "The number of times a product is viewed,

added to cart, and purchased."

5. Click Save.

Example 2: Products purchased over time

For this report, chart the number of purchases that were completed for each item.

This report requires the productName field from the fields lookup example. If you
didn't add the lookup, refer to that example and follow the procedure.

1. Search for:

sourcetype=access_* | timechart count(eval(action="purchase")) by

productName usenull="f" useother="f"

Use the count() function to count the number of events that have the field
action=purchase. Use the usenull and useother arguments to make sure the
chart counts events that have a value for productName.

57
This produces the following statistics table.

2. Click the Visualizations tab.

If you look at the chart selection menu, the Line, Area, and Column visualizations
are recommended.

If you select Line and format the Y-axis and Legend, you can produce this chart:

Now see how it looks as an Area or Column chart.

58
3. Click Save As and select Report.

4. In the Save Report As dialog box, enter a Title, "Purchases by Product

Name".

5. (Optional) Enter a Description, "The number of purchases for each product."

6. Click Save.

Example 3: Purchasing trends

This example uses sparklines to trend the count of purchases made over time.

For stats and chart searches, you can add sparklines to their results tables.
Sparklines are inline charts that appear within the search results table and are
designed to display time-based trends associated with the primary key of each
row. See "Add sparklines to your search results" in the Search Manual.

This example requires the productName field from the fields lookup example. If
you didn't add the lookup, refer to that example and follow the procedure.

1. Run the following search:

sourcetype=access_* status=200 action=purchase| chart sparkline(count)

AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS
"Category"
This search uses the chart command to count the number of purchases,
action="purchase", made for each product, productName. The difference is that
the count of purchases is now an argument of the sparkline() function.

59
3. Click Save As and select Report.

4. In the Save Report As dialog box, enter a Title, "Purchasing trends".

5. (Optional) Enter a Description, "Count of purchases with trending."

6. Click Save.

Next steps

Up to now, you saved searches as Reports. Continue "Creating dashboards" to

learn about dashboards and how to save searches and reports as dashboard
panels.

60
Part 7: Creating dashboards

About dashboards
Dashboards are views that are made up of panels that can contain modules
such as search boxes, fields, charts, tables, and lists. Dashboard panels are
usually hooked up to saved searches.

After you create a visualization or report, you can add it to a new or existing
dashboard using the Save as report dialog box. You can also use the
Dashboard Editor to create dashboards and edit existing dashboards. Using the
Dashboard editor is useful when you have a set of saved reports that you want to
quickly add to a dashboard.

Change dashboard permissions

You can specify access to a dashboard from the Dashboard Editor. However,
your user role (and capabilities defined for that role) might limit the type of access
you can define.

If your Splunk user role is admin (with the default set of capabilities), then you
can create dashboards that are private, visible in a specific app, or visible in all
apps. You can also provide access to other Splunk user roles, such as user,
admin, and other roles with specific capabilities.

For information on setting up permissions for dashboards and other knowledge

objects, see "Manage knowledge object permissions" in the Admin manual.

Change dashboard panel visualizations

After you create a panel with the Dashboard Editor, use the Visualization Editor
to change the visualization type in the panel, and to determine how that
visualization displays and behaves. The Visualization Editor lets you choose from
visualization types that have their data structure requirements matched by the
search that has been specified for the panel.

• For an overview of the visualization types and their formatting/display

options, see the "Visualization reference" topic in the Data Visualization
manual.

61
 • For more information about the data structures required the various
visualization types see "Data structure requirements for visualizations" in
the Data Visualization manual.

Edit the XML configuration of a dashboard

Although you're not required to use XML to build dashboards, you can edit a
dashboard's panels by editing the XML configuration for the dashboard. This
provides editing access to features not available from the Dashboard Editor. For
example, edit the XML configuration to change the name of dashboard or specify
a custom number of rows in a table. See "Build and edit dashboards with
SimplifiedXML" in the Developer manual.

Creating dashboards and dashboard panels

This topic walks you through saving a search as a dashboard panel and editing
the panel to add panels from saved reports.

Save a search as a dashboard panel

1. Run the following search:

sourcetype=access_* status=200 action=purchase | top categoryId

2. Click the Visualizations tab and select the Pie Chart type.

3. Click Save as and select Dashboard Panel.

The Save as Dashboard Panel dialog box opens.

62
4. Define a new dashboard to save the panel to:

4.1. For Dashboard, click New.

4.2. Enter the Dashboard Title, "Buttercup Games Purchases", The Dashboard
ID updates with "Buttercup_games_purchases".

4.3 (Optional) Add a Dashboard Description, "Reports on Buttercup Games

successful purchases data".

5. Define your dashboard panel:

5.1. Type in the Panel Title, "Top Purchases by Category"

5.2. Leave the Panel Powered By as Inline search.

6. Click Save.

The dashboard was created.

63
7. To continue, click View dashboard.

View and edit dashboard panels

After you save a dashboard, access it by clicking Dashboard in the app

navigation bar.

This takes you to the Dashboards listing page. You can Create a new
dashboard and edit existing dashboards. You see the Buttercup Games
Purchases dashboard that you created.

Click on the arrow under the i (information) to see more information about the
dashboard: What app context it is in, whether or not it is scheduled, and its
permissions.

You can use the quick links that are inline with the information to edit the
dashboard's Schedule and Permissions.

64
Add a saved report to the dashboard

1. Go back to the Buttercup Games dashboard.

2. Under Actions for Buttercup Games Purchases, click Edit and select Edit
Panels.

3. Click Add Time Range Picker and leave the default as All time.

This time range picker lets you to restrict all the inline searches that power the
panels to the same time range.

Add the another panel using one of the saved reports you created earlier:

3. Click Add Panel.

The opens the Add Panel dialog box opens.

4. For Content Type, click "Report" and select a saved report from the list,
Comparisons of Views, Adds to Cart, and Purchases.

5. Enter the Content Title, "Views, Adds to Cart, and Purchases".

6. Click Add Panel.

When you return to the dashboard you see two panels: "Top Purchases by
Category" and "Views, Adds to Cart, and Purchases".

While in the Edit Panels view, you can drag and drop a panel to rearrange it on
the dashboard.

65
7. Click Done.

Your dashboard should look like this:

Next steps

This completes the Search Tutorial.

66
Next steps

More Splunk Search resources

This tutorial was a brief introduction to navigating the search interface and using
the search language. It walked you through running some basic searches and
saving the results as a report and dashboard, but it barely cut the surface of what
you can do with Splunk Enterprise. For more details refer to the following
manuals:

• Search Manual: Explains how to search and use the Splunk Search
Processing Language (SPL?). Look here for more thorough examples of
writing Splunk searches to calculate statisitics, evaluate fields, and report
on search results.
• Search Reference Manual: Provides a reference for the Splunk
Enterprise user who is looking for a catalog of the search commands with
complete syntax, descriptions, and examples for usage. If you want to
start searching, check out the Search command cheat sheet. It is a quick
guide, complete with descriptions and examples.

We encourage you to investigate the tutorial data, run more searches, and create
more dashboards.

To learn more about the data model and pivot features of Splunk Enterprise, see
Data Model and Pivot Tutorial.

To learn more about Splunk Enterprise features and how to use them, see the
Splunk selection of Education videos and classes.

67