Basic Searching in Splunk


Hello, my name is Chris B Saye and I'm part of the Splunk Education team. In this video I will show you how to do some basic searches in Splunk. From the app sidebar on our Splunk launcher app we select the Search and Reporting application. The app includes a search bar for entering our searches, a time range picker for the search, links to the search documentation and tutorial, information on the data Splunk has indexed, and a menu to view and rerun past searches. In this demo we will be using Apache server data from a fictional game company, Buttercup Games.

We want to see if 503 errors are occurring on our web servers, so we type 503 in the search bar. As we type, the Splunk search assistant displays contextual matches, keyword completion and syntax documentation for the search. We only want to see when an error happened over the last seven days, so we select Last 7 days in the time range picker. Limiting a search by time is key to getting results faster and is the best practice to use for every search. Once the time range is selected, the search is sent to Splunk. The interface updates to show events that include the text 503, a sidebar of fields that were extracted from the events, and a timeline of when the events happened.

Since we searched for any event with the text 503, events could include an HTTP status code, an area code, a username, even the name of a file in our data. We only want to see events with an HTTP status of 503, so we use a key-value pair. We see there is a status field in our field sidebar. Clicking on the field, we have links to quick reports, the values returned and statistics for those values. We change our search to use a field-value pair by adding the case-sensitive field name to the value we want to find. Now we only get events with the status of 503.

If we wanted to see any 500 errors we can use a wildcard: changing the last character to an asterisk will return any HTTP error that begins in 50. We can use the uppercase Booleans AND, OR and NOT with our search terms, so if we want to see events with a 500 or a 404 status we add OR status=404 to the search. A new feature in Splunk Enterprise is syntax highlighting; here you can see the Boolean operator has been highlighted, making it easier to see what is happening in our search. If no Boolean is used between search terms, an AND is implied. With this search we get no events returned, because Splunk is looking for events with a status in the 500s and the 404 status.

We can also use the comparison operators equal, not equal, less than, less than or equal to, greater than, or greater than or equal to in our search. So to see any events with the status greater than 400 we add a greater than operator, or to see status not equal to 200 we add the not equal to operator.

We can use phrases in our search by wrapping the terms in quotes. To see events for our video game Dream Crusher we search the product name field with a phrase of "Dream Crusher". If we remove the quotes no events will be returned; this is because Splunk is searching for events with the product name of Dream and the text Crusher within the events.

We can also interact with events to modify our search. Rolling over an event you will see search terms highlight; clicking on one allows us to add it to the search, remove it from the search or create a new search. Clicking Add to search updates the search terms to include our selection. We can also add terms from the field sidebar by clicking on a field and selecting the value we want to add to the search.

By using search terms with search components, a whole new world of monitoring and analyzing opens up. In this example we are searching for products sold on our web shopping cart, using a stats command to count them by product name, sorting them by the number sold and displaying them in the column chart visualization.
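To make the search behaviour described in the video concrete, the Python below is an added example (not code from the video or from Splunk) that models the semantics just described over a handful of constructed Apache-style log lines: a bare keyword such as 503 matching anywhere in the raw text, a case-sensitive field-value pair, a trailing wildcard, uppercase AND/OR/NOT with the implied AND, the comparison operators, a quoted phrase versus the same words unquoted, and a stats count by product sorted by the number sold. The field names `status`, `productName` and `action`, the `product="..."` suffix on the log lines and the sample events themselves are assumptions made for the example; real Splunk tokenization and field extraction are richer than this toy.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed Apache-style access log lines modelled on the Buttercup Games demo data.
# The trailing product="..." is a constructed extra so a product name can be extracted;
# the real tutorial data and its field names may differ.
RAW_EVENTS = [
    '198.51.100.10 - - [20/May/2024:10:00:01 +0000] "GET /cart.do?action=purchase&productId=DC-SG-G02 HTTP/1.1" 200 2134 product="Dream Crusher"',
    '198.51.100.11 - - [20/May/2024:10:00:07 +0000] "POST /cart.do?action=purchase&productId=DC-SG-G02 HTTP/1.1" 503 418 product="Dream Crusher"',
    '198.51.100.12 - - [20/May/2024:10:01:15 +0000] "GET /cart.do?action=addtocart&productId=MK-AG-G10 HTTP/1.1" 500 512 product="Mediocre Kingdoms"',
    '198.51.100.13 - - [20/May/2024:10:02:30 +0000] "GET /product.screen?action=view&productId=WC-SH-G04 HTTP/1.1" 404 330 product="World of Cheese"',
    '198.51.100.14 - - [20/May/2024:10:03:02 +0000] "GET /static/promo-503.png HTTP/1.1" 200 8810',
    '198.51.100.15 - - [20/May/2024:10:04:45 +0000] "GET /cart.do?action=purchase&productId=MK-AG-G10 HTTP/1.1" 200 2210 product="Mediocre Kingdoms"',
    '198.51.100.16 - - [20/May/2024:10:05:59 +0000] "GET /cart.do?action=purchase&productId=DC-SG-G02 HTTP/1.1" 200 2134 product="Dream Crusher"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ACTION_RE = re.compile(r"[?&]action=(\w+)")
PRODUCT_RE = re.compile(r'product="([^"]*)"')


def extract_fields(raw):
    """Stand-in for Splunk's field extraction: the fields the sidebar would show (assumed names)."""
    event = {"_raw": raw}
    m = REQUEST_RE.search(raw)
    if m:
        event.update(method=m["method"], uri=m["uri"], status=m["status"])
    m = ACTION_RE.search(raw)
    if m:
        event["action"] = m[1]
    m = PRODUCT_RE.search(raw)
    if m:
        event["productName"] = m[1]
    return event


EVENTS = [extract_fields(line) for line in RAW_EVENTS]

# One search token: field<op>value, a "quoted phrase", or a bare word (keyword or Boolean).
TOKEN_RE = re.compile(
    r'(?P<field>\w+)(?P<op>!=|>=|<=|=|<|>)(?P<value>"[^"]*"|\S+)'
    r'|"(?P<phrase>[^"]*)"'
    r'|(?P<word>\S+)'
)


def match_atom(event, tok):
    """Does one token match one event? Field names are case-sensitive, values are not."""
    if tok["phrase"] is not None:
        # A quoted phrase must appear as a whole in the raw event text.
        return tok["phrase"].lower() in event["_raw"].lower()
    if tok["field"]:
        actual = event.get(tok["field"])
        if actual is None:  # events without the field never satisfy a field comparison
            return False
        value = tok["value"].strip('"')
        if tok["op"] == "=":  # '*' in the value acts as a wildcard, so status=50* covers 500-509
            return fnmatchcase(actual.lower(), value.lower())
        if tok["op"] == "!=":
            return not fnmatchcase(actual.lower(), value.lower())
        try:
            a, b = float(actual), float(value)
        except ValueError:
            return False
        return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[tok["op"]]
    # A bare keyword matches the raw text wherever it stands as its own term,
    # which is why a search for 503 also hits a file name like promo-503.png.
    return re.search(r"(?<!\w)" + re.escape(tok["word"]) + r"(?!\w)", event["_raw"], re.I) is not None


def search(events, spl):
    """Evaluate a flat search string: uppercase AND/OR/NOT, with AND implied between terms."""
    or_groups, current, negate = [], [], False
    for m in TOKEN_RE.finditer(spl):
        tok = m.groupdict()
        if tok["word"] == "OR":
            or_groups.append(current)
            current = []
            continue
        if tok["word"] == "AND":  # an explicit AND behaves exactly like the implied one
            continue
        if tok["word"] == "NOT":
            negate = True
            continue
        current.append((negate, tok))
        negate = False
    or_groups.append(current)

    def hit(ev):
        return any(all(match_atom(ev, t) != neg for neg, t in g) for g in or_groups if g)

    return [ev for ev in events if hit(ev)]


def stats_count_by(events, field):
    """Model of `| stats count by <field> | sort -count`: (value, count) pairs, largest first."""
    counts = Counter(ev[field] for ev in events if field in ev)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for spl in ["503", "status=503", "status=50*", "status=50* OR status=404",
                "status=50* status=404", "status>400", "status!=200",
                'productName="Dream Crusher"', "productName=Dream Crusher"]:
        print(f"{spl!r:40} -> {len(search(EVENTS, spl))} events")
    print(stats_count_by(search(EVENTS, "action=purchase status=200"), "productName"))
```

Running the block shows the two traps the video calls out: the bare keyword 503 returns the promo image request as well as the real 503, and `status=50* status=404` returns nothing because the implied AND asks for both statuses at once, while the unquoted `productName=Dream Crusher` fails because only `Dream` is compared against the field.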

We have just skimmed the surface of the power of the Splunk search language. To learn more about Splunk Enterprise and the Splunk search language, check out our other videos, documentation, or register for courses from Splunk Education. Happy