I'm new to Splunk. What are some basics I need to know about the features in the search user interface?
The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.
In Splunk Enterprise, everything revolves around search.
Note: This answer applies to Splunk Enterprise and Splunk Cloud.
The basics of Splunk search
Search Processing Language (SPL) is Splunk's query language used to express the search commands and their functions, arguments and clauses, which tell the Splunk software what to do with the events you retrieve from the indexes. The Splunk Enterprise Search Manual is a great place to start building your SPL ninja skills.
Splunk Web is the Splunk Enterprise web-based interface. Learn about each portion of the search interface within the Search Manual.
Any search in Splunk Enterprise can be saved as a saved search, scheduled search, report, new dashboard, or a panel within an existing dashboard. Here are some terms to get you started:
- Ad Hoc Search: An unscheduled search you can use to explore data and build searches incrementally.
- Saved Search: A search that a user makes available for later use. A report is a type of saved search.
- Scheduled Search: A saved search that runs on a specific interval. A scheduled report is a type of scheduled search.
- Scheduled Alert: A scheduled alert is an alert that runs on a regular interval, making it a type of scheduled search.
- Dashboard: A user interface associated with an app that has one or more panels that show search results.
How to get started with search
- Get Started! Review Get started with Search and familiarize yourself with Splunk Web. For extra credit, Splunk Cloud users can complete the Splunk Cloud Search Tutorial, and Splunk Enterprise users can complete the Splunk Enterprise Search Tutorial, which guide you through the most valuable features of Splunk using a make-believe scenario and test data.
- Use fields to retrieve events. Find all events in your data stream whose host is a web server.
- Select time ranges to add to your search. Use the time range picker to set time boundaries on your searches.
- Optimize your searches. If you've already created a few searches, see if you can improve them with best practices to write better searches and search optimization tips.
- Review basic searching in Splunk. The following video demonstrates how to perform basic searches, use the timeline and time range picker, and use fields in the Splunk Search & Reporting app.
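To tie the terms above together, here is an added example (not from the answer or from Splunk's documentation) of how one ad hoc SPL search becomes a saved search and then a scheduled alert via a savedsearches.conf stanza. The index name, sourcetype, host naming pattern, schedule and threshold are constructed assumptions; adjust them to your own data.

```ini
# savedsearches.conf, placed in an app's local/ directory (assumed layout).
# The same SPL could first be run ad hoc in the search bar, then saved
# from the Save As menu; this stanza is what that save produces, plus the
# scheduling and alerting keys that turn it into a scheduled alert.
[web_server_5xx_spike]
# Ad hoc search: use fields to retrieve events whose host is a web server
# (host naming pattern "web*" is an assumption), keep only server errors,
# and count them per host.
search = index=web sourcetype=access_combined host=web* status>=500 | stats count AS errors BY host

# Time range: the scheduled run always looks at the last 15 minutes,
# snapped to the minute (equivalent to picking a relative range in the
# time range picker).
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Scheduled search: run every 15 minutes.
enableSched = 1
cron_schedule = */15 * * * *

# Scheduled alert: trigger only when more than 50 error events are found.
# The 50-event threshold is a constructed value, not a recommendation.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 50

# Record triggered alerts under Activity > Triggered Alerts, and do not
# re-fire for the same condition within an hour.
alert.track = 1
alert.suppress = 1
alert.suppress.period = 1h
```

After a restart or debug/refresh, the stanza appears under Settings > Searches, reports, and alerts, where it can also be edited from Splunk Web.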
Added related video.
I adjusted the question and a portion of the answer to better reflect that this is about the search screen and not limited to the search app.
