Splunk Search

What are the basics for using the Splunk search interface?

jmulcaster_splu
Splunk Employee
Splunk Employee

I'm new to Splunk. What are some basics I need to know about the features in the search user interface?

0 Karma
1 Solution

jmulcaster_splu
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

In Splunk Enterprise, everything revolves around search.

Note: This answer applies to Splunk Enterprise and Splunk Cloud.

The basics of Splunk search

Search Processing Language (SPL) is Splunk's query language used to express the search commands and their functions, arguments and clauses, which tell the Splunk software what to do to with the events you retrieve from the indexes. The Splunk Enterprise Search Manual is a great place to start building your SPL ninja skills.

Splunk Web is the Splunk Enterprise web-based interface. Learn about each portion of the search interface within the Search Manual.

Any search in Splunk Enterprise can be saved as a saved search, scheduled search, report, new dashboard, or a panel within an existing dashboard. Here are some terms to get you started:

  • Ad Hoc Search: An unscheduled search you can use to explore data and build searches incrementally.
  • Saved Search: A search that a user makes available for later use. A report is a type of saved search.
  • Scheduled Search: A saved search that runs on a specific interval. A scheduled report is a type of scheduled search.
  • Scheduled Alert: A scheduled alert is an alert that runs on a regular interval, making it a type of scheduled search.
  • Dashboard: A user interface associated with an app that has one or more panels that show search results.

How to get started with search

Basic Searching in Splunk

View solution in original post

jmulcaster_splu
Splunk Employee
Splunk Employee

The Splunk Product Best Practices team provided this response. Read more about How Crowdsourcing is Shaping the Future of Splunk Best Practices.

In Splunk Enterprise, everything revolves around search.

Note: This answer applies to Splunk Enterprise and Splunk Cloud.

The basics of Splunk search

Search Processing Language (SPL) is Splunk's query language used to express the search commands and their functions, arguments and clauses, which tell the Splunk software what to do to with the events you retrieve from the indexes. The Splunk Enterprise Search Manual is a great place to start building your SPL ninja skills.

Splunk Web is the Splunk Enterprise web-based interface. Learn about each portion of the search interface within the Search Manual.

Any search in Splunk Enterprise can be saved as a saved search, scheduled search, report, new dashboard, or a panel within an existing dashboard. Here are some terms to get you started:

  • Ad Hoc Search: An unscheduled search you can use to explore data and build searches incrementally.
  • Saved Search: A search that a user makes available for later use. A report is a type of saved search.
  • Scheduled Search: A saved search that runs on a specific interval. A scheduled report is a type of scheduled search.
  • Scheduled Alert: A scheduled alert is an alert that runs on a regular interval, making it a type of scheduled search.
  • Dashboard: A user interface associated with an app that has one or more panels that show search results.

How to get started with search

Basic Searching in Splunk

adukes_splunk
Splunk Employee
Splunk Employee

Added related video.

0 Karma

sloshburch
Ultra Champion

I adjusted the question and a portion of the answer to better reflect that this is about the search screen and not limited to the search app.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...