
Discrepancy between Fundamentals PDF and Module 5 Video Regarding Timeline Search


The Splunk Fundamentals Part 1, Module 5 "Using Search" video says that both selecting and zooming into the timeline with the Zoom to Selection button reuse the same search results and do not redo the search. However, the Fundamentals PDF, pages 67-68, states that selecting a narrower time will not re-execute the search, while zooming in with Zoom to Selection will re-execute the search.






The Splunk documentation does not clarify.

"When you use the timeline to investigate events, you are not running a new search. You are filtering the existing search results."

"When you select a set of bars on the timeline and click Zoom to Selection, your search results are filtered to show only the selected time period. The timeline and events list update to show the results of your selection."

The documentation does not state that Zooming Out re-executes the search, but we know that is the case. It simply states that it chooses new times for the Time Range Picker. Can we assume that when new times are chosen for the Time Range Picker, a new search is executed for the new times? But if that is the case, then that means Zooming In or Zoom to Select will also re-execute the search.

When actually testing Splunk's timeline for Zooming Out and Zoom to Selection, I can see that all of the previous search results disappear, my page refreshes, and new results are displayed. Doesn't that mean the search has been re-executed? Whereas when I simply select a timeframe in the timeline (but do not press Zoom to Selection), the results change to show only the related events, but the page does not refresh.

Some official clarification or even perhaps an update of the Splunk training would be greatly appreciated.



I suggest submitting feedback on the Splunk documentation page. The Docs team is good about adding clarifications in response to user feedback.

If this reply helps you, Karma would be appreciated.