Basic Searching in Splunk Enterprise

Splunk How-To
22 Aug 2022 08:05

Summary

TL;DR: In this Splunk Education video, Alex guides viewers through the basics of running searches in Splunk's Search & Reporting app. The tutorial covers navigating the app, using the search bar and time range picker, and exploring data through Table Views. The focus is on analyzing Apache server data from Buttercup Games to identify 503 errors. The video demonstrates how to refine searches with field-value pairs, wildcards, Boolean operators, and comparison operators. It also shows how to interact with events and fields to enhance searches and introduces commands for data visualization, such as stats and timechart. The video concludes with a call to action for further learning through Splunk's documentation and courses.

Takeaways

  • 🔍 **Basic Searches in Splunk**: The video demonstrates how to perform basic searches in Splunk's Search & Reporting app.
  • 📊 **Search Bar and Time Range Picker**: It introduces the search bar for entering queries and the time range picker to refine search results.
  • 🕒 **Time Range Efficiency**: Emphasizes the importance of limiting searches by time for efficiency, highlighting 'Last 7 days' as an example.
  • 🔎 **Search Assistant Features**: The script mentions the contextual matches, keyword completion, and syntax documentation provided by Splunk's search assistant.
  • 📈 **Data Exploration with SPL**: It showcases using Splunk's Search Processing Language (SPL) to explore Apache server data from a fictional company.
  • 🚫 **Filtering 503 Errors**: The video explains how to filter for specific HTTP status codes like 503 to identify server errors.
  • 🔗 **Field-Value Pairs**: It teaches how to use field-value pairs to narrow down search results to specific events, such as HTTP status codes.
  • 🌐 **Wildcards for Error Ranges**: Introduces the use of wildcards to search for a range of HTTP errors, like using '50*' to find errors in the 500 range.
  • 🔄 **Boolean Operators**: The script covers the use of Boolean operators (AND, OR, NOT) to combine search terms and refine results.
  • ✅ **Comparison Operators**: It explains the use of comparison operators (=, !=, <, <=, >, >=) to filter events based on specific conditions.
  • 📝 **Phrase Searches**: Demonstrates searching for phrases by using quotes, ensuring that events contain the exact specified phrase.
  • 🛠️ **Interactive Search Modification**: The video shows how to modify searches by interacting with event terms and fields directly within the interface.
  • 📊 **Visualization Commands**: It introduces commands like 'stats' and 'timechart' for data transformation and visualization in Splunk.
  • 📚 **Further Learning Resources**: The script concludes with suggestions for further learning, including Splunk documentation, videos, and educational courses.

Q & A

  • What is the purpose of Splunk's 'Search & Reporting' app?

    -The 'Search & Reporting' app in Splunk is used to run searches on indexed data, view search results, and create reports or visualizations to explore and analyze data efficiently.

  • What does the Splunk search assistant provide when typing in the search bar?

    -The search assistant offers contextual matches, keyword completions, and syntax documentation as you type in the search bar, helping users refine and understand their searches.

  • Why is limiting the time range in searches considered a best practice?

    -Limiting the time range helps make searches more efficient by focusing on relevant data and reducing the amount of data Splunk needs to process, which speeds up results.

  • How can you narrow search results to HTTP status code 503 errors?

    -You can narrow the results by specifying a field-value pair, such as `status=503`, to ensure only events with a status code of 503 are returned.

  • How do wildcards help in searches involving HTTP status codes?

    -Wildcards, like replacing the last digit with an asterisk (e.g., `status=50*`), allow you to search for any status code that begins with '50', returning results for any server errors in the 500 range.

  • What happens if no Boolean operator is used between search terms?

    -If no Boolean operator (like AND, OR) is used between search terms, Splunk automatically implies 'AND', meaning it searches for events containing both terms.

  • How can comparison operators be used in a Splunk search?

    -Comparison operators such as `>`, `<`, `>=`, `!=` can be used to filter results based on conditions, such as finding events with a status greater than 400 (`status>400`).

  • What is the correct way to search for specific phrases in Splunk?

    -To search for exact phrases, enclose the phrase in quotes. For example, to find events with the product name 'Dream Crusher', use `product_name="Dream Crusher"`.

  • What are the different ways you can interact with search results in Splunk?

    -You can interact with search results by hovering over and clicking terms to add or remove them from your search, or by using the fields sidebar to add field-value pairs to refine the search.

  • How can you visualize search results in Splunk?

    -You can visualize search results using commands like `stats` or `timechart`, and then select from different visualization styles such as column charts, with further formatting options available in the 'Format' and 'Trellis' menus.

Outlines

00:00

🔍 Introduction to Basic Searches in Splunk

In this section, Alex introduces the Splunk Search & Reporting app, highlighting its key components, including the search bar, time range picker, and various tools to manage searches. Alex demonstrates how to use Splunk's Search Processing Language (SPL) to explore Apache server data from Buttercup Games and troubleshoot 503 errors. The section emphasizes best practices, such as limiting searches by time to optimize performance, and introduces how Splunk's search assistant aids in refining searches.

05:02

🎮 Searching for Dream Crusher Events

This part explains how to search for specific events related to the video game 'Dream Crusher' using the product_name field in Splunk. Alex discusses the importance of using quotes to accurately search for phrases and demonstrates how to interact with highlighted search terms within events. Users can modify searches by adding, removing, or starting new searches from highlighted terms. Additionally, terms can be added from the fields sidebar, making the search process more intuitive and flexible.

Keywords

💡Splunk

Splunk is a software platform used for searching, monitoring, and analyzing machine-generated big data via a web-style interface. In the video, Splunk is used to demonstrate how to perform searches and analyze data within its Search & Reporting app, which is central to the video's theme of data analysis and monitoring.

💡Search Processing Language (SPL)

Search Processing Language (SPL) is Splunk's proprietary language used to query, manipulate, and visualize data stored in Splunk. The video highlights how SPL can be used to search for specific events, such as 503 errors, within a dataset, demonstrating its role in extracting valuable insights from large volumes of data.

💡Search & Reporting app

The Search & Reporting app is a core component of Splunk where users can run searches and generate reports on their data. The video walks through the interface and features of this app, such as the search bar, time range picker, and fields sidebar, emphasizing its importance in analyzing data efficiently.

💡503 error

A 503 error is an HTTP status code indicating that a server is temporarily unable to handle a request. In the video, a search for 503 errors in Apache server data is used as an example to demonstrate how Splunk can identify and analyze such errors, which is a key aspect of monitoring web server health.

💡Field-value pair

A field-value pair is a combination of a specific field and its associated value in a dataset. In the video, the concept is demonstrated by refining a search to only return events with a status field of 503, showing how field-value pairs can be used to narrow down search results for more precise analysis.

💡Boolean operators

Boolean operators like AND, OR, and NOT are used in searches to combine or exclude certain terms, refining the results. The video explains how these operators function within SPL, such as using OR to search for events with either a 500-range status or a 404 status, which helps users craft more complex and targeted queries.

💡Timeline

The timeline in Splunk's interface visualizes when events occurred over a selected time range. The video shows how the timeline updates after running a search, providing a visual representation of the frequency and distribution of events, which aids in identifying patterns or anomalies in the data.

💡Wildcard

A wildcard in SPL is a symbol (usually an asterisk) used to represent any character or set of characters in a search term. In the video, a wildcard is used to search for all HTTP errors starting with '50', demonstrating how wildcards can help users broaden their searches to capture a range of similar events.

💡Comparison operators

Comparison operators such as equal (`=`), not equal (`!=`), greater than (`>`), and less than (`<`) are used in SPL to filter search results based on specific criteria. The video illustrates their usage by showing how to exclude certain status codes or find events with a status greater than 400, enhancing the precision of searches.

💡Visualization

Visualization refers to the graphical representation of data in Splunk, such as charts or graphs. The video demonstrates how to use Splunk's visualization tools to create column charts or timecharts from search results, emphasizing how visualizations can help users better understand and communicate their data insights.

Highlights

Introduction to running basic searches in Splunk's Search & Reporting app.

The app includes a search bar, time range picker, and field extraction sidebar for efficient data analysis.

Searching for a specific HTTP status code, such as 503 errors, by typing 503 in the search bar.

Using the time range picker to limit searches to the last 7 days for more efficient results.

Events returned include various matches for 503, not limited to HTTP status codes.

Refining results by using field-value pairs, like searching specifically for events with status=503.

Wildcards allow for broader searches, such as using 50* to capture all HTTP errors in the 500 range.

Boolean operators like AND, OR, and NOT can refine searches for more precise results.

Comparison operators like >, <, != can filter events based on numerical field values.

Phrases can be searched by wrapping terms in quotes, e.g., 'Dream Crusher' to find specific product data.

Clicking on highlighted text or field values adds them to the search query or starts a new search.

Splunk's Search Processing Language (SPL) enables transforming searches into visualizations and reports.

Appending the 'stats' command can summarize data, for instance, showing total sales by game title.

Using 'timechart' allows visualization of data trends over time, such as sales by day.

Visualization options include column charts and trellis layouts, providing split views of data for detailed analysis.
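The search behaviours summarised in the Q & A and Highlights above (bare keywords versus field-value pairs, the `50*` wildcard, implied AND versus OR and NOT, comparison operators, quoted phrases, and the `stats`/`timechart` step) as an added, runnable model in Python. This is not Splunk's code and not anything shown in the video: it is a constructed toy evaluator over a handful of made-up events. The `action=purchase status=200` search, the product names other than Dream Crusher, and the `count` function used for `stats` are assumptions, since the page does not spell those details out.

```python
"""Toy model of the SPL search syntax described on this page (constructed
example, not Splunk's implementation): field-value pairs, the '*' wildcard,
comparison operators, implied AND, OR/NOT, quoted phrases, stats/timechart."""
import re
import shlex
from collections import Counter, defaultdict
from fnmatch import fnmatchcase

# Constructed sample events in the shape of the Buttercup Games web data: a
# day stamp plus key=value fields. Field names follow the page; values are made up.
EVENTS = [
    {"_time": "2022-08-15", "status": "200", "action": "purchase", "product_name": "Dream Crusher"},
    {"_time": "2022-08-15", "status": "503", "action": "purchase", "product_name": "Dream Crusher"},
    {"_time": "2022-08-16", "status": "404", "action": "view", "product_name": "Mediocre Kingdoms"},
    {"_time": "2022-08-16", "status": "500", "action": "purchase", "product_name": "Manganiello Bros."},
    {"_time": "2022-08-17", "status": "200", "action": "purchase", "product_name": "Dream Crusher"},
    {"_time": "2022-08-17", "status": "200", "action": "purchase", "product_name": "Mediocre Kingdoms"},
    {"_time": "2022-08-18", "status": "200", "action": "view", "file": "/images/503.png"},
    {"_time": "2022-08-18", "status": "400", "action": "view", "product_name": "Dream Crusher"},
]

TERM_RE = re.compile(r"^([A-Za-z_]\w*)(!=|>=|<=|>|<|=)(.*)$")


def _number(s):
    try:
        return float(s)
    except ValueError:
        return None


def _term_matches(term, event):
    """Evaluate one search term against one event."""
    m = TERM_RE.match(term)
    if not m:
        # Bare keyword: matches any indexed word in any field, which is why a
        # plain '503' also hits an area code, a username or a file name.
        words = [w for v in event.values() for w in re.findall(r"\w+", v)]
        return any(fnmatchcase(w.lower(), term.lower()) for w in words)
    field, op, value = m.groups()
    if field not in event:  # field names are case-sensitive; a missing field never matches
        return False
    actual = event[field]
    if op == "=":
        return fnmatchcase(actual.lower(), value.lower())  # '*' wildcard, case-insensitive value
    if op == "!=":
        return not fnmatchcase(actual.lower(), value.lower())
    a, b = _number(actual), _number(value)
    if a is None or b is None:  # non-numeric operands fall back to string order
        a, b = actual, value
    return {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]


def _parse(query):
    """Split a search into OR-groups that are ANDed together. Splunk evaluates
    NOT, then OR, then AND, so 'a b OR c' means a AND (b OR c); a bare space
    between terms is an implied AND. shlex keeps "Dream Crusher" as one token."""
    groups, pending_or, negate = [], False, False
    for tok in shlex.split(query):
        if tok == "AND":
            continue
        if tok == "OR":
            pending_or = True
            continue
        if tok == "NOT":
            negate = True
            continue
        term = (tok, negate)
        negate = False
        if pending_or and groups:
            groups[-1].append(term)
            pending_or = False
        else:
            groups.append([term])
    return groups


def search(query, events=EVENTS):
    """Return the events matching the search part of an SPL query."""
    groups = _parse(query)
    return [e for e in events
            if all(any(_term_matches(t, e) != neg for t, neg in g) for g in groups)]


def run(spl, events=EVENTS):
    """Run 'search | stats count by <field>' or '... | timechart span=1d count by <field>'."""
    parts = [p.strip() for p in spl.split("|")]
    result = search(parts[0], events)
    for stage in parts[1:]:
        m = re.match(r"(stats|timechart)(?:\s+span=1d)?\s+count\s+by\s+(\w+)$", stage, re.I)
        if not m:
            raise ValueError(f"unsupported command in this toy model: {stage}")
        cmd, field = m.group(1).lower(), m.group(2)
        rows = [e for e in result if field in e]  # 'by' drops events lacking the field
        if cmd == "stats":
            result = dict(Counter(e[field] for e in rows))
        else:  # timechart: one bucket per day, split by the 'by' field
            chart = defaultdict(Counter)
            for e in rows:
                chart[e["_time"]][e[field]] += 1
            result = {day: dict(c) for day, c in sorted(chart.items())}
    return result


if __name__ == "__main__":
    for q in ["503", "status=503", "status=50*", "status=50* OR status=404",
              "status=50* status=404", "status>400 status!=404",
              'product_name="Dream Crusher"', "product_name=Dream Crusher"]:
        print(f"{q!r:38} -> {len(search(q))} events")
    print(run("action=purchase status=200 | stats count by product_name"))
    print(run("action=purchase status=200 | timechart span=1d count by product_name"))
```

Running the block reproduces the effects the video describes: the bare `503` matches both the status code and the `/images/503.png` file name, `status=50* status=404` returns nothing because the implied AND asks for both codes at once, and `product_name=Dream Crusher` without quotes returns nothing because it is parsed as `product_name=Dream AND Crusher`.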

Transcripts

00:09 Hello! I'm Alex with Splunk Education.
00:12 Let's take a look at how to run basic searches
00:16 in Splunk's Search & Reporting app.
00:19 On the sidebar of the Splunk home page,
00:23 we select "Search & Reporting".
00:26 The app includes a search bar for entering our searches,
00:29 a time range picker for the search,
00:32 a menu to view and re-run past searches,
00:35 links to the search documentation and tutorial,
00:39 information on the data Splunk has indexed,
00:42 and an option to create Table Views,
00:44 which allow you to explore your data in a point-and-click interface.
00:49 In this demo, we'll be using Splunk's Search Processing Language
00:54 to explore Apache server data
00:56 from a fictional gaming company, Buttercup Games.
01:00 We want to see if 503 errors are occurring
01:04 on our Web servers, so we type 503 in the search bar.
01:09 As we type, the Splunk search assistant displays contextual matches,
01:14 keyword completion, and syntax documentation for the search.
01:20 We only want to see when an error happened
01:22 over the last seven days.
01:24 So we select "Last 7 days" in the time range picker.
01:30 Limiting search by time is key to getting more efficient results
01:34 and is a best practice to use for every search.
01:39 Once the time range is selected,
01:41 we click the search icon to send the search to Splunk.
01:45 The interface updates to show events that include the text "503",
01:49 a sidebar of fields that were extracted from the events,
01:53 and a timeline of when the events happened.
01:58 Since we searched for any event with the text "503",
02:03 events could include an HTTP status code,
02:06 an area code, a username,
02:09 even the name of a file in our data.
02:13 To limit the results to only see returned events
02:16 containing an HTTP status of 503,
02:20 we can search for a field-value pair.
02:24 In the fields sidebar, we see a field called status.
02:29 Clicking on the field name, we have links to quick reports,
02:33 values returned, and statistics for those values.
02:40 We change our search to use a field-value pair
02:43 by adding the case-sensitive field name to the value we want to find.
02:49 Now, only events with a status of 503 are returned.
02:57 To see all errors in the 500 range, we can use a wildcard.
03:01 Changing the last character to an asterisk will return any
03:05 HTTP error that begins in "50".
03:14 We can add additional terms to our search by
03:16 using the upper case Booleans AND, OR, and NOT.
03:23 To return results containing events with a status in the 500 range
03:30 or a 404 status, we add "OR status=404" in our search.
03:43 This search bar includes syntax highlighting.
03:46 Here you can see the Boolean operator is colored orange,
03:50 making it easier to see what has been happening in our search.
03:54 If no Boolean is used between search terms, "AND" is implied.
04:01 The search returns no events, because Splunk is looking
04:04 for events with a status in the 500s and a 404 status.
04:10 We can also use the comparison operators of equal,
04:15 not equal, less than, less than or equal to,
04:20 greater than, or greater than or equal to in our search.
04:26 To see any events with a status greater than 400,
04:30 we add a "greater than" operator (>).
04:39 To exclude any events containing a status of 400 from our events,
04:46 we use the "not equal to" operator (!=).
05:01 To search for phrases, we can wrap the search terms in quotes.
05:07 To see all events related to our video game Dream Crusher,
05:11 we search the product_name field for the phrase "Dream Crusher".
05:20 If we remove the quotes,
05:24 no events will be returned.
05:27 This is because Splunk is searching for events
05:30 that contain both the product_name value
05:32 of "Dream" and the text "Crusher".
05:42 We can also modify our search by interacting with events.
05:46 As we roll over text in an event, terms are highlighted.
05:51 Clicking on a search term allows us to add it to the search,
05:55 remove it from the search,
05:57 or create a new search.
05:59 Clicking "Add to search" updates our search
06:02 to return only events that contain the selected term.
06:07 We can also add terms from the fields sidebar
06:11 by clicking the field name
06:12 and selecting the value we want to add to the search.
06:20 We can open a whole new world of monitoring and analyzing
06:24 by adding commands to our searches.
06:28 This search returns all successful purchases
06:30 from our web store over the last seven days.
06:39 Appending a stats command with the same function
06:44 and splitting our results by product name,
06:49 Splunk returns a table of our total sales by game title.
06:54 This transforming search also allows us
06:56 to visualize the data in a column chart.
07:03 Or, we can use a timechart command
07:05 to see how our products have been selling by day.
07:14 Clicking on "Column Chart" opens the visualization menu,
07:18 where we can select a different visualization style.
07:22 The Format menu provides additional visual formatting options,
07:28 while the Trellis layout allows us
07:30 to split our visualization by a selected field,
07:34 creating multiple visualizations while running only one search.
07:40 We have just scratched the surface of Splunk's Search Processing Language.
07:46 We suggest you check out the documentation,
07:48 watch additional videos on the Splunk How-To channel,
07:51 and register for courses from Splunk Education.
07:55 Thanks for watching!

Related tags: Splunk Tutorial, Search Techniques, Apache Logs, SPL Basics, Error Analysis, Data Visualization, Search Efficiency, Log Monitoring, Web Server Issues, Splunk Education