SSplunk Basic Searches

In this section, we are going to learn about the Basic Searches in the Splunk. We
will also learn about the matching string, matches searches, how to retrieve events
form the index, understanding search result, timeline of the event and pattern
visualization and statistics.

We build searches in this section that retrieve events from the index.

The data for this tutorial is taken from titaniac.csv file, which we have uploaded
earlier while the data ingestion. The file contains the information of the peoples
who were present on the titanic.

Matching Searches
The Search manager also returns matching searches, which are based on your recent
searches. The list of matching searches is useful if you want to run the same
search from yesterday or from a week ago. When you log out, your search history
will be retained.

After you start learning the search language, the search assistant becomes more
useful. The search wizard shows command information when you type search commands.

Retrieve events from the index

Let's seek to figure out how many events are there in our titanic.csv file.

You type the keywords in your search field to retrieve events that list errors or
failures. If you're using several keywords, you need to define Boolean operators
like AND, OR, and NOT.

The AND logical operator is implied when you type in multiple keywords.

For example, typing class is the same as typing titanic AND class.

I am setting the time zone for effective searching.

Start a new search.
Change the Time range to All times, which is by default 24 Hours.
To search for the terms like error, fail, failure, failed, or severe, in the
events.
Click the Search icon present at the right of the time range picker to run the
search.
For better understanding, take a look at the image below.

Splunk Basic Searches

Remember that Boolean operators must be capitalized on. The symbol asterisk (*) is
used as a wildcard symbol to match loss, loss, failure, failure, etc.

Words within parentheses are given priority when evaluating Boolean expressions.
NOT clauses shall be determined before the OR clauses. The lowest precedence is
given to clauses AND.

Understanding search results

There are four tabs below the Search bar: Activities, Patterns, Statistics, and
Visualization.
The type of search commands you are using decides what tab appears on the search
results. You'll deal with the Events tab in the early portions of this tutorial.
You'll later hear about the other tabs in this tutorial.
The tab Events displays the timeline of the events, the options list, the sidebar
Fields.
The events appear by default as a list that is ordered, starting with the most
recent event. The corresponding search words shall be highlighted in every case.
The choice List show displays the details in three columns about the case.
Change the display of the Events viewer.
Select the Listoption and click on the Table. The change in the display is done to
show the event information column, the timestamp, and columns for each of the
Selected fields.
Change the display back to the list.
Timeline of events
The Event Timeline is a visual representation of the number of events occurring at
each point in time. There are clusters of bar patterns, as the timeline changes
with the search results. The height of each bar shows the number of occurrences.
Timeline peaks or valleys can signify activity spikes or server downtime. The
timeline shows incident trends or peaks and lows of event activity. The choices for
the timetable are above the timeline. You can zoom in, zoom out, and adjust the
timeline chart's size.

Fields sidebar
When adding data to the Splunk platform, it indexes the data. Information is
extracted from the data as part of the indexing process, and structured as name and
value pairs, called fields. When you run a search, next to your search results, the
fields will be marked and described in the sidebar Fields. Fields are broken down
into two groups.
Selected fields are visible in the event results. By default, host, source, and
source type appear. You can choose other fields to show in your events in your
results.
Interesting fields are the fields that have been extracted from the events.
You can hide the field's sidebar to maximize the results area.

Patterns, Visualizations, and Statistics

The Patterns tab represents a list of the most common patterns in the collection of
events that your search returns. Each of these patterns represents incidents having
a common structure.

When you run a quest, the Statistics tab populates with transforming commands such
as stats, top, map, etc.

The Visualization tab also fills in searches with transforming commands. The
Visualizations tab results region contains a diagram and the statistics table used
to create the diagram.

You'll learn how to convert commands, and use the tabs Statistics and
Visualizations, later in the tutorial.

How to search in Splunk

Splunk has a new and fast searching functionality. It helps us to search the whole
data set that is ingested in Splunk. We can use this feature just by clicking on
the Search & Reporting option present on the left side of your Splunk platform.
Click on it.

Splunk Basic Searches

After you click on this option, a new page will appear on the screen stating New
Search on the top of the window.

Here we are given a search bar on the top where we can search anything we want from
our uploaded database.

We will write the index and the name, as shown in the image below, that we provided
in our index name while we uploaded the data in the Data Ingestion tutorial. We can
press the enter button from our keyboard, or we can also click on the search icon
that is present on the right end of the search bar.
Note

Make sure you set the time zone of the search to the All-Time as we have discussed
at the starting of this tutorial under the heading Setting the time zone for
effective searching.
It is a very important step to set the time of searching as the default feature of
Splunk is that provides timestamp to every data that comes in and goes out of the
Splunk.
Many times, it happens that we search our data in the wrong time zone due to which
we are not able to get the effective result from our Splunk platform. In this time
zone, we have several options with the help of which we can effectively set out the
time zone. We can set it in the Real-Time, Relative Time or All time.
We can also set the date in our time zone option between which we want our data to
be effectively searched.
As we click on the Search button after setting up the right time zone, we will get
the result. The result will consist of all the data that is associated with the
index named as titanic, as we can see on our screen.

Splunk Basic Searches

Combining Searching Terms
We can also search on our search bar by combining the different search perimeter's
in it. But we have to make sure that the searching term must be in the same format
as it is in the file or the Fields because Splunk searching is case sensitive.

Sometimes writing the string may not return the value, so we must take care that
for combining the different search perimeter, we must write the search string under
the double-quotes.

Splunk Basic Searches

Using the wildcard
We can also use the wild card for effective searching in our data set. We can also
combine our wild card with other logical operators like AND, OR. In the search
below, we are searching for all the hometowns in our data set that starts with
letter P in the data set. After pressing the enter button, we get the following
result of all the events on our screen. This is a list of all the peoples that are
having their hometown name starting with the letter P.

Splunk Basic Searches

Refinement of Search Result
We can also refine our search results to get the optimum output from our data. We
can further improve it also by just adding a string to our search space. We just
need to write the string into our search bar and click on the search button to
search it.

In the example below, we just want to search for the word Line in our dataset, so
we just wrote Line in our search bar. Then the events returned contain the string
that we searched for. For reference, you can have a look at the image below.