This article will discuss the Splunk Search App and Splunk query language (SPL).
1. Using the Search App
Open the Search App
From Splunk Home, click Search & Reporting in the Apps panel. This opens the Search Summary view in the Search & Reporting app.
Search Summary view
Before running any searches, note the common elements of the Search Summary view (Figure 1 below); they are present in every view of the app.
Figure 1. Search App Summary View
Element No. | Element | Description | Additional Info |
---|---|---|---|
1 | Applications menu | Switch between the Splunk applications you have installed. The current application (Search & Reporting) is listed. This menu is on the Splunk bar. | To return to the search home from any view that shows the Splunk bar, open the App menu (labelled “App: Search & Reporting”) and choose “Search & Reporting”. |
2 | Apps bar | Navigate between the views of the application you are in. For the Search & Reporting app the views are: Search, Datasets, Reports, Alerts, and Dashboards. | |
3 | Search bar | Specify your search criteria. | |
4 | Time range picker | Specify the time period for the search, such as the last 30 minutes or the last 24 hours. | |
2. Before Running a Search
Before running a search, there are a few key concepts to understand about the Splunk search language.
Indexes
As covered on the Getting Started with Splunk page, the Splunk indexers have already indexed the data and made it searchable by index name.
Fields
As data is indexed, a small set of default fields (host, source, sourcetype and _time) is extracted at index time; most other fields are extracted at search time, and both kinds are available in searches.
Time-Series Events (streaming)
Splunk processes incoming data as time-series events (metrics are a future topic) and makes those events available in a streaming fashion.
Querying a stream of events is very different from querying a classic SQL or NoSQL data store. Terms such as WHERE, BY and sort appear in both, but SPL fetches events as a stream and transforms them in multiple passes as they flow through the search pipeline, rather than operating on a table at rest.
Types of Search Commands
Search commands are either streaming or non-streaming. Streaming commands operate on events as they are returned by the search. Non-streaming commands (for example the dataset processing command sort) need the entire result set before they can run.
Note: a search may order and filter events by the timestamp recorded in the event itself (_time) or by the time the event was written to the index (_indextime). The two differ whenever data arrives late, so watch for this as you explore search commands.
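As an added example (not from the original article) of the _time versus _indextime distinction, the search below assumes a constructed index named main holding events of sourcetype linux_secure; it measures how long each event took to reach the index and flags hosts whose logs are arriving late. Because the time range picker filters on _time, run it with a wide time range (for instance Last 24 hours) while _index_earliest restricts it to events that were indexed in the last 15 minutes.

```spl
index=main sourcetype=linux_secure _index_earliest=-15m
| eval ingest_lag_s = _indextime - _time
| stats count AS events, max(ingest_lag_s) AS max_lag_s, avg(ingest_lag_s) AS avg_lag_s BY host
| where max_lag_s > 300
| sort - max_lag_s
```

The practical consequence for detection: a scheduled search over "last 5 minutes" of _time silently misses an event whose _time is 5 minutes old but which was only indexed 10 minutes after it happened. Scheduling over a wider _time window and constraining on _index_earliest is the usual way to catch late arrivals without reprocessing the whole window.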
Command Types
Streaming commands are preferred because they are more resource efficient and perform better. A non-streaming command, which needs the entire dataset, has to pause until that dataset has been collected, hold it in memory, and then operate on the larger set. The first two types below are streaming; the last two are not.
Distributable streaming: the order of events does not matter, so the command can run on the indexers in parallel (e.g., rex, Splunk’s regex extraction command, and eval).
Centralized streaming: the order of events matters, so the command runs on the search head and transforms events in order (e.g., head).
Transforming: orders results into a data table, typically statistical, and needs all events before it can produce output (e.g., stats, chart).
Generating: fetches events from the indexes without any transformation and starts the search data stream; a generating command may be event-generating or report-generating.
Structure of a Search
The structure of a search is illustrated below in Figure 2.
Figure 2. Structure of a search
The first command must be a generating command; the generating commands used in this primer are search, tstats and makeresults. When a search string begins with search terms such as an index name, the leading search command is implied.
The results of one command are passed to the next with the | (pipe) symbol, streaming the output of one command into the next. There can be zero or more (0…N) data processing commands between the generating command and the final segment.
The last segment formats the results for display, in a table or as a visualization.
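The following search is an added example (not from the original article) that exercises every command type from the Command Types list in the order Figure 2 describes: an implied generating command, streaming commands, a transforming command, a dataset processing command and a display segment. It assumes a constructed index named main holding OpenSSH logs of sourcetype linux_secure with lines such as "Jan 12 10:15:02 bastion sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2" (constructed sample; 203.0.113.0/24 is a documentation range). It summarizes failed SSH logins per source address, which is a common first pass at spotting brute-force or credential-stuffing activity.

```spl
index=main sourcetype=linux_secure "Failed password"
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eval is_invalid_user=if(like(_raw, "%invalid user%"), 1, 0)
| stats count AS failures, sum(is_invalid_user) AS invalid_user_failures, dc(user) AS distinct_users, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| where failures >= 20
| sort - failures
| head 10
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table src_ip failures invalid_user_failures distinct_users first_seen last_seen
```

Reading the pipeline against the command types: the first line has no explicit command, so search (generating) is implied and it starts the stream from the index. rex and the first eval are distributable streaming and can run on each indexer independently, since no event depends on another. stats is transforming: it must see every matching event before it can emit one row per src_ip, and from that point the pipeline carries rows, not events. where is distributable streaming again, sort is dataset processing (it needs the whole result set), and head is centralized streaming because it depends on the order sort produced. The final eval and table make up the display segment. The threshold of 20 failures is an assumed value for illustration; tune it to the environment.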
3. Search Screen Overview
The following is a discussion of the search results screen.
Figure 3.
To be continued …