In the previous post we have talked on Splunk – the powerful tool for searching and exploring the unstructured data. We have also discussed how we can get Splunk up and running in our PC in no time. Today, let’s explore Splunk’s powerful search capability with few examples.
The first step is to add some data. Loading files into Splunk is easy enough:
- Click Add Data from the Welcome screen. (See the Add Data panel in the right hand side in the following diagram)
- To add a file, click From files and directories on the lower half of the screen that will pop up.
- Click the radio button next to Upload and Index a file.
- Then click Save.
That’s it. You have added your file into Splunk. For more details and to get the sample files go here.
Note that I’ve used the sample files available in the Splunk website to show the examples in this blog – you can use the same to explore the features or get your own.
What Splunk does when you add data?
In Splunk’s terminology, the data we add is called raw data. After getting the raw data, Splunk first indexes them. The indexing is done on at least four default fields – source, source type (what kind of data), host and timestamp. After indexing, Splunk divides the data into individual events and orders it based on timestamp. The events are arranged, searched and returned as result set to the users.
Before we submit our first command there are two important panels to look at:
- The search bar at the top. We will put our search commands here.
- The time range picker to the right of the search bar. This permits us to adjust the time range. You can see events from all time, last 15 minutes, or last 1 day and so on. For real-time streaming data, you can select an interval to view.
Okay, now let’s enter a search text in the search bar and then click the search option. I’ve used a simple search criteria where I like see all files with the text : “error”.
Note that the page switches to the search dashboard showing a screen with results and many useful details as shown below.
Now, let’s make the search little more restricted as I want to see all “errors” only for the host “ww1”. We can use the following command that adds a AND condition.
error AND host=www1
So far so good. Now let’s make it more interesting. Try this:
error AND host=”www1″ | top uri
Here the command summarizes the events by returning the most frequently occurring URIs from the host “ww1” having the text “error” in it. See the summarized result showing the count and the percentage as well for the top URIs.
Now if you click on the Visualization tab under the search bar, you will see the graphical representation of the summarized result.
Few important things to note:
- Spunk commands are not case-sensitive but field names are.
- We need quotation mark around phrases or field values containing white spaces, commas, pipes and any other breaking characters.
- Use pipe to pass results of one operation as an input to the next one.
That’s it for today. Explore the powerful search commands and visualize your data. Happy Splunking!
References / Further Read