Splunk Search Interface

Anvesh · Published in SilentTech · 3 min read · Aug 6, 2023

Splunk has its own query language, called Search Processing Language (SPL).

The Search interface has a search bar where we write our queries; the results are displayed below it.

The Splunk user interface provides 3 search modes:
Fast - prioritizes speed over completeness and disables field discovery.
Smart - the default; balances speed and completeness.
Verbose - prioritizes completeness over speed and returns all extracted fields.

In Fast mode, the search only returns the default fields (host, source, sourcetype, _time) unless a specific field is searched on.
If you know which fields your search needs and you want it to run as quickly as possible, Fast mode will work for you.

Smart mode is the default search mode in Splunk, and for most Splunk users it will be the only search mode they need.

Verbose mode is the slowest of the 3 Splunk search modes, as it discovers and extracts all of the available fields even when a transforming search is run.

A Splunk search job stays active for 10 minutes; a shared search stays active for 7 days, and everyone it is shared with can view the same results.

The Events tab displays the events returned for your search and the fields that were extracted from them. Events are in reverse chronological order, showing the newest events first.

The Patterns tab lets you see patterns in your data, to better understand what is happening in it.

The Statistics tab helps you view statistics for the search.

The Visualization tab has links for instant pivot, quick reports, and search command documentation.

The green bars in the above image show the Timeline. The Timeline is a visual representation of events segmented over time. You can pick a specific time range in the timeline to investigate, which updates the event list. You can also use the zoom link to zoom in and out of a selection.

Event sampling:
Event sampling uses a sample ratio value that reduces the number of results.
By default, a Splunk search retrieves all events. However, in some situations you might want to retrieve a sample set of events instead of the entire event set.
For example, if the sample ratio value is 100, each event has a 1 in 100 chance of being included in the result set.
If a search matches 1,000,000 events when sampling is not used, using a sample ratio value of 100 would return approximately 10,000 events.
If a typical search result returns 1,000 events, a 1:10 event sampling ratio will return about 100 events.
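As an added example (not from the post and not Splunk's own code), the Python below simulates the 1-in-N sampling described above over constructed login events. It also shows a caveat for detection work: a handful of rare events will usually be absent from a sampled result set, so sampling suits exploratory searches, not searches that must catch every suspicious event.

```python
"""Simulate Splunk-style event sampling: each event is kept with a 1-in-N chance.

The data is constructed for this example, not Splunk output: 100,000 synthetic
auth events, five of which carry a failed-login marker.
"""
import random
from typing import Dict, List


def make_events(total: int, suspicious: int, seed: int = 1) -> List[Dict]:
    """Build `total` constructed auth events; `suspicious` of them are marked
    as failures at seeded (so reproducible) positions."""
    rng = random.Random(seed)
    events = [{"id": i, "action": "success"} for i in range(total)]
    for idx in rng.sample(range(total), suspicious):
        events[idx]["action"] = "failure"
    return events


def sample_events(events: List[Dict], ratio: int, seed: int = 7) -> List[Dict]:
    """Keep each event with probability 1/ratio, mirroring a sample ratio of
    `ratio` in the search interface (a ratio of 1 means no sampling)."""
    if ratio < 1:
        raise ValueError("sample ratio must be >= 1")
    if ratio == 1:
        return list(events)
    rng = random.Random(seed)
    return [e for e in events if rng.randrange(ratio) == 0]


def count_action(events: List[Dict], action: str) -> int:
    """Number of events whose action field equals `action`."""
    return sum(1 for e in events if e["action"] == action)


def expected_sample_size(matching: int, ratio: int) -> int:
    """The approximate size the interface implies: matching events / ratio."""
    return matching // ratio


if __name__ == "__main__":
    full = make_events(100_000, suspicious=5)
    sampled = sample_events(full, ratio=100)
    print(len(full), "events ->", len(sampled), "sampled;",
          "expected about", expected_sample_size(len(full), 100))
    # The five failures each had only a 1-in-100 chance of surviving sampling.
    print("failures in full set:", count_action(full, "failure"))
    print("failures in sample  :", count_action(sampled, "failure"))
```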

Inspect Job:

We can verify how long the search took to return a given number of results and, if needed, check each step of the search optimization along with the cost associated with it.

Clicking Inspect Job shows these details in a pop-up window, as below.

Other Articles on Splunk:
Splunk Intro, Data Ingestion
Install Splunk and Upload Data to Splunk

Hope you find this article interesting. For short bits around the technology, follow me on LinkedIn at www.linkedin.com/in/anveshsalla
