Lesson 200.2 Basic Searching
Learning Objectives
At the end of this lesson, learners will be able to:
● Describe adding data to Splunk.
● Run basic searches.
● Set the time range of a search.
● Identify the contents of search results.
● Refine searches.
● Use the timeline.
● Use time modifiers.
● Control a search job.
● Save search results.
Introduction
This lesson will introduce you to basic search concepts with Splunk. After a
brief introduction on how data enters Splunk, we will focus on understanding
and using the search interface, working with the time picker, identifying the
contents of the search results, and using various tools to refine and control
Splunk searches.

We strongly recommend following along using your own Splunk instance or a
connection to an existing one.

Happy Splunking!
2.0 Adding Data to Splunk
Splunk supports a wide range of data types, including logs, metrics, and
events, and can handle both structured and unstructured data.

The responsibility of adding data to Splunk typically falls on the IT or
DevOps teams within an organization who have permission to upload data to
Splunk. They are responsible for configuring the data inputs, such as
forwarders, log files, network devices, or databases, for automatically
sending data to Splunk for indexing and analysis.

Splunk end-users do not usually add data to Splunk, although exceptions may
happen.

image: Freepik.com
2.0 Adding Data to Splunk (continued)
Adding data to Splunk involves sending the data to be indexed by Splunk.
There are several methods available for adding data to Splunk, including using the Splunk
Web interface, the Splunk command-line interface, or by configuring data inputs to
automatically collect data from various sources.

image: Screenshot of Splunk Web interface launcher window with the Add Data
button highlighted.
2.0 Adding Data to Splunk (continued)
image: Screenshot of Splunk Web
interface add data window displaying
the various options to add data to
splunk.
2.0 Adding Data to Splunk - Indexing
In Splunk, an index is a repository that stores the machine-generated data that is ingested
by Splunk.
When data is added to Splunk, it is first indexed. This involves breaking it into individual
events, parsing out relevant fields, and assigning time stamps and other metadata.
The indexed data is then stored in the appropriate index, where it can be easily searched,
analyzed, and visualized.
Splunk provides several default indexes, such as main, _internal, and _audit, but users can
also create their own custom indexes to organize data in a way that makes sense for their
particular use case.
Indexes can be configured with specific retention policies, such as how long data should
be stored before being rolled over or deleted, and how often data should be summarized or
aggregated to improve search performance.
2.0 Adding Data to Splunk - sourcetype
In Splunk, sourcetype is a metadata field that identifies the data source and format of
an event.
It is a key piece of information that is used by Splunk to parse and extract fields from the
raw data and apply appropriate data models, tags, and other settings to it.
When data is ingested into Splunk, it is assigned a sourcetype based on its source and
format, such as access_combined for Apache logs, syslog for system logs, or JSON for
structured data.
Splunk provides a large number of preconfigured sourcetypes for common data sources,
but users can also create their own custom sourcetypes if needed.
Sourcetypes play a crucial role in enabling users to search, analyze, and visualize their
data effectively in Splunk.
By accurately identifying and tagging the data source and format, users can quickly
find and extract meaningful insights from their data.
2.0 Adding Data to Splunk - tour
image: Screenshot of a Splunk example
of adding data
2.0 Adding Data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding Data to Splunk - tour (continued)
image: Screenshot of a Splunk example
of adding data
2.0 Adding Data to Splunk - Summary
Adding data to Splunk involves directing the data to an index, which is a storage location
for the data.
The index is identified by a unique name and is used to quickly locate the data when it is
searched.
When data is added to an index, it needs to be identified by a sourcetype, which specifies
the format of the data and the type of processing that is required.
The sourcetype helps Splunk to correctly parse the data and apply field extractions to it,
making it easier to search and analyze.
By properly indexing and identifying the sourcetype of the data, Splunk can help to provide
valuable insights and intelligence from the data.
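The indexing and sourcetype slides above describe what happens to a line when it is ingested: it becomes an event carrying index, host, source and sourcetype metadata, a parsed timestamp, and extracted fields. The Python below is an added illustration of that pipeline written for this page, not Splunk's code or configuration: the SOURCETYPES rules, the sample lines, the assumed year for syslog timestamps and the field names are all constructed for the example. It also shows the sourcetype slide's point in practice: the same line ingested under the wrong sourcetype keeps its raw text but loses its timestamp and fields.

```python
import re
from datetime import datetime

# Per-sourcetype parsing rules, constructed for this example. Real Splunk keeps the
# equivalent settings in props.conf/transforms.conf and ships many sourcetypes preconfigured.
SOURCETYPES = {
    "syslog": {
        # timestamp: "Apr 19 10:03:40" (no year in the data)
        "time": (re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"), "%b %d %H:%M:%S"),
        # "Apr 19 10:03:40 database sshd[99]: ..." -> reporting_host, process, pid
        "fields": re.compile(
            r"^\S+ +\d+ \S+ (?P<reporting_host>\S+) (?P<process>[\w./-]+)(?:\[(?P<pid>\d+)\])?:"),
    },
    "access_combined": {
        # timestamp: "[19/Apr/2023:10:02:11 +0000]"
        "time": (re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})"), "%d/%b/%Y:%H:%M:%S"),
        # Apache combined log line -> clientip, method, uri_path, status, bytes
        "fields": re.compile(
            r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\w+) (?P<uri_path>\S+)[^"]*"'
            r" (?P<status>\d{3}) (?P<bytes>\d+)"),
    },
}

# Generic key=value extraction, applied to every event regardless of sourcetype
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Syslog timestamps carry no year; a fixed year is assumed here (Splunk assumes the current year)
ASSUMED_YEAR = 2023


def index_line(raw, index, sourcetype, host, source):
    """Turn one raw line into an event dict: metadata, a timestamp (_time) and extracted fields."""
    event = {"index": index, "sourcetype": sourcetype, "host": host, "source": source,
             "_raw": raw, "_time": None}
    rules = SOURCETYPES.get(sourcetype)
    if rules is None:
        return event                      # unknown sourcetype: stored, but only searchable by keyword
    pattern, fmt = rules["time"]
    m = pattern.search(raw)
    if m:
        t = datetime.strptime(m.group(1), fmt)
        if "%Y" not in fmt:
            t = t.replace(year=ASSUMED_YEAR)
        event["_time"] = t
    m = rules["fields"].match(raw)
    if m:
        event.update({k: v for k, v in m.groupdict().items() if v is not None})
    for key, value in KV_PAIR.findall(raw):
        event.setdefault(key, value.strip('"'))   # sourcetype-specific fields take precedence
    return event


def index_lines(lines, **metadata):
    """Index several lines that share the same index/sourcetype/host/source metadata."""
    return [index_line(line, **metadata) for line in lines]


if __name__ == "__main__":
    # Constructed sample lines
    for ev in index_lines(["Apr 19 10:03:40 database sshd[99]: warning: failed password for user=root"],
                          index="security", sourcetype="syslog", host="database", source="/var/log/syslog"):
        print(ev)
    access = '10.0.0.5 - - [19/Apr/2023:10:02:11 +0000] "GET /cart?id=7 HTTP/1.1" 200 512'
    print(index_line(access, "web", "access_combined", "webserver", "/var/log/httpd/access_log"))
    print(index_line(access, "web", "syslog", "webserver", "/var/log/httpd/access_log"))  # wrong sourcetype
```

The last call is the case worth remembering from this section: an Apache line ingested as syslog still lands in the index with its raw text, but _time stays empty and clientip, method and status are never extracted, so searches that filter on those fields will silently miss it.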
2.1 Run Basic Searches
Searching in Splunk involves using the search bar in the Splunk web interface to query
the indexed data.
The search language used in Splunk is based on SPL (Splunk Processing Language).
Users can search for specific keywords, phrases, or patterns within the indexed data,
and filter results based on various criteria such as time range, index, sourcetype, and
more.
The search results are presented in a tabular format, and users can also create
visualizations such as charts and graphs to better analyze the data.
Splunk's search functionality includes a range of operators and functions that allow
users to manipulate and analyze the data, and the search results can also be saved as
reports or alerts for future reference.
2.1 Run Basic Searches (continued)
Access the Search & Reporting app by selecting the app from the App bar.

image: Screenshot Splunk launcher page with highlighted Search & Reporting
app link.
2.1 Run Basic Searches (continued)
Instructor Demo - Interface Layout:

1. Apps bar - Switch between different views in the Search & Reporting app,
   including Search, Analytics, Datasets, Reports, Alerts, and Dashboards.
2. Search bar - Enter search queries.
3. Time range picker - Set the time period for the search.
4. Search mode menu - Choose between Smart (default), Fast, and Verbose.
5. How to Search - Documents and tutorials to help searching.
6. Table Views - GUI to search and analyze data.

image: screenshot, splunk Search & Reporting app
2.1 Run Basic Searches - key-value pairs
In Splunk, key-value pairs are used to represent the structured data in the events being
indexed.
Within each pair, the key and the value are separated by an equal sign (=), and
one pair is separated from the next by a space or a comma.
For example, in a log event, the key could be "source" and the value could be
"/var/log/syslog," which would be represented as "source=/var/log/syslog" in
Splunk.
The key is case-sensitive when it comes to key-value pairs, which means that if a key is
defined with a specific capitalization, it must be matched exactly in the data for Splunk
to extract the associated value.
As such, source=/var/log/syslog and Source=/var/log/syslog would be treated as two
separate keys and return different search results.
2.1 Run Basic Searches - key-value pairs
The value is not case-sensitive.
Therefore, source=/var/log/syslog and
source=/VaR/lOg/sYslog would be
treated as the same value and return
similar search results.
Note that you can also search for values
that are not part of a key-pair.
Searching for specific key-value pairs
in the search bar is more efficient, and
lets users quickly filter and find relevant
events.
image: screenshot, splunk Search & Reporting app
2.1 Run Basic Searches - key-value pairs
Certification Question example:
What syntax is used to link key/value
pairs in search strings?
A. action+purchase
B. action=purchase
C. action | purchase
D. action equal purchase

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - wildcards
● In Splunk the asterisk (*) character is the wildcard used to match an unlimited
number of characters in a string.
● Use wildcards to match a range of field values.

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - search operators
Splunk search operators, such as AND, OR, and NOT, can be used to combine key-value
pairs in search queries to refine the search results.
The AND operator is used to search for results that match both conditions or key-value
pairs.
For example, if we want to search for events that contain both "error" and "webserver,"
we can use the AND operator as follows:

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - search operators (continued)

The OR operator is used to search for results that match at least one of the conditions or
key-value pairs.
For example, if we want to search for events that contain either "error" or "warning," we
can use the OR operator as follows:

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - search operators (continued)

The NOT operator is used to exclude results that match a certain condition or key-value
pair.
For example, if we want to search for events that contain "error" but not "database," we
can use the NOT operator as follows:

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - search operators (continued)
Certification Question example:
Which search matches the events containing the terms "error" and "webserver"?
A. index=security Error Webserver
B. index=security error OR webserver
C. index=security “error web server”
D. index=security NOT error NOT webserver

If no operator is mentioned between the search items, Splunk will operate by
default as if there was an AND operator present.

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - the Search Assistant
● The Search Assistant in Splunk is a feature that provides suggestions for search
terms and syntax as you type in the search bar.

● It uses machine learning algorithms to analyze the data in real time and suggests
potential search terms, field names, and command options.

● It is a useful tool for beginners who may not be familiar with the search language or
for more experienced users who want to speed up their searches and discover new
fields and commands.

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - Search History
● Search history in Splunk is a feature that allows users to view and access
their previously executed searches.

● Each time a user performs a search in Splunk, the search query is added to
their search history. This can be useful for quickly referencing and
re-executing previous searches, as well as tracking the progress of a
long-running search.

● The search history is accessed by clicking on the Search history button
located under the Search Bar.

image: screenshot, splunk Search & Reporting app
2.1 Run Basic Searches - How to Search
● The How to Search section on the Search & Reporting app provides additional
resources such as Documentation and a Tutorial to help users.

● With the Data Summary feature, you can determine data sources, source types,
and the hosts that generated the data.

● This is the most comprehensive way of learning what data is present in a
Splunk deployment.

image: screenshot, splunk Search & Reporting app


2.1 Run Basic Searches - Summary
● In Splunk, key-value pairs are used to represent the structured data in the events
being indexed.
● The key is case sensitive; the value is not.
● Splunk search operators, such as AND, OR, and NOT, can be used to combine
key-value pairs in search queries to refine the search results.
● In Splunk the asterisk (*) character is the wildcard used to match an unlimited
number of characters in a string.
● When using wildcards, follow the wildcard usage best practices.
● Quotation marks are required when the field values include spaces.
● Splunk provides search helping tools such as the Search Assistant and Search
History.
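To make the rules in this summary concrete (case-sensitive keys, case-insensitive values, the * wildcard, implicit AND, OR, NOT and quoted phrases), here is a small search evaluator in Python written for this page. It is an added example, not Splunk's search engine: the EVENTS list, the simplified token breakers and the function names are constructed. One detail the slides do not state but Splunk documents, and which the evaluator reproduces, is operator precedence: NOT binds tightest and OR is evaluated before AND, so index=security error OR warning means index=security AND (error OR warning).

```python
import re

# Constructed sample events (not from the page). "_raw" is the event text; the other keys are fields.
EVENTS = [
    {"index": "security", "source": "/var/log/syslog", "host": "webserver", "action": "purchase",
     "_raw": "Apr 19 10:01:02 webserver app[1234]: ERROR purchase failed for user alice"},
    {"index": "security", "source": "/var/log/httpd/access_log", "host": "webserver", "action": "view",
     "_raw": '10.0.0.5 - - [19/Apr/2023:10:02:11 +0000] "GET /cart HTTP/1.1" 200 512'},
    {"index": "security", "source": "/var/log/syslog", "host": "database", "action": "login",
     "_raw": "Apr 19 10:03:40 database sshd[99]: warning: failed password for root"},
    {"index": "main", "source": "/VAR/LOG/SYSLOG", "host": "webserver", "action": "purchase",
     "_raw": "Apr 19 10:04:00 webserver app[1234]: error database connection refused"},
]

TOKEN = re.compile(r'"[^"]*"|\S+')          # a quoted phrase or a bare token of the query
BREAKERS = re.compile(r'[\s:,"\[\]()]+')     # simplified breakers that split raw text into keywords


def wildcard_regex(value):
    """Splunk treats only * as a wildcard; everything else in the value is literal."""
    return re.compile(".*".join(re.escape(part) for part in value.split("*")), re.IGNORECASE)


def term_matches(term, event):
    """Evaluate a single search term against one event."""
    if len(term) >= 2 and term[0] == term[-1] == '"':
        return term[1:-1].lower() in event["_raw"].lower()    # phrase: ordered words, case-insensitive
    if "=" in term:
        key, value = term.split("=", 1)
        if key not in event:                                  # the key is case-sensitive: Source != source
            return False
        return wildcard_regex(value).fullmatch(str(event[key])) is not None   # the value is not
    pattern = wildcard_regex(term)                            # bare keyword: any token of the raw text
    return any(pattern.fullmatch(tok) for tok in BREAKERS.split(event["_raw"]))


def parse(query):
    """Group terms for evaluation as a list of OR-groups that are ANDed together.
    Splunk precedence (documented): NOT binds tightest, OR is evaluated before AND, and terms with
    no operator between them are implicitly ANDed. Boolean operators must be uppercase."""
    groups, negate, join_previous = [], False, False
    for tok in TOKEN.findall(query):
        if tok == "AND":
            continue                       # implicit anyway
        if tok == "OR":
            join_previous = True           # next term joins the current OR-group
            continue
        if tok == "NOT":
            negate = True                  # next term is negated
            continue
        if join_previous and groups:
            groups[-1].append((negate, tok))
        else:
            groups.append([(negate, tok)])
        negate = join_previous = False
    return groups


def search(query, events=EVENTS):
    """Return the events matching the query (input order is kept; Splunk shows newest first)."""
    groups = parse(query)
    return [ev for ev in events
            if all(any(term_matches(t, ev) != neg for neg, t in group) for group in groups)]


if __name__ == "__main__":
    for q in ("index=security Error Webserver", "index=security error OR warning",
              "error NOT database", "source=/VaR/lOg/sYslog", "Source=/var/log/syslog",
              "source=/var/log/*", '"failed password"'):
        print(f"{q!r}: {len(search(q))} event(s)")
```

Running the certification question from the earlier slide through it, index=security Error Webserver returns the one event that contains both terms, while the OR and NOT variants return different sets; likewise source=/VaR/lOg/sYslog finds the syslog events and Source=/var/log/syslog finds nothing, because the key must match exactly.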
2.2 Set the Time Range of a Search
Specifying time ranges:

● Restricting, or filtering your search criteria using a time range is the easiest and most
effective way to optimize your searches.

● You can use time ranges to troubleshoot an issue if you know the approximate time
frame when the issue occurred. Narrow the time range of your search to that timeframe.

○ For example, to investigate an incident that occurred sometime in the last hour, you can
use the default time range: “Last 24 hours,” but a better option is Last 60 minutes.

● Use the Time Range Picker to set a time range for a search.

image: screenshot, splunk Search & Reporting app


2.2 Set the Time Range of a Search (continued)
The Time Range Picker

● Clicking the Time Range Picker will open a drop-down menu containing the
following sections:

○ Presets
○ Relative
○ Real Time
○ Date Range
○ Date and Time Range
○ Advanced

image: screenshot, splunk Search & Reporting app


2.2 Set the Time Range of a Search (continued)
Instructor Demo - Time Range Picker:
Use a live Splunk environment to introduce and experience the various options
and sections of the Time Range Picker.

Certification Question example:
Which user interface component allows for time selection?
A. Time summary
B. Time range picker
C. Search time picker
D. Data source time statistics

image: screenshot, splunk Search & Reporting app

Note:
You can also specify time modifiers by typing them into your search string.
We will dedicate a separate section for this.
2.2 Set the Time Range of a Search - Summary
● You can use the Time Range Picker interface to set the time range for a
Splunk search.

● The interface provides many different tools for selecting the time range
such as Presets, Relative, Real-time, Date Range, and more.

● Restricting, or filtering, your search criteria using a time range is the
easiest and most effective way to optimize your searches.
2.3 Identify the Contents of Search Results
Understanding Search Results:
Below the Search bar are four tabs: Events, Patterns, Statistics, and
Visualization.
The type of search commands that you use determines which tab the search
results appear on.
The Events tab displays the Timeline of events, the Display options, the Fields
sidebar, and the Events viewer.

image: screenshot, splunk Search & Reporting app


2.3 Identify the Contents of Search Results (continued)

Understanding search results - Events

● By default, the events appear as a list that is ordered starting with the
most recent event (reverse chronological order).

● An event refers to a single line of data that contains timestamped data
along with any other relevant information.

● In each event, the matching search terms are highlighted.

image: screenshot, splunk Search & Reporting app
2.3 Identify the Contents of Search Results (continued)

Understanding Search Results - the Events list:

● The List display option shows the event information in three columns.

image: https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchTutorial/Startsearching

● Other Events Viewer display options are Raw, and Table.


2.3 Identify the Contents of Search Results (continued)
Understanding Search Results - Timeline of events

● The Timeline of events is a visual representation of the number of events that occur at
each point in time.

● As the timeline updates with your search results, there are clusters or patterns of bars.
The height of each bar indicates the count of events.

● Peaks or valleys in the timeline can indicate spikes in activity or server downtime. The
timeline highlights patterns of events, or peaks and lows in event activity.

● The timeline options are located above the timeline. You can zoom in, zoom out, and
change the scale of the timeline chart.
Source: https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchTutorial/Startsearching

image: screenshot, splunk Search & Reporting app


2.3 Identify the Contents of Search Results (continued)
Understanding Search Results - Fields sidebar

● As part of the index process, information is extracted from your data and
formatted as name and value pairs, called fields.

● When you run a search, the fields are identified and listed in the Fields
sidebar next to your search results. The fields are divided into two
categories.

○ Selected fields are visible in your search results. By default, host,
source, and sourcetype appear. You can select other fields to show in your
events.

○ Interesting fields are other fields that have been extracted from the
events in your search results.

● You can hide the fields sidebar to maximize the results area.
Source: https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchTutorial/Startsearching
image: screenshot, splunk Search & Reporting app
2.3 Identify the Contents of Search Results (continued)
Understanding Search Results - Patterns, Statistics, and Visualizations

● The Patterns tab displays a list of the most common patterns among the set of
events returned by your search. Each of these patterns represents events that share a
similar structure.

● The Statistics tab populates when you run a search with transforming commands
such as stats, top, chart, and so on.

● Searches with transforming commands also populate the Visualization tab. The
results area of the Visualizations tab includes a chart and the statistics table that is
used to generate the chart. You will learn about transforming commands, and use the
Statistics and Visualizations tabs later.
Source: https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchTutorial/Startsearching

image: screenshot, splunk Search & Reporting app


2.3 Identify the Contents of Search Results - Summary
This section covered various options that users can utilize in the Search &
Reporting app, and provided an overview of the fundamental concepts of
search results.

The Timeline of events, the Fields sidebar, and the Events viewer are
important components that aid in searching and analyzing data in Splunk.

To prepare for the certification exam, it is crucial to be proficient and


well-versed in using these features.
2.4 Refine Searches
The amount of time it takes to complete a search in Splunk can vary depending
on several factors, such as the complexity of the search query, the amount of
data being searched, and the resources available on the machine running
Splunk.
Searches can take just a few seconds for small amounts of data, or several
minutes or even hours for very large datasets.
We refine searches in Splunk to narrow down the results and focus on specific
information that we are interested in.

image: Freepik.com
2.4 Refine Searches (continued)
By adding more search terms, and using filters and refining search
syntax, we can reduce the number of events in the search results and
make it easier to find the relevant information.
Refining searches can also help to eliminate false positives or
irrelevant data from the results, making the analysis process more
efficient and accurate.
Some basic ways to refine a search are to drill-down into the search
results, use different search modes, and utilize comparison
operators.
2.4 Refine Searches (continued)
Refining Searches - Drill-down the search results

Once the event viewer is populated with events, drilling down into an event
can help narrow the search.
Using the i column, expand a single event.
Clicking on the timestamp allows easy access to searching nearby events.

image: screenshot, splunk Search & Reporting app


2.4 Refine Searches (continued)
Refining Searches - Drill-down the search results

Clicking on a key (field name) of a key-value pair provides quick access to
refining the search by generating statistical reports, or searching for
events that contain the same field.
It will also provide instant data regarding unique values contained in this
field.

image: screenshot, splunk Search & Reporting app


2.4 Refine Searches (continued)
Refining Searches - Drill-down the search results

Clicking on a value of a field provides quick access to refining the search
by adding or removing the value to or from the search.
It will display the number of events for each option.
It also allows for executing a new search based on that value.

image: screenshot, splunk Search & Reporting app


2.4 Refine Searches (continued)
Refining Searches - Search modes
In Splunk, there are three search modes:

1. Fast Mode: This mode is designed to return search results as quickly as
possible, sacrificing some accuracy and completeness for speed.

2. Smart Mode: This mode automatically switches between Fast and Verbose
modes depending on the size and complexity of the search. It attempts to
provide the best balance between speed and accuracy, and is the default
search mode in Splunk.

3. Verbose Mode: This mode is designed to provide the most accurate and
complete search results, even if it takes longer to execute. It performs a
detailed analysis of all of the events in the data, and can be useful for
debugging and troubleshooting purposes.

image: screenshot, splunk Search & Reporting app
2.4 Refine Searches - Summary
Refining searches in Splunk can help to narrow down the search results and
find relevant information.

This can be done by adding more search terms, using filters, and refining search
syntax.

Different search modes in Splunk affect the way results are returned.

Refining searches can also help to eliminate irrelevant data or false positives,
leading to more efficient and accurate analysis.

Basic ways to refine a search include drill-down into the search results, using
different search modes, and comparison operators.
2.5 Use the Timeline
Use the timeline to investigate events-
The timeline is a visual representation of the number of events in your search
results that occur at each point in time.
The timeline shows the distribution of events over time.

When you use the timeline to investigate events, you are not running a new search; you
are filtering the existing search results.

You can use the timeline to highlight patterns or clusters of events or investigate
peaks (spikes in activity) and lows (possible server downtime) in event activity.
Position your mouse over a bar to see the count of events. Click on a bar to drill down
to that time range.
2.5 Use the Timeline
Change the timeline format-

image: screenshot, splunk Search & Reporting app


2.5 Use the Timeline (continued)
Change the timeline format-
Format options are located in the Format Timeline menu:
You can hide the timeline or display a Compact or Full view of the timeline.
You can also toggle the timeline scale between Linear scale or Log scale
(logarithmic).
When Full is selected, the timeline view is taller to accommodate the labels
on the axis. The count is on the Y-axis and time is on the X-axis.

image: screenshot, splunk Search & Reporting app
source: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Usethetimeline
2.5 Use the Timeline (continued)
Zoom in and zoom out to investigate events.
Above the timeline are the zoom options.
By default, the timeline is zoomed in. When in Full view and zoomed in, the Zoom Out
option is available.

When you use the Zoom In/Out to Selection buttons, Splunk will run a new search with a new time
frame.

image: screenshot, splunk Search & Reporting app


2.5 Use the Timeline (continued)
Zoom to a selection-
When you mouse over, and select bars in the timeline, the Zoom to Selection or Deselect
options above the timeline become available. Additionally, the events list updates to display
only the events that occurred in that selected time range.
You can cancel this selection by clicking Deselect.

image: screenshot, splunk Search & Reporting app


2.5 Use the Timeline - Summary
In Splunk, the timeline is a visual representation of the events that match a
particular search.

It shows the distribution of events over a period of time and allows the user
to easily identify patterns and trends.

The timeline can be used to refine searches by zooming in on specific time


periods and identifying events that occurred within that time frame.

Selecting a time range on the timeline will filter the events on the search
results without running a new search. Zooming in or zooming to a selection
will run a new search.

It is a powerful tool for analyzing and visualizing time-based data in Splunk.


2.6 Use Time Modifiers in Your Search
Time modifiers-

When searching or saving a search, you can specify absolute and relative time ranges using
time modifiers.

● An absolute time range uses specific dates and times (e.g., from 12 A.M. April 1, 2023 to
12 A.M. April 13, 2023).

● A relative time range is dependent on when the search is run. For example, a relative
time range of -60m means 60 minutes ago. If the current time is 3 P.M., the search
returns events from the last 60 minutes, or 2 P.M. to 3 P.M. today.

● The current time is referred to as "now."


earliest=<time_modifier>
● Set the start of the time range using the earliest= command.
latest=<time_modifier>
● Set the end of the time range using the latest= command.
2.6 Use Time Modifiers in Your Search (continued)
Time modifiers and the Time Range Picker-

● A time range that you specify in the Search bar, or in a saved search, overrides the time
range that is selected in the Time Range Picker.

● If you specify a time range of Last 24 hours in the Time Range Picker and in the Search
bar you specify earliest=-30m latest=now, the search only looks at events that have a
timestamp within the last 30 minutes.

● This applies to any of the options you can select in the Time Range Picker.

● Time ranges that you specify directly in the Search bar apply only to that portion of the
search.

○ The time ranges specified in the main search do not apply to subsearches.

○ Time ranges specified in a subsearch apply only to that subsearch. The time
range does not apply to the main search or any other subsearch.

source: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Specifytimemodifiersinyoursearch
2.6 Use Time Modifiers in Your Search (continued)
Specify absolute time ranges-
● For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S.
● The following search specifies a time range from 12 A.M. April 19, 2023 to 12 A.M. April 27,
2023.
○ earliest=04/19/2023:00:00:00 latest=04/27/2023:00:00:00
● If you specify only the earliest time modifier, the latest is set to the current time now by
default.
● If you specify a latest time modifier, you must also specify an earliest time.

image: screenshot,
splunk Search &
Reporting app

source: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Specifytimemodifiersinyoursearch
2.6 Use Time Modifiers in Your Search (continued)
Specify relative time ranges-

● You define the relative time in your search by using a string of characters
that indicate the amount of time.

● The syntax is an integer and a time unit:

○ Begin your string with a minus ( - ) or a plus ( + ) to indicate the offset
before or after the time amount.

○ Specify the amount of time by using a number and a time unit.

○ When specifying relative time, use now to refer to the current time.

source: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Specifytimemodifiersinyoursearch
2.6 Use Time Modifiers in Your Search (continued)
Relative time modifiers that snap to a time-
● With relative time, you can specify a snap to time, which is an offset from the relative
time.
● The snap to time unit rounds down to the nearest or latest time for the time amount
that you specify.
● To do this, separate the time amount from the snap to time unit with an "@" character.
○ For example, the current time is 15:45:00 and the snap to time is earliest=-h@h.
The time modifier snaps to 14:00.
● You can also define the relative time modifier using only the snap to time unit. To snap to
a specific day of the week, use @w0 (or @w7) for Sunday, @w1 for Monday, and so
forth.
● To search for events in the previous month, specify earliest=-mon@mon latest=@mon.
This example begins at the start of the previous month and ends at the start of the
current month.

source: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Specifytimemodifiersinyoursearch
2.6 Use Time Modifiers in Your Search - Summary
An absolute time range refers to a specific range of time that is defined by a start time and an
end time, in a specific date and time format:

● earliest=04/19/2023:00:00:00 latest=04/27/2023:00:00:00

A relative time range is a range of time that is defined in relation to the current time or to a
specific time point. This type of range is usually defined using time units such as minutes,
hours, days, or weeks, and can be expressed as a positive or negative value.

Snap to time is an offset from the relative time and rounds down to the nearest or latest
time for the time amount that you specify using the "@" character.

image: screenshot, splunk Search & Reporting app
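The relative, absolute and snap-to rules in this section can be checked against a small resolver. The Python below is an added example, not Splunk's own time parser: the function names are mine, the set of accepted unit abbreviations is assumed from Splunk's documentation, and the chained forms Splunk also accepts (an offset placed after the snap) are left out. It reproduces the worked cases on the slides: -h@h at 15:45 gives 14:00, earliest=-mon@mon latest=@mon covers the previous calendar month, @w0 is the most recent Sunday, an earliest= alone runs up to now, and a latest= without an earliest= is rejected.

```python
import calendar
import re
from datetime import datetime, timedelta

ABSOLUTE_FORMAT = "%m/%d/%Y:%H:%M:%S"        # exact time ranges, as on the slides

# Unit names and the abbreviations assumed to be accepted for them
UNITS = {
    "second": ("s", "sec", "secs", "second", "seconds"),
    "minute": ("m", "min", "mins", "minute", "minutes"),
    "hour": ("h", "hr", "hrs", "hour", "hours"),
    "day": ("d", "day", "days"),
    "week": ("w", "week", "weeks"),
    "month": ("mon", "month", "months"),
    "year": ("y", "yr", "yrs", "year", "years"),
}
ALIASES = {alias: unit for unit, aliases in UNITS.items() for alias in aliases}

# [+|-][amount]unit, optionally followed by @snap_unit (with @w0..@w7 selecting the weekday)
MODIFIER = re.compile(
    r"^(?:(?P<sign>[+-])(?P<amount>\d*)(?P<unit>[a-z]+))?(?:@(?P<snap>[a-z]+)(?P<wday>[0-7])?)?$")


def unit_of(name):
    try:
        return ALIASES[name]
    except KeyError:
        raise ValueError(f"unknown time unit: {name!r}") from None


def add_months(t, n):
    """Calendar-aware month arithmetic; the day is clamped to the target month's length."""
    total = t.month - 1 + n
    year, month = t.year + total // 12, total % 12 + 1
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))


def offset(t, n, unit):
    """Move t by n units (n may be negative)."""
    if unit == "month":
        return add_months(t, n)
    if unit == "year":
        return add_months(t, 12 * n)
    return t + n * {"second": timedelta(seconds=1), "minute": timedelta(minutes=1),
                    "hour": timedelta(hours=1), "day": timedelta(days=1),
                    "week": timedelta(weeks=1)}[unit]


def snap(t, unit, wday=None):
    """Round down to the start of the unit (@h -> top of the hour, @d -> midnight, ...)."""
    t = t.replace(microsecond=0)
    if unit == "second":
        return t
    t = t.replace(second=0)
    if unit == "minute":
        return t
    t = t.replace(minute=0)
    if unit == "hour":
        return t
    t = t.replace(hour=0)
    if unit == "day":
        return t
    if unit == "week":
        # @w, @w0 and @w7 snap to Sunday, @w1 to Monday ... @w6 to Saturday (Python: Monday=0, Sunday=6)
        target = 6 if wday in (None, "0", "7") else int(wday) - 1
        return t - timedelta(days=(t.weekday() - target) % 7)
    t = t.replace(day=1)
    return t if unit == "month" else t.replace(month=1)   # month, or year


def resolve(modifier, now):
    """Resolve one earliest=/latest= value (relative, snapped, absolute, or "now") to a datetime."""
    if modifier == "now":
        return now
    try:
        return datetime.strptime(modifier, ABSOLUTE_FORMAT)
    except ValueError:
        pass
    m = MODIFIER.match(modifier)
    if not modifier or m is None or not (m.group("unit") or m.group("snap")):
        raise ValueError(f"unrecognized time modifier: {modifier!r}")
    t = now
    if m.group("unit"):
        amount = int(m.group("amount") or 1)              # "-h" is shorthand for "-1h"
        t = offset(t, -amount if m.group("sign") == "-" else amount, unit_of(m.group("unit")))
    if m.group("snap"):
        t = snap(t, unit_of(m.group("snap")), m.group("wday"))
    return t


def time_range(earliest=None, latest=None, now=None):
    """Apply the defaulting rules from the slides: earliest alone runs to now; latest alone is an error."""
    now = now or datetime.now()
    if earliest is None and latest is not None:
        raise ValueError("latest= requires an earliest= time modifier")
    start = resolve(earliest, now) if earliest is not None else None
    end = resolve(latest, now) if latest is not None else now
    return start, end


if __name__ == "__main__":
    now = resolve("04/27/2023:15:45:00", None)            # constructed "current time", a Thursday
    for mod in ("-60m", "-h@h", "@w0", "-mon@mon", "@mon", "-1y@y"):
        print(f"{mod:>9} -> {resolve(mod, now)}")
    print(time_range("-30m", None, now))
```

A point the resolver makes visible that the slides leave implicit: -mon and -1mon are calendar arithmetic, not a fixed number of seconds, so -1mon from March 31 lands on February 28, and @w0 walks back to the preceding Sunday rather than subtracting seven days.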


2.7 Control a Search Job
About jobs and job management-

Each time you run a search, create a pivot, open a report, or load a dashboard
panel, the Splunk software creates a job in the system.
When you run a search, you are creating an ad hoc search.
Pivots, reports, and panels are powered by saved searches.
A job is a process that tracks information about the ad hoc search or saved
search.
The information that is tracked includes the owner of the job, the app that
the job was run on, how many events were returned, and how long the job took
to run.

image: Freepik.com
2.7 Control a Search Job (continued)
Inspecting jobs and managing jobs-

There are several ways that you can look at information about your jobs.
You can inspect a job or you can manage a job.
Search Job Inspector
● Use the Search Job Inspector to view information about the current job,
such as job execution costs and job properties.

image: screenshot, splunk Search & Reporting app


2.7 Control a Search Job (continued)
Inspecting jobs and managing jobs-

Job Details dashboard


● The Job Details dashboard
provides a clear and concise
overview of a search job process.
● You can access the Job Details
dashboard through the Search Job
Inspector.

image: screenshot, splunk Search & Reporting app


2.7 Control a Search Job (continued)
Inspecting jobs and managing jobs

Jobs manager page
● Use the Jobs manager page to view information about recent jobs.
● If you have the Admin role or a role with an equivalent set of capabilities, you can
manage the search jobs run by other users.

image: screenshot, splunk Search & Reporting app


2.7 Control a Search Job (continued)
Job menu
● After you run a search or open a report in Splunk Web, you can access and manage
information about the search job without leaving the Search page.

● On the Job menu, the following options are available:
○ Edit the job settings. Select this to open the Job Settings dialog, where you can
change the job read permissions, extend the job lifetime, and get a URL for the job.
○ Send the job to the background. Select this if the search job is slow to complete and
you want to work on other Splunk activities, including running a new search job. The job
continues to run in the background.
○ Inspect the job. Opens a separate window and displays information and metrics for
the search job using the Search Job Inspector.
○ Delete the job. Use this to delete a job that is currently running, is paused, or which
has finalized. After you delete the job, you can still save the search as a report.

image: screenshot, splunk Search & Report app
2.7 Control a Search Job (continued)
Edit search job settings
● You can open the Job Settings dialog when a search job is running, paused, or finalized.
Just click Job and select Edit Job Settings.
Sharing jobs
● There are several ways to share a job with other Splunk users. You can change the job
permissions or send a link to the job.
Job lifetimes
● When you run a new search, a job is retained in the system for a period of time, called
the job lifetime. The default lifetime is 10 minutes. The lifetime starts from the moment
the job is run.

image: screenshot, splunk Search & Reporting app

source: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Aboutjobsandjobmanagement
2.7 Control a Search Job - Summary
A search job is the process of executing a search request and retrieving the
results.

When you initiate a search in Splunk, it creates a search job that runs in the
background to fetch and process the data. While this is happening, you can stop
or pause the process.

The Search Job Inspector, Job Details dashboard, Jobs manager page,
and the Job menu allow you to inspect and manage search jobs.

The Edit search job settings option allows you to share the job, edit the job's
permissions, and change the job's lifetime.

The default lifetime of a job is 10 minutes. Using the job settings menu you
can extend the job's lifetime to 7 days.
2.8 Save Search Results
In Splunk, users have the option to save
search results for later use or to share
with others.
Saving search results allows users to
easily access relevant data without
having to re-run the search.
A user can also export the search results
in several different formats.

image: Freepik.com
2.8 Save Search Results (continued)
Saving the search results.
There are several ways to save search
results in Splunk.
Using the Save As drop-down menu, any
search can be saved as a Report or an
Alert.
Search results (especially searches that
include statistical analysis) can, via this
menu, serve as data drivers for new or
existing Dashboards.
We will cover Reports, Alerts, and
Dashboards in more detail later in this
course.

image: https://docs.splunk.com/Documentation/Splunk/9.0.4/Search/Savingsearches
2.8 Save Search Results (continued)
Export the search results.
To export the search results to a file, use the Export button next to the Job toolbar.

When exporting, the following file formats are available:
● Raw Events
● CSV
● XML
● JSON

image: screenshot, splunk Search & Report app


2.8 Save Search Results - Summary
Saving a search, be it a report, alert or dashboard, is a way to preserve and
share a predefined view of data that has been extracted and analyzed from a
search query.

You can also export search results to a file in any of the following formats:

● Raw events
● CSV
● XML
● JSON
Knowledge check.
● What syntax is used to link key/value pairs in search strings?
● What does the “earliest=-72h@h latest=@d” time range do?
● What is the function of the timeline located under the search bar?
● What can be configured using the Edit Job Settings menu?
● What user interface component allows for time selection?
● By default, how long does Splunk retain a search job?
● Which Boolean operator is implied between search terms, unless otherwise specified?
● What character is used as a wildcard in Splunk?
● What is the easiest and most effective way to optimize your searches?
● What is an event?
● What are the three search modes in Splunk?