Dive deeper into the search interface by going beyond a basic keyword search with event sampling and time windows.
- [Instructor] We've already covered a simple keyword search. But let's look at some of the other basic search features in Splunk. First, let's take a look at the time-based restrictions. We'll open up the search app here and go over to where it says last 24 hours. And open up that dropdown. You'll see there's a lot of presets available here, even as small as a 30-second window. You can choose some other time windows that are relative to the present such as showing results just from yesterday.
If you click through the other tabs, you'll see that there are even more options here. There's even an advanced tab where you can use some special syntax to specify your time. We'll look at that syntax a little later on, but for now, let's look at some of the other basic search settings. I'll go back here and go to presets and then set it back to last 24 hours. If you click over to the smart mode dropdown here, right underneath the time, you'll see that there are a few other options, fast mode and verbose mode.
Below the search field, you'll see this dropdown that says no event sampling. Event sampling is a way of reducing the volume of events that you need to look through. Splunk will just show you a random subset of the event results. So let's try out the sampling feature. I'll just say one in 10. Then I'll type the word boot again, just so we have the same results and I'll hit enter. Now you can see we've got two events here instead of 22.
If I click the magnifying glass again, I get two different events. That's because the sampling feature just randomly selects a couple of events. In this case, it's one out of 10. It's not exact so sometimes you might get three, sometimes you might get one. Before we move on, let's try switching over to fast mode, just to see what that does. Now you might notice a little bit of a speed improvement but we have so few results in our index that it probably won't make much difference.