Filtering search results

Splunk is great for searching data. Using search commands, you can filter your results using key phrases just the way you would with a Google search. Here are some examples for you to try out:

SPL> index=main /booking/confirmation 

The preceding search reads from the index main and returns only those events whose _raw data contains the term /booking/confirmation. Keyword matching is case-insensitive, so /Booking/Confirmation would return the same events.

You may narrow the search further by adding another phrase. Note that Splunk joins adjacent phrases with an implicit AND operator, and that Boolean operators must be written in uppercase: a lowercase and or or is treated as just another search term, not as an operator. For example:

SPL> index=main /booking 200 

The preceding line of code is equivalent to the following:

SPL> index=main /booking AND 200 

Similarly, you can use the OR operator to match events that satisfy any one of several filters. The following search returns every event containing /booking or /destinations in its text. Over the same set of terms, OR never returns fewer events than AND, so adding a term without an operator (implicit AND) narrows a search, while OR widens it:

SPL> index=main /booking OR /destinations 

As in arithmetic, you may use parentheses to group conditions. The search command evaluates parentheses first, then OR, then AND, so this particular search would match the same events without the parentheses; write them anyway, because the where command uses a different evaluation order and explicit grouping keeps a search unambiguous to whoever reads it next:

SPL> index=main (/booking OR /destinations) AND 200 

If a phrase contains whitespace, enclose it in quotation marks. A quoted phrase must appear in the event as written, in that order; the same words without quotes would be two independent terms joined by an implicit AND, which also matches events where they occur apart or in the other order:

SPL> index=main "iPhone OS" 

You may also filter search results using fields. Field names are case-sensitive (http_uri and HTTP_URI are different fields), whereas field values, like keyword searches, are matched case-insensitively. A field filter is more precise than a raw keyword: http_status_code=200 matches only events whose status field is 200, not every event that happens to contain 200 somewhere in its text, such as a byte count or part of an IP address. It can also be faster, since Splunk uses the value as an indexed term to skip non-matching events where it can, but filtering on a field only works if that field is defined for the events in question. In Chapter 2, Bringing in Data, you extracted new fields from the eventgen data source. Let's use those now to filter search results using custom fields:

SPL> index=main http_uri=/booking/confirmation AND http_status_code=200
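To make the rules above concrete (implicit AND, uppercase OR, parentheses, quoted phrases and field=value filters), here is a small Python model of the search command's filter semantics. It is an added example written for this page, not Splunk's code: it tokenizes a query, applies the search command's precedence (parentheses, then OR, then AND, explicit or implicit), matches keywords and quoted phrases case-insensitively against the raw event, and matches field=value terms with a case-sensitive name and a case-insensitive value. The sample events, the http_uri and http_status_code field names from the chapter, and the segmentation rule (splitting raw text on whitespace and quotes only) are constructed assumptions; Splunk's real segmenter also breaks on characters such as / and ., so this models the Boolean logic, not the indexer.

```python
import re

# Constructed sample events in the shape of the eventgen web-access data the chapter
# uses (not real data). Each carries its raw text plus the fields a search-time
# extraction would add; "index" is included as an ordinary field for the model.
EVENTS = [
    {"index": "main", "http_uri": "/booking/confirmation", "http_status_code": "200",
     "_raw": '10.0.0.1 - - "GET /booking/confirmation HTTP/1.1" 200 "iPhone OS 12"'},
    {"index": "main", "http_uri": "/booking", "http_status_code": "200",
     "_raw": '10.0.0.2 - - "GET /booking HTTP/1.1" 200 "Android 9"'},
    {"index": "main", "http_uri": "/booking", "http_status_code": "500",
     "_raw": '10.0.0.2 - - "POST /booking HTTP/1.1" 500 "Android 9"'},
    {"index": "main", "http_uri": "/destinations", "http_status_code": "200",
     "_raw": '10.0.0.3 - - "GET /destinations HTTP/1.1" 200 "iPhone OS 12"'},
    {"index": "main", "http_uri": "/home", "http_status_code": "200",
     "_raw": '10.0.0.4 - - "GET /home HTTP/1.1" 200 "Windows NT 10.0"'},
    {"index": "web", "http_uri": "/booking/confirmation", "http_status_code": "200",
     "_raw": '10.0.0.5 - - "GET /booking/confirmation HTTP/1.1" 200 "iPhone OS 12"'},
]

# A query token is a quoted phrase, a parenthesis, or a bare word (which may carry
# a quoted value, as in field="some value").
QUERY_TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+(?:"[^"]*")?')
# Raw events are segmented on whitespace and double quotes only (assumption; real
# Splunk also breaks on minor breakers such as "/" and ".").
RAW_BREAKERS = re.compile(r'[\s"]+')


class Parser:
    """Recursive-descent parser using the search command's precedence:
    parentheses first, then OR, then AND (explicit or implicit)."""

    def __init__(self, query):
        self.toks = QUERY_TOKEN.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.and_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def and_expr(self):
        nodes = [self.or_expr()]
        while self.peek() not in (None, ")"):
            if self.peek() == "AND":      # explicit AND; lowercase "and" is just a keyword
                self.take()
            nodes.append(self.or_expr())  # adjacent terms are ANDed implicitly
        return ("AND", nodes)

    def or_expr(self):
        nodes = [self.atom()]
        while self.peek() == "OR":        # OR binds tighter than AND in the search command
            self.take()
            nodes.append(self.atom())
        return ("OR", nodes)

    def atom(self):
        tok = self.take()
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError("expected a term, got %r" % tok)
        if tok == "(":
            node = self.and_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        m = re.match(r'^([A-Za-z_]\w*)=(.+)$', tok)
        if m:                             # field=value (value may be quoted)
            return ("FIELD", m.group(1), m.group(2).strip('"'))
        return ("PHRASE", tok.strip('"').lower().split())


def matches(node, event):
    kind = node[0]
    if kind == "AND":
        return all(matches(n, event) for n in node[1])
    if kind == "OR":
        return any(matches(n, event) for n in node[1])
    if kind == "FIELD":
        # Field names are case-sensitive; field values are compared case-insensitively.
        value = event.get(node[1])
        return value is not None and value.lower() == node[2].lower()
    # PHRASE: keyword search is case-insensitive; a quoted phrase must appear as
    # consecutive segments of the raw event, in order.
    words = node[1]
    segs = RAW_BREAKERS.split(event["_raw"].lower())
    return any(segs[i:i + len(words)] == words for i in range(len(segs) - len(words) + 1))


def search(query, events=EVENTS):
    """Return the events matching an SPL-style filter string."""
    tree = Parser(query).parse()
    return [e for e in events if matches(tree, e)]


def hits(query, events=EVENTS):
    """Positions in `events` of the matching events, for compact comparison."""
    tree = Parser(query).parse()
    return [i for i, e in enumerate(events) if matches(tree, e)]


if __name__ == "__main__":
    for q in ("index=main /booking 200",
              "index=main /booking OR /destinations 200",
              'index=main "iPhone OS"',
              "index=main http_uri=/booking/confirmation AND http_status_code=200"):
        print("%-70s -> %s" % (q, hits(q)))
```

Two runs are worth comparing: index=main /booking OR /destinations 200 returns the same events as the parenthesised form from the page, because OR is evaluated before the implicit AND, and index=main /booking or /destinations returns nothing, because the lowercase or is looked up as a term rather than applied as an operator. Swapping the phrase "iPhone OS" for "OS iPhone" likewise returns nothing, while the unquoted words OS iPhone still match.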