Welcome to Splunk's Getting Started app!

Splunk is the IT Search engine. It lets you index, search, alert and report on any IT data, in real time, for application management, IT operations, security and compliance, and more. Splunk consumes any data, from log files, system metrics, applications, configurations and more.

Click on a topic below to get started.

Getting around

Splunk's UI is packed with features. Read through the following topics to get a better sense of how to navigate and manage your Splunk installation.

Where am I right now?

Splunk 4.0 is made up of apps. Apps create different contexts for your data out of sets of views, dashboards, and configurations. Right now, you're in the Getting Started app, but there are lots of other apps available to you. For example, Splunk ships with an app that is specifically designed to work with the OS you're running. Your Splunk deployment may also include custom-built or installed apps. By default, Splunk includes the Search app, and all the examples in this app will launch the Search app in a new window (or tab, if you're using Firefox).

Navigate between apps

To navigate to another app, use the App drop-down in the upper right hand corner.

To see a list of apps that are currently installed in your Splunk instance, you can return to Launcher by clicking the App menu in the upper right hand corner of this page and choosing Launcher. This will take you out of the Getting Started app, but you can get back here by choosing Getting Started again from the Launcher or the App menu.

Used Splunk before? Looking for something a little more familiar?

If you've used Splunk before, you're probably looking for the Search app. To get to the Search app, return to the App Launcher by clicking the App menu in the upper right hand corner of this page and choosing Launcher. Then, select the Search app from the list.

Manage your Splunk install

Many of Splunk's management options are now available through Splunk Web (Splunk's user interface). Note that some configurations are only available to Splunk users with admin privileges. If you can't access some of the configurations discussed in this app, you may not have permission to access them.

Use Splunk Manager

Manage your configurations and apps with Splunk Manager. Almost every configuration change can be set through Splunk Manager. Get to Manager by clicking on the Manager link in the upper right hand corner.

Use Job Manager

Manage your searches with Job Manager. All of your searches run as jobs. You can list and control all the searches running on your system by clicking the Jobs link in the upper right hand corner.

Add more apps

To browse for and download more apps for Splunk, return to the App Launcher and click the Browse Apps tab.

You can make your own apps too! Refer to the Developer Manual for information.

Index data

If a machine generates it, Splunk can index it. Yep, that's right -- Splunk can index any IT data (regardless of source or format) without custom parsers, connectors, or adapters. Feed Splunk anything from syslog from Unix servers and network devices, to Event Logs on Windows, to custom application logs and even configurations and system metrics -- you'll finally get real visibility into your entire operation.

Wondering what IT data is? Read more here.

There are lots of ways to get your data into Splunk.

Upload a local file

If you have a file on your local machine, upload it to Splunk through Splunk Manager.

  1. Click Manager » Data inputs » Files & Directories.
  2. Click New.
  3. Select Upload a local file. [screenshot]
  4. Set more options by following the rest of the directions on the page.

Monitor live files

Configure Splunk to read from files that are currently being written to by any program or device. This is how you'd monitor live application logs such as those coming from J2EE or .Net applications, Web access logs, and so on. Splunk will continue to index the data in this file or directory as it comes in. This file or directory must be reachable from the Splunk host you're using.

  1. Click Manager » Data inputs » Files & Directories.
  2. Click New.
  3. Select Monitor a file or directory.
  4. Type in the full path to the file or directory. For example, on Windows you can enter: c:\apache\apache.error.log to monitor a local file, or \\hostname\apache\apache.error.log to monitor a file on a remote host. On Unix, use the form /var/log to monitor a local directory, or /mnt/www01/var/log to monitor a remote directory.
  5. Set more options by following the rest of the directions on the page.

Listen to network ports

Use this method to capture "raw" data that is being sent over a TCP or UDP port. For example, set up Splunk to listen on UDP 514 to capture syslog data.

  1. Navigate to the Data Inputs page within Splunk Manager.
  2. Click New next to UDP to add data from a UDP port.
  3. Click New next to TCP to add data from a port using TCP.
  4. Specify the port Splunk should listen on.
  5. Set more options by following the rest of the directions on the page.

Set up inputs for an app

By default, Splunk ships with an app written specifically for your OS, such as Windows or *nix. These apps let you monitor system performance, event logs, and filesystem and registry changes. Set up inputs for these apps by enabling them. You can also download more apps off SplunkBase to fit your data, such as Blue Coat.

To switch to and enable the Windows or UNIX app:

  1. Click Apps in the upper right hand of Splunk Web.
  2. Select Launcher from the drop-down list. The App Launcher is displayed.
  3. Choose the Windows or *NIX app (if you're on Windows, you'll only see the Windows app; if you're on a UNIX platform, you'll only see the *NIX app) and click Launch App.
  4. If the app hasn't yet been enabled, click the link to enable the app.
  5. Follow the steps to configure the app to suit your system.

More input methods

There are other ways to get your data into Splunk. Here are a few popular options:

Script your own inputs

Create a scripted input for your custom data source. Scripted inputs are useful for command-line tools such as vmstat, iostat, netstat, top, etc. Use them to get data from APIs, other remote data interfaces and message queues, or to generate metrics and status data by running system and application status commands. Lots of apps on SplunkBase provide scripted inputs for specific applications. Set up scripted inputs from Splunk Manager.

Monitor file system changes

Interested in what changes are happening on your file system? Set up file system change monitoring and see every change as it occurs. Use this method to monitor critical files, configuration files, etc., as required for many compliance mandates, as well as to find system-impacting changes and unauthorized changes for security and operations.

Centralize data for a distributed environment

Wonder how you'll get data to Splunk from a distributed environment, such as a farm of app or web servers logging locally? Splunk can be configured as a lightweight forwarder and deployed to dozens, hundreds or even thousands of servers to capture data in real time and send it to a central Splunk indexer. Use Splunk forwarders to send data to Splunk from other systems. Set up forwarding from Splunk Manager.

Search

Once you have data in Splunk, you can use the Search app to investigate security incidents; troubleshoot application, server and network problems; or just proactively review system and user activity.

Free form search

Search for any text that you expect to find in your data.

  1. Navigate to the Search app.
  2. Type terms directly into the search bar. If you are investigating a problem, search for: [screenshot]
  3. Combine terms with Boolean expressions. So, if you want to find errors that are not associated with Web activity, search for: [screenshot]
  4. Use wildcards to match patterns of terms. If you want to find failed login attempts, which could include either "failed" or "failure" in the message, you might search for: [screenshot]

Interact with results

Your search results are just as interactive as the timeline. In this section, you'll see how, with just one click, you can add, remove, and exclude terms from your search.

  1. Navigate to the Search app.
  2. Run a search for any term in your data.
  3. Move your mouse over your search results. Notice that words and phrases highlight as you mouse over them, indicating that you can add these terms to your search.
  4. Highlight and click a term in your search results. Your search updates to include this term in the search bar and filters out all previous results that don't match.
  5. Alternately, click any term in your search results that is already highlighted; Splunk updates and removes that term from your search.
  6. Additionally, you can specify terms for Splunk to exclude. Highlight the term and alt-click (for Windows, ctrl-click); Splunk updates your search to exclude this term with a Boolean NOT operation.

Use fields to search

Free form search is easy and powerful, but it doesn't always give you the answer that you want. For example, you may want to exclude events with the HTTP status code 200. But, if you just search for "NOT 200", you'll also remove events you might want to keep, such as "503" status events coming from IP addresses with 200 in them.

As Splunk indexes every term in your original data, it discovers and adds fields based on name/value pairs, headers, or other information that is otherwise self-explanatory. For example, Splunk automatically adds information about where the data came from into host, source and sourcetype fields. Splunk might also recognize other parts of your data, such as IP addresses, HTTP status codes, etc. You can also add your own fields, as discussed in the Add knowledge section of this app.

  1. Navigate to the Search app.
  2. For example, search for web activity: [screenshot]
  3. Notice the Fields menu next to the search results, on the left hand side. These are fields that Splunk automatically discovers and adds. [screenshot]

     Fields that are visible in your search results are listed under the 'Selected fields' header. You can select more fields to show. Other fields that Splunk discovered automatically are listed under 'Other interesting fields'.

  4. Next to each field name is the number of different values that exist for the field in your search results. Click on any of the field names to see the top values of each field. Click on any of the field values to add it as a filter to your search.
  5. If you are searching through web data, you can add the HTTP status to the fields menu by clicking 'Pick fields' and picking 'status' from the pop-up menu that appears.
  6. Notice that the values of the 'status' field are the HTTP status codes: 200, 503, 404, etc. Now, you can use this knowledge to search for or exclude specific field values. A search for all unsuccessful Web access events might be: [screenshot]
  7. You can also use comparison operators (>, <, >=, <=) when searching with fields; to see all events with status values greater than 300, search for: [screenshot]
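Here are the kinds of searches the Free form search and Use fields to search sections describe, written out as added examples; they are not the searches shown in the app's own screenshots. The sourcetype name access_combined and the field names status and clientip are assumptions about how your web access logs are indexed, and 10.0.200.5 is a constructed address. Lines beginning with # are annotations, not search syntax; type only the search line into the search bar.

```spl
# Free-form terms: errors that are not associated with web activity
error NOT web

# Wildcards: "failed", "failure" and "fails" all match fail*
fail* login

# Free-form exclusion is too coarse: this also drops a 503 event whose
# client address is 10.0.200.5, because "200" is an indexed term in the IP
NOT 200

# Field-based exclusion drops only events whose status field is 200,
# so the 503 from 10.0.200.5 is kept
sourcetype=access_combined status!=200

# Comparison operator on a field: every status above 300
sourcetype=access_combined status>300

# Field filters combine: client and server errors from one address only
sourcetype=access_combined status>=400 clientip=10.0.200.5
```

The difference between the third and fourth searches is the whole point of the section: a free-form term matches anywhere in the raw event, while a field comparison matches only the value Splunk extracted for that field.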

Investigate with the timeline

The timeline is a visual representation of the number of events that occur at each point in time. Thus, you can use the timeline to highlight patterns of events or investigate peaks and lows in event activity.

  1. Navigate to the Search app.
  2. Try running a search for 'error' and notice the timeline right below your search. [screenshot]
  3. As the timeline updates with your search results, you might notice clusters or patterns of events; peaks or valleys in the timeline can indicate spikes in activity or server downtime.
  4. Click on a point in the timeline and drag your mouse over a cluster of bars to a second point. Your search results update to display only the events that occurred in that selected time range. [screenshot]
  5. Click on one bar in the timeline. Your search results update to display only the events that occur at that selected point in time. [screenshot]

Use search assistant

Search assistant is a quick in-product reference for users who are constructing searches. It provides details about the search command, including examples of usage, and suggests other commands for you to use.

  1. Navigate to the Search app.
  2. To open Search Assistant, click the green arrow under the search bar. [screenshot]
  3. If the search bar is empty, you'll see a brief description of searching in Splunk and how to construct searches. By default, the assistant displays information for the search command.
  4. The left side of Search Assistant shows a brief description of the search command and examples of usage.
  5. The right side of Search Assistant shows a history of the command's usage and which commands were most often used next.

Add knowledge

Splunk takes search where it's never been before by automatically extracting knowledge from your IT data and letting you add your own knowledge on-the-fly. Add knowledge about the events, fields, transactions, patterns and statistics in your data. You can identify, name and tag this data as well.

Splunk maps all this knowledge at search time, so you can add new fields and event types anytime you need them, without re-indexing the data. Go from finding all events with a particular username, to instantly getting statistics on specific user activities.

Classify similar events

When you search your data, you're essentially weeding out all unwanted events; the results of your search are events that share common characteristics, and you can give them a collective name or "event type". The names of your event types are added as values into an eventtype field. This means that you can search for these groups of events the same way you search for any field. The following example takes you through the steps of saving a search as an event type and then searching for that field.

If you run frequent searches to investigate SSH and firewall activities, such as sshd logins or firewall denies, you can save these searches as event types. Also, if you see error messages that are cryptic, you can save them as an event type with a more descriptive name.

  1. Navigate to the Search app.
  2. If you regularly track SSH activity, such as login attempts, you can save this search as an event type. First, run a search; for example, a search for SSH logins might be: [screenshot]
  3. After you run a search, select the "Save as event type..." option from the search Actions dropdown menu. The Save Event Type window appears. [screenshot]
  4. Follow the directions on the screen to name your event type; you might name this event type "sshlogin". Modify the search string if necessary. Optionally, define tags for your event type; this is discussed in more detail later. When you're finished, click "Save".
  5. You can also save event types for other types of SSH activity, such as logouts and timeouts. Now, to search for just SSH logins: [screenshot]
  6. If you also saved event types named sshlogout and sshtimeout, you can quickly search for all SSH events: [screenshot]

Extract new fields

Splunk automatically extracts knowledge for you as you index new data; and you can also add new knowledge anytime you need it -- without re-indexing your data. This section shows you how to use the field extractor to interactively extract and save new fields.

  1. Navigate to the Search app.
  2. Run a search for a host, source or sourcetype value. Field extraction for any set of events is linked to the host, source or sourcetype value associated with those events.
  3. Select an event from your results.
  4. Click on the arrow underneath the timestamp for this event. This opens a menu.
  5. Select "Extract Fields". This opens the interactive Extract fields window. [screenshot]
  6. Follow the instructions on the page. For example, you might want to add fields for username, source IP, and destination IP.

Tag field values

Tags help you group search results that share field values. A tag is a name that you attach to a particular value of a field such as eventtype, host, source, or sourcetype. For example, you can tag host values with a service name or a note indicating compliance with regulations like PCI.

Generally, you can use tags to:

  • Help you track abstract field values, like IP addresses or ID numbers, which you can group with a location or name.
  • Use one tag to group a set of field values together, so you can search on them with one simple command.
  • Give specific extracted fields multiple tags that reflect different aspects of their identity, which enables you to perform tag-based searches that help you quickly narrow down the results you want.

There are two ways to search for a tag; you can search for the tag across all events or in a particular field.

  1. If you want to find any event with a field that was tagged deny: [screenshot]
  2. If you want to find only events with an event type tagged deny: [screenshot]
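Searches that use the event types and tags the two sections above describe, as added examples rather than the app's own searches. They assume you saved event types named sshlogin, sshlogout and sshtimeout as in Classify similar events, that a tag named deny is attached to an event type, that a tag named pci is attached to some host values, and that a user field has been extracted from your SSH events as in Extract new fields. Lines beginning with # are annotations, not search syntax.

```spl
# The saved event type is searched like any other field
eventtype=sshlogin

# All three SSH event types at once, via a wildcard on the field value
eventtype=ssh*

# Any event with any field (eventtype, host, source, ...) tagged "deny"
tag=deny

# Only events whose event type carries the "deny" tag; a host or source
# tagged "deny" does not match here
tag::eventtype=deny

# Denies per host and event type, most frequent first
tag::eventtype=deny | stats count by host, eventtype | sort -count

# SSH logins on the hosts you tagged "pci", counted per user and host
tag::host=pci eventtype=sshlogin | stats count by user, host
```

The tag::field form is what lets the same tag name mean different things on different fields: tagging a handful of hosts as in-scope for PCI and then filtering on tag::host=pci keeps the search stable when hosts are added to or removed from scope.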

Learn more about Splunk Knowledge

There's more that you can do to best use and extend Splunk so that it works with your data in a manner that fulfills the needs of your enterprise. You'll want to consult the Knowledge Manager manual as you optimize, maintain, and expand your Splunk deployment over time.

The Knowledge Manager manual teaches you:

  • How to manage and maintain Splunk "knowledge objects" such as events, event types, fields, source types, tags, and transactions.
  • Best practices for working with fields, including lookups and aliasing.
  • Strategies for grouping conceptually related events into transactions.

Monitor and alert

After you use Splunk to identify and locate problems in your system, take advantage of its monitoring and alerting capabilities to keep you notified if those situations recur. Configure any search to run on a set schedule. Set up any scheduled search to alert you when the search results meet conditions that you define. Note: This feature is not available when you use Splunk with a Free license. If you are using Splunk with an Enterprise Trial license, you won't have access to this feature after your trial expires.

Schedule a search

  1. Create a search that returns results that you want to be alerted on, like server failure or network intrusions.
  2. When your search is done running, select Save search from the status bar over the timeline. [screenshot]
  3. Fill out the basic search details in the Save Search window.
  4. Then, pick "Schedule search" to reveal the scheduling options. [screenshot]
  5. Set more options by following the rest of the directions on the page.

Set up an alert

Once you've scheduled your search, turn it into an alert.

  1. Specify conditions that must be met before Splunk alerts you. [screenshot]
  2. Then set up one or more alert methods. Make sure your Splunk server has sendmail (or another MTA) enabled if you want Splunk to email you.
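Two searches you could schedule and alert on, matching the "server failure or network intrusions" examples in Schedule a search; these are added examples, not searches from the app. Each search returns rows only when its threshold is exceeded, so the alert condition can be as simple as "number of results is greater than 0" and the threshold lives in the search itself. They assume SSH logs indexed as sourcetype=sshd with a src_ip field extracted as in Extract new fields, and web logs indexed as sourcetype=access_combined with status and host fields; the thresholds 20 and 100 are constructed values to tune for your environment. Lines beginning with # are annotations, not search syntax.

```spl
# Network intrusion attempt: many failed SSH passwords from one source
# address within the scheduled search's time range
sourcetype=sshd "Failed password" | stats count by src_ip | where count > 20

# Server failure: a web host returning a burst of 5xx responses
sourcetype=access_combined status>=500 | stats count by host | where count > 100
```

Keeping the threshold in the search rather than in the alert condition means the alert email or script receives the offending src_ip or host values as the search results, not just a count.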

Report and analyze

Create reports with Splunk's built-in visualization tools. Splunk gives you a wide range of options when it comes to reporting. Create simple "top values over time" reports directly from your search results. Use Report Builder to define and format sophisticated charts. Or define reports by hand using Splunk's powerful statistical commands. Finally, you can quickly create dashboards that share your best reports with others.

Create a simple report

After you run a search you can quickly launch reports providing basic information about the fields in your search results.

  1. Navigate to the Search app.
  2. Run a search for any term or field you want to report on.
  3. When your search is done, find a field in the search results sidebar that you would like to report on and click it. For example, pick IP address if you want to report on a set of IP addresses. [screenshot]
  4. A popup window appears, displaying information about the field you've selected. You can launch a report for each field. Select a report you'd like to run, such as "average over time" or "top values overall." [screenshot]
  5. Report Builder appears in a separate window, showing a chart based on the event data returned by your search. From here you can reformat the report, save it, print it, and more.

Use Report Builder

Launch the report builder to create and format your reports.

  1. Navigate to the Search app.
  2. Run a search for any term or field you want to report on.
  3. In the status bar over the timeline, you'll see a Build report link. Click this link to launch the Report Builder in a separate window. (You don't need to wait for the search to complete before launching the Report Builder.) [screenshot]
  4. The Report Builder opens on the Define Report Contents page. Use this page to set up your reporting parameters through a set of drop-down lists. Start by selecting a Report type. Note that the Report type you choose affects the other options you have for report content definition.
  5. Click Next Step: Format Report when you've finished defining your report content. Splunk takes you to the Format report page, which presents a draft version of the report based on the report content settings you've selected. [screenshot]
  6. Click Format report to change the report formatting. For example, if Splunk gave you a column report and you feel it would look better as a stacked area chart, make the switch. There are many other formatting options available. Create a fancy chart title, change the legend placement, and more. [screenshot]
  7. You're done! Now you can save the report, export its results to a file, print it, or get a URL to the report results that you can share with fellow Splunk users in your organization.

Use reporting commands

When you use the Report Builder drop-down lists to define a report, you may notice that Splunk updates the Report Builder search box with the statistical reporting commands Splunk uses to run the report. This section explains how to use these reporting commands directly from the search bar.

Note: The example searches below utilize information in Splunk's internal index, which is only available to users with Admin permissions.

  1. Navigate to the Search app.
  2. Run a search for any term in your data.
  3. Follow your search terms with a "pipe" character and some basic reporting commands. This basic report, for example, finds the top 5 most common sources in your internal Splunk index:
  4. Select Show report from the status bar to have Splunk build a chart based on your report in Report Builder. Reformat the report if you wish.
  5. Now try a more sophisticated report. This report finds the top 5 sourcetypes in your system according to their total amount of kb throughput, and arranges them in descending order:
  6. There's more information about Splunk reporting commands in Splunk's User Manual.
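The two reports that steps 3 and 5 describe, plus one that carries the same data onto a time axis, written out here as added examples rather than copied from the app. They need access to the _internal index, as the note above says. The throughput report reads Splunk's own metrics.log, where rows with group=per_sourcetype_thruput carry the sourcetype name in the series field and the volume in the kb field; the field alias total_kb is an assumption of this example. Lines beginning with # are annotations, not search syntax.

```spl
# Step 3: the top 5 most common sources in the internal index
# (top adds count and percent columns to each row)
index=_internal | top limit=5 source

# Step 5: top 5 sourcetypes by total KB of indexing throughput, highest first
index=_internal source=*metrics.log group=per_sourcetype_thruput | stats sum(kb) AS total_kb by series | sort -total_kb | head 5

# Going a step further: the same volume per sourcetype over time, which
# Report Builder renders as a chart with one series per sourcetype
index=_internal source=*metrics.log group=per_sourcetype_thruput | timechart sum(kb) by series
```

A sudden drop in a sourcetype's throughput on the time chart is worth an alert of its own: a source that goes quiet is often a forwarder or log pipeline failure rather than an absence of events.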

Preview reports

When you run a report, Splunk can preview the report results for you as the search runs. This feature saves you time, especially when running searches across large time periods. Note that report preview is enabled by default for searches that use reporting commands, so try it out on a report over a large period of time.

  1. Navigate to the Search app.
  2. Enter a report into the search bar.
  3. While the report is running, you'll see a preview show up in the results area. [screenshot]
  4. If you're not happy with your report and want to change it before it finishes running, just click the cancel button and edit the search string.

Build dashboards

Embed searches and reports in the UI by creating a dashboard that makes your most useful and informative reports available to other users. All you need to have in advance is a set of saved reports that you want to display in dashboard format.

  1. Navigate to the Search app.
  2. Select the Actions dropdown and choose Create new dashboard. [screenshot]
  3. The Create new dashboard window appears. Give the dashboard a short name (Dashboard ID) and long name (Dashboard name). Click Create when you're done.
  4. At first, your dashboard is empty. Click Edit the dashboard to open the Edit window, and choose the panel type and saved search for your first panel. Click Add panel to add your new panel to the dashboard.
  5. Click Edit panel if you want to rename the panel, change its format, or update the search it's based on.
  6. Repeat the last two steps to create more panels. Drag them around until you have them set up the way you want them.
  7. You're finished! Click Close to see how your dashboard looks. If you see things you want to change, go to the Actions menu at the top of the page, select Edit dashboard..., and fix them.

More

Looking for more information about what you can do with Splunk? Here are a few more links to Splunk's online documentation.