If a field value looks like key=value in the text of an event, you will
want to use one of the field widgets instead of clicking on the raw text
of the event. Depending on your event segmentation setting, clicking on
the word will add either value or "key=value" to the search. The former
does not take advantage of the field definition; it simply searches for
the word. The latter works only for events that contain the exact quoted
text, not for other events that actually contain the same field value
extracted in a different way.
Time
Clicking on the time next to an event will change the search to only find events that
happened in that second.
To zoom in to a short time frame, one convenient approach is to click
on the time of an event to search only that second, then click on Zoom
out above the timeline until the appropriate time frame is reached.
Using fields to search
When we explored the GUI in Chapter 1, The Splunk Interface, you probably noticed
fields everywhere. Fields appear in the field picker on the left and under every event.
Where fields actually come from is transparent to the user, who simply searches for
key=value. We will discuss adding new fields in Chapter 3, Tables, Charts, and Fields,
and in Chapter 10, Configuring Splunk.
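To make the difference between the three kinds of search concrete (the bare word, the quoted "key=value" text, and a real field search as described in the note above and in this section), here is an added Python simulation; it is not code from the book or from Splunk. The events and the regular-expression extractions are constructed for illustration, and the tokenizer only approximates Splunk's segmentation.

```python
import re

# Constructed sample events: the same user value appears in three textual forms,
# plus a near-miss value and an event where the word appears in another field.
EVENTS = [
    'action=login user=bob src=10.0.0.5',       # key=value form
    'action=login user="bob" src=10.0.0.6',     # quoted value
    'login ok for user: bob from 10.0.0.7',     # "key: value" form
    'action=login user=bobby src=10.0.0.8',     # different value
    'action=message user=alice to=bob',         # "bob" in a different field
]

# Illustrative field extractions (assumed, not Splunk's own configuration).
FIELD_EXTRACTIONS = {
    "user": [r'\buser=(\w+)', r'\buser="([^"]+)"', r'\buser:\s*(\w+)'],
}

def extract_fields(event):
    """Apply each extraction in turn; the first matching pattern wins."""
    fields = {}
    for name, patterns in FIELD_EXTRACTIONS.items():
        for pattern in patterns:
            match = re.search(pattern, event)
            if match:
                fields[name] = match.group(1)
                break
    return fields

def search_word(events, word):
    """Clicking adds just the value: a term search on segmented tokens."""
    return [e for e in events if word in re.findall(r'\w+', e)]

def search_literal(events, phrase):
    """Clicking adds "key=value": only events with that exact text match."""
    pattern = r'(?<!\w)' + re.escape(phrase) + r'(?!\w)'
    return [e for e in events if re.search(pattern, e)]

def search_field(events, name, value):
    """A field search uses the extraction, regardless of textual form."""
    return [e for e in events if extract_fields(e).get(name) == value]

if __name__ == "__main__":
    print("word     :", len(search_word(EVENTS, "bob")), "events (includes to=bob)")
    print("literal  :", len(search_literal(EVENTS, "user=bob")), "event (exact text only)")
    print("field    :", len(search_field(EVENTS, "user", "bob")), "events (all forms)")
```

The word search over-matches (it also returns the to=bob event), the quoted text under-matches (it misses the quoted and colon forms), and only the field search returns exactly the events whose extracted user is bob.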
Using the field picker
The field picker gives us easy access to the fields currently defined for the results
of our query. Clicking on any field presents us with details about that field in our
current search results.