As we go through the following items in this widget, we see a wealth of information
right away:
Appears in X% of results is a good indication of whether we are getting the
results we think we're getting. If every event in your results should contain
this field and the figure is not 100 percent, either the search can be made more
specific or the field definition needs to be modified so that it extracts from
every event.
Show only events with this field adds fieldname="*" to your existing
search to make sure you only get events that have this field.
Because fields are extracted at search time, a field term such as network="*"
cannot by itself use the index. If the events you are searching for always
contain the name of the field as a word in the raw text, in this case network,
your query will be more efficient if you also add that word to the query, since
the indexed term narrows the events before field extraction runs. In this case,
the query would look like this: sourcetype="impl_splunk_gen" network="*" network
Select and show in results adds the field to the selected fields list at the top
of the field picker and displays the field value under each event.
Charts contains the following links, which we will use as starting points for
examples in Chapter 3, Tables, Charts, and Fields:
1. Top values by time shows a graph of the most common values
occurring in the time frame searched.
2. Top values overall shows a table of the most common values for this
field for the time frame searched.
Values shows a very useful snapshot of the top ten most common values.
Using wildcards efficiently
Though the index is based on words, it is possible to use wildcards when needed,
although some care must be taken.
Only trailing wildcards are efficient
Stated simply, bob* will find events containing Bobby efficiently, because the
indexed terms are sorted and a prefix can be looked up directly, but *by or *ob*
will not. The latter cases have no prefix to seek to and will scan all events in
the time frame specified.
Wildcards are tested last
Wildcards are tested after all other terms. Given the search authclass *ob* hello
world, all terms besides *ob* will be searched first, and *ob* is then tested only
against the events that survive. The more you can limit the results using full
words and fields, the better your search will perform.