You cannot use different time ranges in the same query; for instance, in a Boolean search,

    (earliest=-1d@d latest=-0d@d bob error) OR (earliest=-2d@d latest=-1d@d mary error)

will not work. The append command provides a way of accomplishing this.
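The following is an added example (not from the book) of the two-time-range search written with append, using the index name myapplicationindex that this page uses elsewhere. The first search runs the "bob" clause over yesterday, pulls the "mary" clause for the day before in as a subsearch, and tables the merged events. The second search is an alternative the book does not show: it runs one search over both days and uses eval's relative_time() and searchmatch() to apply the per-day condition after retrieval, which avoids subsearch result-count and timeout limits at the cost of retrieving both days of error events.

```spl
index=myapplicationindex earliest=-1d@d latest=-0d@d bob error
| append
    [ search index=myapplicationindex earliest=-2d@d latest=-1d@d mary error ]
| table _time index sourcetype host _raw

index=myapplicationindex earliest=-2d@d latest=-0d@d error (bob OR mary)
| eval cutoff=relative_time(now(), "-1d@d")
| where (_time >= cutoff AND searchmatch("bob")) OR (_time < cutoff AND searchmatch("mary"))
| table _time index sourcetype host _raw
```

The append form is the easier one to read, but append runs its argument as a subsearch, and subsearches are subject to result-count and run-time limits set in limits.conf; when those are hit the subsearch is truncated and the merged result is silently incomplete. For an investigation where missing events matter, prefer the single-search form or verify that the subsearch did not hit a limit (the job inspector reports this).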
_indextime versus _time
It is important to note that events are generally not received at the same time as the timestamp stated in the event. In most installations the discrepancy is a few seconds, but if logs arrive in batches the latency can be much larger. The time at which an event is actually written to the Splunk index is kept in the internal field _indextime. The time that is parsed out of the event is stored in _time.

You will probably never search against _indextime, but you should understand that the time you are searching against is the time parsed from the event, not the time at which the event was indexed. A scheduled search or alert that runs every few minutes over a recent _time window will therefore miss any event whose _time already fell before the window when it finally arrived.
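As an added example (not from the book), the first search below measures the lag between _time and _indextime per host and sourcetype over the last day and reports only hosts whose worst-case lag exceeds five minutes; the index name is the one used on this page and the 300-second threshold is an arbitrary assumption. The second search shows the index-time modifiers _index_earliest and _index_latest, which select by the time an event was indexed rather than by its parsed timestamp, so a scheduled search written this way sees late-arriving batches that a _time-based window would skip.

```spl
index=myapplicationindex earliest=-24h@h latest=@h
| eval index_lag_s=_indextime-_time
| stats count max(index_lag_s) AS max_lag_s perc95(index_lag_s) AS p95_lag_s by host sourcetype
| where max_lag_s > 300
| sort - max_lag_s

index=myapplicationindex _index_earliest=-5m@m _index_latest=@m error
| table _time _indextime host sourcetype _raw
```

The first search is worth running once per source you rely on for detection: a large p95 lag means the source is batched and that any alert over a short _time window needs either a lag allowance (search an older window than the schedule interval) or the index-time modifiers of the second search. The second search pays for that completeness by returning events whose _time may be hours old, so the timeline and any time-based statistics will look unusual.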
Making searches faster
We have talked about using the index to make searches faster. When starting a new investigation, following a few steps will help you get results faster:

1. Set the time to the minimum time that you believe will be required to locate relevant events. For a chatty log, this may be as little as a minute. If you don't know when the events occurred, you might search a larger time frame and then zoom in by clicking on the timeline while the search is running.

2. Specify the index if you have multiple indexes. It's good to get into the habit of starting your queries with the index name, for example, index=myapplicationindex error bob.

3. Specify other fields that are relevant. The most common fields to specify are sourcetype and host, for example, index=myapplicationindex sourcetype="impl_splunk_gen" error bob.

If you find yourself specifying the field source on a regular basis, you could probably benefit from defining more source types. Avoid using the sourcetype field to capture other information, for instance datacenter or environment. You would be better off using a lookup against host or creating another indexed field for those cases.
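Putting the three steps together, as an added example that is not from the book: a narrow time window, the index named first, then sourcetype and host, and finally a lookup that supplies datacenter and environment from the host rather than from an overloaded sourcetype. The sourcetype impl_splunk_gen and index myapplicationindex come from this page; the host pattern app-*, the lookup name host_to_dc and its fields datacenter and environment are assumptions for the example.

```spl
index=myapplicationindex sourcetype="impl_splunk_gen" host="app-*" earliest=-15m@m latest=now error bob
| lookup host_to_dc host OUTPUT datacenter environment
| stats count AS errors by datacenter environment host
| sort - errors
```

Every term before the first pipe is applied against the index, so index, sourcetype, host and the time range all reduce the events that have to be read from disk before any command runs. The lookup is applied after retrieval and costs only a table join per event, which is why it is the right place for attributes such as datacenter that change independently of how the log is formatted; if you need to filter on such an attribute at retrieval time rather than after it, an indexed field is the alternative the book mentions.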