Searching in Splunk

When you are building the search criteria, click a field and its value in the search results to add that field=value pair to the search.


Wildcard character

  • * (asterisk) matches one or more characters

Exact phrases

  • Use " (double quotes)

Search for quotes

  • \" (use a backslash to escape the quote when you want to search for a literal quote character)

Keywords in the search bar are case sensitive!

Boolean keywords are

  • AND (implied between terms when omitted)
  • OR
  • NOT

Order of boolean evaluation

  1. Inside parentheses ()
  2. NOT
  3. OR
  4. AND

Operators

  • =
  • !=
  • >
  • >=
  • <
  • <=
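
An added example (not part of the original notes) that combines the rules above; the index, sourcetype and field names (auth, sshd, src_ip, user) are hypothetical. The first search relies on the implied AND; the second is the same search written out with the parentheses Splunk applies, which shows that NOT binds first, OR next, and AND last, so the two quoted phrases are grouped together before the other terms are applied:

```spl
index=auth sourcetype=sshd "Failed password" OR "Invalid user" NOT src_ip=10.* user!=svc_*

index=auth AND sourcetype=sshd AND ("Failed password" OR "Invalid user") AND (NOT src_ip=10.*) AND user!=svc_*
```

Without the parentheses rule in mind, a reader used to AND-before-OR precedence might expect the first search to match every "Invalid user" event regardless of sourcetype, which is not how Splunk evaluates it.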


Splunk installation

Install Splunk

  1. Navigate to the Splunk website at splunk.com,
  2. In the upper right corner select the Free Splunk button,
  3. If you don’t yet have a Splunk account, register to create one, otherwise log in,
  4. Select the Free Download in the Splunk Enterprise frame,
  5. Select the tab with the operating system of your machine.

Linux

  1. The simplest way to install Splunk on Linux is with wget from the command line. Click Download via Command Line (wget) in the Useful Tools box in the upper right corner.
  2. Copy the command to your clipboard from the popup window,
  3. Execute the wget command in a terminal window to download the tar archive,
  4. It is recommended to install Splunk in the /opt directory; untar the archive there (replace splunk.tgz with the name of the downloaded archive):
    sudo tar xvzf splunk.tgz -C /opt

Windows

  1. Download the .msi installer for your operating system (32 bit or 64 bit),
  2. Run the installer, follow the prompts, and accept the license agreement,
  3. Run Splunk under the Local System account.

Macintosh OSX

  1. Select the .dmg installer for simpler installation,
  2. Follow the prompts to install the application,
  3. At the end of the installation select Start and Show Splunk to start the application and view the user interface in a browser.


To start, stop, and administer Splunk

Linux

  1. In a terminal window navigate to the Splunk bin directory
    cd /opt/splunk/bin
  2. To start Splunk and accept the license agreement during the first start
    ./splunk start --accept-license
  3. The terminal window displays the web interface address in the line that reads The Splunk web interface is at … . Open a browser and navigate to that address.
  4. To start, stop, or restart the instance, or to get help, execute
    ./splunk start
    ./splunk stop
    ./splunk restart
    ./splunk help

Macintosh OSX

  1. In a terminal window navigate to the Splunk bin directory
    cd /Applications/Splunk/bin
  2. To start, stop, or restart the instance, or to get help, execute
    ./splunk start
    ./splunk stop
    ./splunk restart
    ./splunk help

Logging into Splunk the first time

The initial credentials after installation are
Username: admin
Password: changeme