Skip to content

Splunk Basic Searching Guide with Tutorial Data

Introduction

This guide provides a basic overview of searching in Splunk using the tutorial data provided by Splunk. The tutorial data includes sample logs and events that you can use to practice searching and analyzing data in Splunk.

Step 1: Download and Extract Tutorial Data

  1. Download the tutorial data (tutorialdata.zip) from the Splunk website or use the following link:

https://docs.splunk.com/Documentation/Splunk/9.1.0/SearchTutorial/Systemrequirements#Download_the_tutorial_data_files

Step 2: Start Splunk

  1. Start Splunk if it is not already running:

    sudo /opt/splunk/bin/splunk start

  2. Access Splunk Web in your browser:

    http://<your server ip>:8000

  3. Log in using your credentials.

Step 3: Index the Tutorial Data

  1. In Splunk Web, go to Settings > Add Data.

  2. Drag the downloaded tutorialdata.zip to be uploaded then click next.

  3. Create a new index named tutorial, you can leave everything at default.

  4. Click Next and follow the on-screen prompts to index the tutorial data.

  5. File should now be uploaded successfully.

Step 4: Basic Searches

  1. In Splunk Web, go to the Search & Reporting app.

  2. Perform a basic search to retrieve events. For example: This searches for events in the "tutorial" index.

    index=tutorial

Note: If there are no results showing, make sure to make the time span is set to All time ; see screenshot below. All-time

Step 5: Experimenting with different search queries to filter and analyze the data.

  1. Use the 2 search terms below:

    index=tutorial 404

    index=tutorial status=404

  2. You can see that the number of results are different on the 2 searches, and you can filter your results more by using specific fields instead of using wildcards.

Conclusion

Congratulations! You have successfully performed basic searches using Splunk's tutorial data. Continue to explore and experiment with different search queries to enhance your Splunk skills.