Extracting insights from Splunk Enterprise
Getting your data in is just the beginning - it's what you do with it that counts.
Search
Understanding how to search in Splunk is the basis for almost everything you build, so we recommend taking your time to get familiar with our web-based interface (Splunk Web), the command line interface (CLI), and Splunk SPL.
- Take a look at our handy Search Manual, which outlines the key parts of getting started with search. It also includes a Search Tutorial for step-by-step guidance to try it out yourself.
- You can also watch our Search basics Tech Talk, a 20-minute webinar introduction to searching in Splunk Enterprise.
Keep this Splunk quick reference guide by your side as you start to use search for a convenient reference card with the most important fundamentals.
Search Processing Language (SPL)
SPL is the Splunk search language. Use our Search Reference Guide to find a catalog of the search commands with complete syntax, descriptions, and examples. Additionally, this manual includes quick reference information about the categories of commands, the functions you can use with commands, and how SPL relates to SQL.
Find tips and tricks for search commands in Lantern's product tips. Take some time to understand how to specify time ranges, as restricting, or filtering, your search criteria using a time range is the easiest and most effective way to optimize your searches.
Splunk Platform REST API
Use these tutorials to see how you can use Splunk's REST API and learn about available endpoints and operations for accessing, creating, updating, or deleting resources.
Reports
Once you have conducted a search, you can save it as a report for later reuse. To get started, read Creating reports in Splunk Enterprise to learn how to create reports to share with your users that can be scheduled to run automatically, saving you time. Once you have a report, you can do things such as:
- Manually create and edit reports. Add reports to the Report listing page from either Search or Pivot. In Splunk Enterprise, configure a report manually in savedsearches.conf. Convert a dashboard panel to a report. Share your report with others by changing its permissions.
- Accelerate slow-completing reports, either during the report creation process or at a later point in time.
- Set up scheduled reports, which are reports that run on a regular interval and which trigger an alert action (such as the sending of an email with search results) each time they run. Scheduled reports are also used for summary indexing.
- Configure the priority of scheduled reports. Learn how the Report Scheduler manages multiple concurrent reports and learn how to configure your Report Scheduler options.
- Understand how to generate PDFs of reports, dashboards, searches, and pivots. Enable non-Latin fonts in PDFs. In Splunk Enterprise, configure PDF generation by editing .conf files. Review the exceptions to this functionality.
Dashboards
You can also save searches and reports to dashboards. Creating powerful dashboards is important, as it lets you share insights that turn your data into doing. We have two dashboard-building experiences for you to use:
- Classic (Simple XML) dashboards. Our original dashboarding experience that uses Simple XML as the source code and has a limited user interface but offers flexibility for custom code and complex interactivity.
- Dashboard Studio. Our intuitive, point-and-click experience with customizable formats and advanced visualization tools best for quickly and easily building story-telling dashboards. To learn more, watch the Dashboard Studio Tech Talk and follow the Dashboard Studio tutorial.
For more information on their differences, check out these side-by-side capability comparisons. For more details, check out our documentation for getting started with dashboards and visualizations.
Keep this Dashboards quick reference guide by your side as you build your dashboards for a convenient reference card with the most important fundamentals.
Splunk dashboard tips
- When you’re getting started with dashboards, be sure to follow these dashboarding best practices for long-term success once your dashboards are in production. Also check out the collection of dashboard how-to videos on Splunk YouTube.
- As you continue to grow your dashboarding skills, be sure to check out our plethora of .conf (our annual user conference!) sessions with advanced tips and techniques to customize your dashboards for any use.
Alerts
Use alerts to monitor for and respond to specific events. Alerts use a saved search to look for events in real time or on a schedule. Alerts trigger when search results meet specific conditions. You can use alert actions to respond when alerts trigger. Review the alerting workflow to understand the different parts of setting up alerts.
You will continue to see how powerful alerts can be, which will make you want to set up many more! But beware of alert fatigue. Learn how to prevent and address alert fatigue.
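As an added example (not code from this page or from the Splunk documentation), the following savedsearches.conf stanza ties the pieces above together: a saved search with a restricted time range, scheduled with a scheduler priority, a trigger condition, throttling to limit alert fatigue, and an email alert action. The stanza name, index, sourcetype, field values and email address are assumed placeholders.

```ini
# Added example, not from the Splunk docs. Stanza name, index, sourcetype,
# field values and recipient address are assumed placeholders.
[Failed logins - repeated from one source]
# The saved search (SPL). Aggregating per source keeps the result set small.
search = index=auth sourcetype=linux_secure action=failure | stats count by src
# Always restrict the time range: the scheduler only searches the last 5 minutes.
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# Scheduled report: run every 5 minutes; schedule_window lets the Report
# Scheduler shift the run by up to 2 minutes under load, and schedule_priority
# places it ahead of default-priority reports when runs compete.
enableSched = 1
cron_schedule = */5 * * * *
schedule_window = 2
schedule_priority = higher
# Trigger condition: the alert fires only when the custom condition search,
# run over the saved search's results, returns at least one row.
counttype = custom
alert_condition = search count >= 10
# Per-result alerting, throttled per source for one hour, so one noisy host
# produces one notification per hour instead of one every 5 minutes.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = src
# Keep a record in the Triggered Alerts list and mark the severity as high.
alert.track = 1
alert.severity = 4
# Alert action: email the results, with a link back to the search results.
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = Splunk alert: $name$
action.email.include.results_link = 1
```

Place the stanza in a local savedsearches.conf (for example under an app's local directory) and reload or restart so the scheduler picks it up; the same settings are what Splunk Web writes when you configure the alert through the UI.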
Additional resources
- .conf23 talk: SPL for all the things (but here's how to learn about your dataset first)
- .conf23 talk: Lesser-known search commands part 1
- .conf23 talk: Splunk Dashboard Studio for beginners and non-designers
- .conf23 talk: Dashboarding wowzas - top tips for making your dashboards awesome
- .conf talk: What's new in Splunk dashboards
- .conf talk: Splunk dashboard journey: Past present and future
- .conf talk: Build your own custom data visualizations on dashboards