Skip to main content
 
 
Splunk Lantern

Extracting insights from Cloud Platform

 

Getting your data in is just the beginning - it's what you do with it that counts.

Search

Understanding how to search in Splunk is the basis for almost everything you build, so we recommend taking your time to get familiar with our web-based interface (Splunk Web), the command line interface (CLI), and Splunk SPL.

  • Take a look at our handy Search Manual, which outlines the keys of parts of getting started with search. It also includes a Search Tutorial for step-by-step guidance to try it out yourself.
  • You can also watch our Search Basics Tech Talk, a 20 minute webinar introduction to searching in Splunk Enterprise.
  • Keep this Splunk quick reference guide by your side as you start to use search for a convenient reference card with the most important fundamentals.

Search Processing Language (SPL)

SPL is the Splunk search language. Use our Search Reference Guide to find a catalog of the search commands with complete syntax, descriptions, and examples. Additionally, this manual includes quick reference information about the categories of commands, the functions you can use with commands, and how SPL relates to SQL.

Find tips and tricks for search commands in Lantern's product tips. Take some time to understand how to specify time ranges, as restricting, or filtering, your search criteria using a time range is the easiest and most effective way to optimize your searches.

Not a SPL expert? Download the Splunk AI Assistant for SPL app to easily generate SPL from natural language. This generative AI-powered app also reduces your learning curve by explaining SPL code in natural language and helps provide product answers from documentation (learn more).

 

 

Splunk Platform REST API

Use these tutorials to see how you can use the Splunk REST API and learn about available endpoints and operations for accessing, creating, updating, or deleting resources.

Federated search

Federated search provides the capability to seamlessly search across multiple Splunk environments (including Splunk Cloud and on-premise) as well as Amazon S3 from a single user interface. It allows you to unlock new, cross-functional insights by breaking down data silos, all while managing security requirements with role based data access controls. Splunk currently offers two federated search capabilities:

  • Federated Search for Splunk allows you to search datasets outside of your local Splunk platform deployment, from your local search head. You can run a federated search across any remote Splunk Cloud Platform or Splunk Enterprise deployment, giving you a holistic view of datasets across multiple Splunk platform deployments.
  • Federated Search for Amazon S3 allows you to search data from your Amazon S3 buckets from your Splunk Cloud Platform deployment without the need to ingest or index it first. 

Federated Search for Amazon S3 helps to optimize costs by leveraging low storage costs from Amazon S3 to correlate with datasets external to Splunk. This is ideal for investigations that require as-needed access to historical, archival, or low-value data. In addition, you can still run SPL searches, create dashboards, reports, and correlate data between Amazon S3 and Splunk. Common use cases include the following: 

  • Perform forensic investigations directly on historical data stored in Amazon S3 at rest. 
  • Run large statistics searches over historical data in Amazon S3. 
  • Leverage Amazon S3 as part of their data tiering strategy to store data outside of retention period.

Federated Search for Amazon S3 is available for Splunk Cloud Platform stacks hosted on AWS running on version 9.0.2305 and is supported via an integration with AWS Glue Data Catalog. Learn more about what you need to get started. 

Reports

After you have conducted a search, you can save it as a report for later reuse. When you have a report, you can do things such as:

Dashboards

You can also save searches and reports to dashboards. Creating powerful dashboards is important, as it lets you share insights that turn your data into doing. Splunk Cloud Platform has two dashboard-building experiences:

For more information on their differences, check out these side-by-side capability comparisons.

Keep this Dashboards quick reference guide by your side as you build your dashboards for a convenient reference card with the most important fundamentals.

Splunk dashboard tips

  • When you’re getting started with dashboards, be sure to follow these dashboarding best practices for long-term success once your dashboards are in production. Also check out the collection of dashboard how-to videos on Splunk YouTube.
  • As you continue to grow your dashboarding skills, be sure to check out our plethora of .conf (our annual user conference!) sessions with advanced tips and techniques to customize your dashboards for any use.

Alerts

Use alerts to monitor for and respond to specific events. Alerts use a saved search to look for events in real time or on a schedule. Alerts trigger when search results meet specific conditions. You can use alert actions to respond when alerts trigger. Review the alerting workflow to understand the different parts of setting up alerts.

You will continue to see how powerful alerts can be, which will make you want to set up many more! But beware of alert fatigue. Learn how to prevent and address alert fatigue.

 

Additional resources