Clicking to modify your search

Though you can probably figure it out by just clicking around, it is worth discussing the behavior of the GUI when moving your mouse around and clicking.

  • Clicking on any word or field value will give you the option to Add to search or Exclude from search (the existing search) or (create a) New search:
  • Clicking on a word or a field value that is already in the query will give you the option to remove it from the existing query or, as above, to create a new search:

Event segmentation

In previous versions of Splunk, event segmentation was configurable through a setting in the Options dialog. In version 6.2, the Options dialog is not present. Although segmentation (discussed later in this chapter, under the Field widgets section) is still an important concept, it is not accessible through the web interface in this version.

Field widgets

Clicking on values in the Select Fields dialog (the field picker), or in the field value widgets underneath an event, will again give us an option to append (add to) or exclude (remove from) our search or, as before, to start a new search.

For instance, if source="C:\Test Data\TM1ProcessError_20140623213757_temp.log" appears under your event, clicking on that value and selecting Add to search will append source="C:\\Test Data\\TM1ProcessError_20140623213757_temp.log" to your search:

To use the field picker, you can click on the link All Fields (see the following image):

Expand the results window by clicking on > in the far-left column. Clicking on a result will append that item to the current search:

If a field value looks like key=value in the text of an event, you will want to use one of the field widgets instead of clicking on the raw text of the event. Depending on your event segmentation setting, clicking on the word will either add the value or key=value. The former will not take advantage of the field definition; instead, it will simply search for the word. The latter will work for events that contain the exact quoted text, but not for other events that actually contain the same field value extracted in a different way.
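As an added illustration (not code from the book or from Splunk), the functions below model what the field widget does when you choose Add to search, Exclude from search, remove, or New search: the value is quoted and escaped the way Splunk's search language expects, so the path C:\Test Data\... becomes source="C:\\Test Data\\..." exactly as shown above, and spl_unquote recovers the literal text the search will actually match. The escaping matters because an unescaped backslash or double quote in a value would change the meaning of the search; the base query and file path are constructed sample input.

```python
import re


def spl_quote(field: str, value: str) -> str:
    # Inside a double-quoted Splunk search string a literal backslash is
    # written as \\ and a literal double quote as \", so the raw event value
    # is escaped before it is wrapped in field="...".
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}="{escaped}"'


def spl_unquote(term: str) -> tuple:
    # Reverse of spl_quote: (field, raw value) that the search will match.
    m = re.fullmatch(r'(\w+)="((?:\\.|[^"\\])*)"', term)
    if m is None:
        raise ValueError(f"not a quoted field term: {term}")
    return m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def _term_pattern(term: str) -> str:
    # The term as a whole token, optionally preceded by NOT.
    return r"(?<!\S)(?:NOT\s+)?" + re.escape(term) + r"(?!\S)"


def add_to_search(search: str, field: str, value: str) -> str:
    # "Add to search": append the term unless the query already has it.
    term = spl_quote(field, value)
    if re.search(_term_pattern(term), search):
        return search
    return f"{search} {term}".strip()


def exclude_from_search(search: str, field: str, value: str) -> str:
    # "Exclude from search": append a negated copy of the term.
    return f"{search} NOT {spl_quote(field, value)}".strip()


def remove_from_search(search: str, field: str, value: str) -> str:
    # Offered when the value is already in the query: drop the term,
    # whether it was added positively or as NOT field="value".
    term = spl_quote(field, value)
    return re.sub(r"\s*" + _term_pattern(term), "", search).strip()


def new_search(field: str, value: str) -> str:
    # "New search": start over with only this term.
    return spl_quote(field, value)


if __name__ == "__main__":
    base = "index=main sourcetype=tm1"  # constructed sample query
    path = r"C:\Test Data\TM1ProcessError_20140623213757_temp.log"
    s = add_to_search(base, "source", path)
    print(s)
    print(spl_unquote(s.split(" ", 2)[2]))
```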

Time

Clicking on the time next to an event opens the _time dialog (shown in the following image), which lets you change the search to select events before or after a particular time. The dialog offers the following choices:

  • Before this time
  • After this time
  • At this time

In addition, you can select Nearby Events within plus, minus, or plus or minus, a number of seconds (the default), milliseconds, minutes, hours, days, or weeks:

One search trick is to click on the time of an event, select At this time, and then use Zoom out (above the timeline) until the appropriate time frame is reached.