Getting Started
Your First Search
Ingest sample data, write SPL, and turn raw events into a dashboard.
SPL is the language Splunk speaks. It reads left-to-right like a Unix pipeline, and you’ll be fluent enough to build a dashboard before this page ends.
Walkthrough #
Ingest the sample data
Splunk ships with a tutorial dataset. Upload it from the Add Data screen, or use the CLI:

```
splunk add oneshot $SPLUNK_HOME/etc/apps/search/lookups/tutorial.csv \
  -sourcetype tutorial \
  -index main
```

Once the upload finishes, switch to Search & Reporting and pick Last 24 hours as the time range. If the file's own timestamps are older than a day, Splunk indexes the events at those times and Last 24 hours returns nothing; widen the picker to All time in that case.
Run your first SPL query
Type the following into the search bar:

```
index=main sourcetype=tutorial
| stats count by status
| sort -count
```

Each pipe transforms the previous result (note that `sort` keeps at most 10,000 rows by default; write `sort 0 -count` to lift that limit). Read the search like a sentence:
“From everything in main of sourcetype tutorial, count events grouped by status, and sort the result descending.”
You should see something like this:
| Status | Count |
|---|---|
| 200 | 24,531 |
| 404 | 1,148 |
| 500 | 312 |
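The same pipeline pattern scales to a question a security analyst actually asks of web logs: which clients generate errors out of proportion to their traffic, the signature of a scanner or a broken bot. The search below is an added example, not part of the Splunk tutorial; it uses only the `status` and `useragent` fields shown above, and the thresholds (at least 50 requests, at least 20 % errors) are arbitrary assumptions to tune for your own data.

```spl
index=main sourcetype=tutorial
| eval is_error=if(tonumber(status)>=400, 1, 0)
| stats count AS requests, sum(is_error) AS errors BY useragent
| eval error_pct=round(100*errors/requests, 1)
| where requests>=50 AND error_pct>=20
| sort 0 -error_pct
| head 5
```

The first `eval` runs per event, so `is_error` exists before `stats` collapses the events into one row per user agent; the second `eval` and the `where` operate on those aggregated rows. `sort 0` disables the default 10,000-row cap so the top five are taken from the full result. If your data extracts a client-address field, grouping by it instead of `useragent` pins the behaviour to a source rather than to a string the client controls.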
Visualize it
Click the Visualization tab, choose Column Chart, and Splunk renders your aggregation immediately. No JS required.
Save it as a report
Try it yourself #
Exercise
Find the top 5 user agents
Modify the query above to count events grouped by useragent instead of status, and limit the output to the top five.
Show solution
```
index=main sourcetype=tutorial
| stats count by useragent
| sort -count
| head 5
```

`head 5` truncates the result to the first five rows after sorting. The single command `top limit=5 useragent` produces the same five rows and adds a percent column.
Quick check #
Quick check
Which command aggregates events into a single row?
stats is Splunk's aggregation workhorse: `stats count` with no `by` clause collapses the whole result set into a single row. timechart is also an aggregator, but it always groups by time, which is useful for line charts, not for collapsing to a single row.

Where to next? #
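To see the difference in one pipeline, here is a search added as an example (not from the tutorial) over the same data. `timechart` produces one row per hour of server errors; the trailing `stats` then folds those rows into a single summary row. The `span=1h` bucket size is an arbitrary choice.

```spl
index=main sourcetype=tutorial status>=500
| timechart span=1h count AS server_errors
| stats max(server_errors) AS worst_hour_errors, avg(server_errors) AS avg_hourly_errors
```

Run it with the final `stats` line removed to see the hourly rows a line chart would plot; add it back and the table shrinks to one row, which is the shape a single-value panel or an alert threshold expects.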
The full SPL reference
Build your first dashboard
SPL is what makes Splunk feel less like a database and more like a conversation with your data.
That’s the end of the Getting Started workshop. From here, pick a topic that matches what you want to build.
