General practices
Of course we can search for whatever we want in Splunk, using it on our log files much the way we use Google on the web, but there are ways to make searching itself more efficient and faster. A few things are worth understanding when tightening up your queries, and I will cover several that are commonly overlooked.
This may be more editorial than technical, but it is helpful to quickly describe the three components of a Splunk search before explaining the core search. This seems to help a lot of people understand searching as a concept:
Core search (what data will be included in the search?)
Function or calculation (what should be computed over that data?)
Formatting or presentation (how should the result be displayed?)
Let's see an example of each:
Perform a core search:
index=test_index sourcetype=bookstuff action=purchase
Then add a function or calculation:
index=test_index sourcetype=bookstuff action=purchase | stats avg(latency) as Delay by host
Then tell Splunk how to present...
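Here is the same search carried through all three stages, as an added example that is not part of the original page. The index, sourcetype, action and latency field names are the page's own illustrative ones; the time bound, the extra count, the rounding, and the sort and table stages are my assumptions about how a practitioner would finish the search.

```spl
index=test_index sourcetype=bookstuff action=purchase earliest=-24h
| stats avg(latency) as Delay, count as Purchases by host
| eval Delay=round(Delay, 2)
| sort -Delay
| table host Purchases Delay
```

Everything before the first pipe is the core search, and it is the only stage the indexers use to decide which events to read, so every term placed there (index, sourcetype, a field value, the earliest/latest time bound) shrinks the set of events that stats and the presentation commands have to process. Field names are case sensitive, so write index= and sourcetype= in lowercase; an index name with a space is not valid, which is why the example uses an underscore.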