Clicking to modify your search
Though you can probably figure it out by just clicking around, it is worth discussing the behavior of the GUI when moving your mouse around and clicking.
Clicking on any word or field value will add that term to the search.
Clicking on a word or field value that is already in the query will remove it from the query.
Clicking on any word or field value while holding down Alt (Option on the Mac) will append that search term to the query, preceded by NOT. This is a very handy way to remove irrelevant results from query results.
Event segmentation
In Chapter 1, The Splunk Interface, we touched upon this setting in the Options dialog. The different options change what is highlighted as you mouse over the text in the search results, and therefore what is added to your query when clicked on. Let's see what happens to the phrase ip=10.20.30.40 with each setting:
inner highlights individual words between punctuation. Highlighted items would be ip, 10, 20, 30, and 40.
outer...