Mastering Splunk

Search results

When you run a Splunk search, which of the Splunk Web results tabs (Events, Statistics, and Visualization) get populated depends on the search itself: not every search fills all three.

  • Event searches: If your search only returns events (it contains no transforming command), only the Events results tab is populated
  • Transforming searches: If your search includes a transforming command, the results also appear in the Statistics and Visualization tabs (the Events tab still lists the events the command consumed)
  • Transforming commands: These order the event results into a data table, usually of numerical values, that Splunk can use for statistical purposes, that is, building tables, charts, and graphs

Transforming commands include the following:

  • chart
  • timechart
  • stats
  • top
  • rare
  • contingency

Some basic Splunk search examples

To illustrate the differences in the results tabs, let's use an earlier search example. You might recall the following search, which invokes a macro that we created earlier (the backticks are Splunk's syntax for expanding a macro, not quotation marks):

`TM1Events("october/24/2007")`

This is a simple event search, so it populates only the Events results tab; the Statistics and Visualization tabs remain empty.

Now, we can add a transforming command to the search. Here, I've chosen timechart, which buckets the results from that day into an events-per-second rate over time:

`TM1Events("october/24/2007")` | timechart per_second(date_second)

Now, all three results tabs are populated: the Events tab still lists the raw events, while the Statistics tab shows the time-bucketed table and the Visualization tab charts it.
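To show the same distinction on data a security team is more likely to have on hand than TM1 logs, here is an added example that is not from the book. It assumes a hypothetical index named auth holding Linux authentication logs ingested with the built-in linux_secure sourcetype; the user and src_ip fields are extracted inline with rex rather than assumed to exist, and the threshold of 20 failures is an arbitrary choice for illustration. The first search is a plain event search; the second adds stats and the third adds timechart.

```spl
index=auth sourcetype=linux_secure "Failed password"

index=auth sourcetype=linux_secure "Failed password"
| rex "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count AS failures, dc(user) AS distinct_users, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where failures >= 20
| convert ctime(first_seen) ctime(last_seen)
| sort - failures

index=auth sourcetype=linux_secure "Failed password"
| rex "from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| timechart span=5m limit=10 count BY src_ip useother=true
```

Run the first search as-is and only the Events tab fills with the raw sshd failures. The second search collapses those events into one row per source address, so the Statistics tab shows a table of candidate brute-force sources (with how many distinct usernames each tried and when it was first and last seen) and the Visualization tab can chart it. The third search buckets the failures into five-minute intervals per source, which is what the Visualization tab needs to draw a line chart of the attack over time; limit and useother keep the chart to the ten busiest sources plus an OTHER series. In both transforming searches the Events tab still lists the underlying failures, so you can pivot from a suspicious row back to the raw log lines.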

Additional formatting

Splunk also provides several commands to improve the look of your search results. These include the following:

  • abstract: This shows a summary of each search result, truncated to a configurable number of lines (maxlines).
  • diff: This compares two search results (by default the first and second) and shows the differences between them.
  • highlight: This highlights the specified terms in the event list in Splunk Web; it does not change the data.
  • iconify: This displays a unique icon for each distinct value of the fields you specify.
  • outputtext: This copies the _raw field of each result into a field named _xml, optionally XML-escaped.
  • scrub: This anonymizes the current search results (usernames, IP addresses, domain names, and the like are replaced with fictional values). Note that scrub rewrites only the result set you are looking at; the indexed events are untouched, so it is a way to share results with support, not an access control.
  • xmlunescape: This unescapes all XML character entities in the results.
  • append: This is not strictly a formatting command, but it is worth mentioning. It appends the results of a subsearch to the end of the current (tabular) results.
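An added example, not from the book, of three of these commands in use. It assumes the same kind of hypothetical setup as a security team might have: an index named auth holding Linux authentication logs with the built-in linux_secure sourcetype, a src_ip field extracted inline with rex, and an arbitrary threshold of 20 failures chosen for illustration.

```spl
index=auth sourcetype=linux_secure "Failed password" "invalid user"
| head 100
| abstract maxlines=2
| highlight "invalid user"

index=auth sourcetype=linux_secure "Failed password"
| head 100
| scrub

index=auth sourcetype=linux_secure "Failed password"
| rex "from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count AS failures BY src_ip
| append [ search index=auth sourcetype=linux_secure "Accepted password" | rex "from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})" | stats count AS successes BY src_ip ]
| stats sum(failures) AS failures sum(successes) AS successes BY src_ip
| where failures >= 20 AND successes > 0
```

The first search trims each event to two lines and highlights the phrase that marks attempts against accounts that do not exist; highlight only affects the Events tab display, so exported or scheduled results are unchanged. The second search is what you would run before pasting a sample into a support ticket: scrub replaces identifying values in the events you are viewing, but anyone with search access to the index still sees the originals. The third search uses append to glue a table of successful logins per source onto the table of failures, then re-aggregates so that a source which both brute-forced and eventually authenticated shows up with both counts. The append form is shown because the page lists the command; in practice a single search with stats count(eval(...)) per outcome is cheaper and avoids the subsearch result and time limits that append is subject to (see its maxout and maxtime arguments).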