Search modes

For the more advanced Splunker, search modes are quite important, and can save you plenty of time when speaking with a user who isn't very Splunk savvy. I will simply recap these, and mention that, by default, Splunk runs in Smart Mode.

If you would like to change the mode in a search, just use the mode selector drop-down menu, below the time range picker, after you run a query.

Fast Mode

Fast Mode in Splunk searches all of the data you ask for, and then returns only the essential parts of that data in its result set, as well as the fields you mentioned in your query. It omits any unused fields and returns no event data. So basically ...
