Splunk® Cloud Services

SPL2 Search Reference

search command overview

The SPL2 search command retrieves events from one or more index datasets, or filters search results that are already in memory.

You can retrieve events from your datasets using keywords, quoted phrases, wildcards, and field-value expressions. When the search command is not the first command in the pipeline, it is used to filter the results of the previous command.

Syntax

The required syntax is in bold.

search <search-expression>

How the SPL2 search command works

You specify a search expression, such as a keyword or a field-value pair, when you use the SPL2 search> command.

Keyword searches are searches for literal values, terms or phrases, that appear in your events. Use the search command to perform keyword searches against events in your indexes, similar to searching the internet using a web browser. For example, you can search for a literal value such as buttercupgames or itemId.

Keyword searches are not case sensitive. The following search returns any event that contains the term itemId, including all variations of the capitalization of that term, such as itemID, ITEMID, and itemid.

| search itemId

To search for a phrase, enclose the phrase in double quotations. For example, this search returns only those events where the term Windows is immediately followed by a space and the number 10:

| search "Windows 10"

You also use double quotations for terms that contain punctuation, for example:

| search "SC-MG-G10"

Search using field-value pairs

When you are looking for a specific value in a field, identify the field in your search using a field-value pair.

The field name is case sensitive, the field value is not case sensitive.

For example, to search the categoryId field for the value sports, use this search:

| search categoryId=sports

Searching for multiple keywords

When you specify multiple terms to search for, there is an implied AND operator between each term. In the following example, the search looks only for events where the term www2 exists and the categoryId field contains sports:

| search www2 categoryId=sports

This is the same as if you explicitly included the AND operator in your search, such as:

| search www2 AND categoryId=sports

Search expressions

The search command, along with the from command, is one of the most powerful commands in SPL2.

There are a wide variety of search expressions that you can specify with the search command. To learn more about how you can use the search command, see search command syntax details and search command usage for examples of common search expressions.

For a complete description of the types of expressions that you can use in SPL2, see Types of expressions in the SPL2 Search Manual.

See also

search command
search command syntax details
search command usage
search command examples
Last modified on 31 January, 2024
route command overview   search command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters