User Manual



Search Syntax



Keywords

Splunk search terms are not case-sensitive except for Boolean AND, OR, and NOT operators. Keywords must contain no punctuation marks other than _ or - and must be separated by white space. The order of keywords does not matter, except for some modifiers that can only have one value per search. See below for details.


Wildcards *

Wildcards may be placed at the start or end of regular search terms, or at the end of modifier terms.


+Literals

Terms preceded with a + are treated as literal strings, not search modifiers.


"Quotation marks"

Quoted strings that contain breaking characters are not currently supported. Searches that include quotation marks may return no matches.


Punctuation marks

Most punctuation marks, such as . , ! % $ / \ [ ] { } < > @ = + & #, are treated as breaking characters between keywords in the Splunk index. They are not searchable. Your Splunk administrator may reconfigure the default settings. There is currently no way to automatically list all breaking characters.


Boolean operators

AND, OR, NOT

The logic operators AND, OR, and NOT are supported. They must be completely uppercase or they will be treated as regular keywords. XOR is not supported.


( Parentheses )

Parentheses must have spaces both before and after them, e.g. ( foo NOT ( bar OR baz ) ). You must use parentheses when mixing OR and NOT in the same search.


Precedence

Boolean operators are evaluated in this order:


Meta Data

Meta data is important identifying and classifying information that Splunk adds to each event in its index.


Modifiers take the format name::value. They do not have default values.


Your Splunk administrator may configure additional meta data values to those listed here. There is currently no way to get a full list from the index.


eventtype::

The uniquely identified kind of event, as determined by the Splunk Server when it indexed the event.


eventtypetag::

Optional tags added by users to an event type.


host::

The originating host of the event, as determined by the Splunk Server when it indexed the event.


hosttag::

Optional tags added by users to a host value.


source::

The file, FIFO, network port, database table, or other source from which the event was originally indexed.


sourcetype::

The uniquely identified kind of data in the source when it was indexed.


linecount::

Events that were linemerged from exactly n original lines in the source file or data stream.


timestamp::none

Events that did not have any detectable timestamp (i.e., another time rule was used).


year::

Events from the specified year. This value is not displayed in the results, except for the timestamp.


month::

Events from the specified month. This value is not displayed in the results, except for the timestamp.


mday::

Events from the specified day of the month. This value is not displayed in the results, except for the timestamp.


wday::

Events from the specified day of the week, for example wday::sunday. This value is not explicitly displayed in the results.


hour::

Events from the specified hour from 0 through 23.


minute::

Events from the specified minute from 0 through 59.


second::

Events from the specified second from 0 through 59.


zone::

Events from the timezone specified in minutes ahead of UTC, for example zone::480, or zone::local.


Modifiers

Modifiers take the format name::value. Most do not have default values. Some can only be used once in a search, as noted below, while most can appear several times in the same search with different values.


Modifiers may appear anywhere in a Splunk command: before, after, or in between regular keywords and Boolean operators.
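The keyword, punctuation, Boolean, parenthesis and modifier rules above, combined in an added Python example that is not part of the Splunk manual: a small linter that tokenizes a search string and reports the constructs those rules say will not behave as written. The tokenizer is my simplification, and only index:: is treated as once-only because it is the modifier this page marks that way.

```python
import re

# Breaking characters listed in the manual; '_' and '-' are allowed in keywords.
BREAKING = set('.,!%$/\\[]{}<>@=+&#')
BOOLEANS = {"AND", "OR", "NOT"}
# Modifiers for which the manual says only the first declaration is evaluated.
ONCE_ONLY = {"index"}


def tokenize(search):
    """Split on white space but keep a double-quoted string as one token."""
    return re.findall(r'"[^"]*"|\S+', search)


def lint(search):
    """Return warnings for constructs the syntax rules say will not behave as written."""
    warnings, depth, upper_ops, seen_once = [], 0, set(), set()
    tokens = tokenize(search)
    for tok in tokens:
        if tok in ("(", ")"):                      # correctly spaced parenthesis
            depth += 1 if tok == "(" else -1
            if depth < 0:
                warnings.append("')' without a matching '('")
            continue
        if tok.upper() in BOOLEANS:
            if tok in BOOLEANS:
                upper_ops.add(tok)
            else:                                  # lowercase and/or/not is just a keyword
                warnings.append(f"'{tok}' is not uppercase and will be searched as a keyword")
            continue
        if tok.startswith("+"):                    # +literal: never a modifier, no checks
            continue
        if tok.startswith('"'):                    # quoted string
            if any(c in BREAKING for c in tok[1:-1]):
                warnings.append(f"{tok} contains breaking characters and may return no matches")
            continue
        if "::" in tok:                            # name::value modifier
            name = tok.split("::", 1)[0]
            if name in ONCE_ONLY and name in seen_once:
                warnings.append(f"repeated {name}:: - only the first declaration is evaluated")
            seen_once.add(name)
            continue
        if "(" in tok or ")" in tok:               # parenthesis glued to a keyword
            warnings.append(f"parenthesis in '{tok}' must have spaces on both sides")
            continue
        bad = "".join(c for c in tok if c in BREAKING)
        if bad:
            warnings.append(f"'{tok}' contains breaking character(s) '{bad}' that are not searchable")
    if depth != 0:
        warnings.append("'(' without a matching ')'")
    if {"OR", "NOT"} <= upper_ops and "(" not in tokens:
        warnings.append("OR and NOT are mixed without parentheses")
    return warnings
```

Running lint over a saved search before scheduling it catches the silent failures the manual describes, such as a lowercase "or" that quietly becomes a keyword.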


daysago::

Events whose timestamps are within the last N days.


hoursago::

Events within the last N hours.


minutesago::

Events within the last N minutes.


index::

The index to search - main, default, history, splunklogger or, on Splunk Professional, another index defined by the administrator. Only the first declaration will be evaluated.


maxresults::

The maximum number of results to return. The default is 10,000. Only the first declaration


report::

Format results as a SQL query results table rather than the regular Splunk format. The only available table is resultstable, which contains your search results, and the only supported operation is SELECT, e.g. report::[select _ip, _url from resultstable]


savedsplunk::

The search terms from the specified Saved Splunk. Saved Splunk references can be nested.


server::

Events that are found on the specified Splunk Server in a Splunk-2-Splunk distributed search.


similar

Events whose event type signature is somewhat like that of the current event. There is no similar modifier; it's a special syntax version of eventtype of the form eventtype::?value-degrees_of_separation, e.g. eventtype::?23-3.


related::

Events with rare values in common with the current event, such as an IP address or username. You cannot manually enter related searches; you need to click the Related link on a specific event. The value assigned to a related search is a hash value that only makes sense to the server. Unlike all other current Splunk searches, related results are sorted by relevance rather than by time. There is no way to specify related:: from the command line; it's a special hash value.

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.
