Documentation > Splunk > User Manual > Search syntax overview

User Manual

 


About Splunk
Tutorial
Reference

Search syntax overview

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Search syntax overview

A Splunk search consists one or more commands and their arguments. Any search must have at least one data-generation command. The data generated can then be used by other commands in a search pipeline.


A data-generation command is a command that generates data. The most common data-generation command is search which retrieves data persisted in a Splunk index, but there are other data-generation commands as well. The remote, savedsearch , and run commands all generate data that can be used in Splunk searches.


search is made up of a search statement followed by search arguments. Search arguments alter the results of the search by specifying what data to operate on, what additional instructions to follow at runtime, and what indexed terms to search for specifically. The search argument can contain a subsearch.


The search pipeline is composed of commands and arguments that process data generated by the search command and the other data-generation commands.


Search arguments alter the results of the search by specifying what data to operate on, what additional instructions to follow at runtime, and what indexed terms to search for specifically. The search argument can contain a subsearch. Search arguments can be literal keywords, wildcards, Boolean expressions, search field="value" pairs, modifier="value" pairs, and subsearches.


The search command arguments are defined in later sections.


Syntax definition

search ::= data_generation_command [ search_pipeline ] 


 data_generation_command ::= 	search_command | remote_command | savedsearch_command | run_command



     search_pipeline ::= 	"|" [command] [ search_pipeline ]



 search_command ::= 	search [search_argument]



    search_argument ::= 	[keywords]  [indexed_field="value"] [modifier="value"] [search_command]




      subsearch ::= 	search_command "[" search "]"



 remote_command ::= 	remote [server","...","server] | [server" "..." "server] [search_pipeline]



 savedsearch_command::= 	savedsearch [name of saved search]



 run_command ::= 	run [run argument]


Syntax for subsearches

A subsearch is a search with a search command as an argument.


search_command ::= search search_argument


search_argument ::= keyword "|" search_field=value "|" modifier="value" "|" subsearch


subsearch ::= search_command "[" [ search ] "]"


The search command is made up of a search statement followed by search arguments.


Tuning search performance

Splunk's searches are optimized for text-based searching of raw event data. Search speed is dependent on how your Splunk install is configured. You can improve the speed of your searches by editing the configuration files, and by downloading various add-ons through SplunkBase. Read more about tuning search performance here.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.0.2/User/SearchSyntaxOverview"

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!