Search fields
Search fields are extra fields, beyond the core fields, that can be used with the search command to narrow a search. The complete list of search fields is longer than the fields list shown in Splunk Web.
_raw
Contains the entire event. _raw is the object of the search command, so it cannot be used as a search term. It can, however, be used by other commands in the search pipeline. In the following example, search results are piped to the regex command, which operates on the _raw field.
Example:
[search string] | regex _raw="\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
Returns the sendmail events from [search string] that contain an IP address starting with "10".
_serial
A special field containing the serial number of events in a search result. _serial cannot be used in a search, but it can be used with a command that works on a search result.
Example:
[search string] | where _serial > 100 AND _serial < 200
_time
Special field that represents an event's timestamp in seconds since the Unix epoch (UTC). _time is used to build the timeline. It cannot be used as a search term, but it can be referenced in commands that process search results.
- _time = the minimum time for all events.
- _time + duration = the maximum time. Duration is the difference between the minimum and maximum times.
An example of duration is a router log in which an interface goes down and then comes back up. The minimum time is the first event reporting that the interface is down, the maximum time is the last event reporting that the interface is back up, and the duration is how long the interface was down.
Example:
[search string]| sort _time, ms
date_hour
Specifies events from the specified hour from 0 through 23.
date_minute
Specifies events from the specified minute from 0 through 59.
date_month
Specifies events from the specified month. This value is not displayed in the results, except for the timestamp.
date_mday
Specifies events from the specified day of the month. This value is not displayed in the results, except for the timestamp. The value range is 1-31.
Example:
date_mday::21
date_second
Specifies events from the specified second from 0 through 59.
date_wday
Specifies events from the specified day of the week. This value is not explicitly displayed in the results. The value range is: sunday-saturday.
Example:
date_wday::thursday
date_year
Specifies events from the specified year.
Example:
date_year::2007
date_zone
Specifies events whose timestamp was written in the given timezone, expressed as the offset in minutes ahead of UTC. The value range is -720 to 720.
Example:
date_zone::480
or
date_zone::local
eventtype
Specifies an event type to match. Event types can be created by the user or by the automatic event type discoverer.
Example:
eventtype::sendmail_login_failure
eventtypetag
Returns events whose event types carry tags matching the argument.
Example:
eventtypetag::java
endtime
Specifies an end time; all events must be earlier than or equal to it.
Example:
endtime::12/31/07:04.45.13
endtimeu
Specifies an end time in seconds since the Unix Epoch began, 12:00:01 January 1, 1970. See http://en.wikipedia.org/wiki/Unix_epoch.
Example:
endtimeu::6278346234283424
linecount
Specifies the number of lines each matching event must have. It cannot take expressions (for example, linecount::>40 is not valid). To search for events within a range, OR together multiple linecount:: terms.
Example:
linecount::40 OR linecount::41 OR linecount::42
punct
Specifies a log entry punctuation pattern to match. Patterns of punctuation often correspond to a set of related log files. The string can be made up of the following characters: ,;-#$%&+./:=?@\\'|*\n\r\"(){}<>[]^!".
Example:
punct::..._-_-_[//:::_-]_\"_//?=_/.\"__
starttime
Specifies a start time; all events must be later than or equal to it.
Example:
starttime::01/01/2001:01:01:01
starttimeu
Specifies a start time in seconds since the Unix epoch began (12:00:01 am January 1, 1970). See http://en.wikipedia.org/wiki/Unix_epoch.
Example:
starttimeu::9234567891
timestamp::none
Specifies events that have no detectable timestamp (i.e., another time rule was used).
user
Specifies the name of a Splunk user. Used when looking up search history via index::history.
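The following Python is an added illustration, not Splunk's own code, of how the fields documented above relate to one event: the date_* values are read from the timestamp as written in the event (its local clock) while _time is UTC seconds, punct is built from the character set listed under punct, and field::value terms are combined with OR the way the linecount entry requires. The query evaluator, the sample log line and the handling of parentheses are assumptions of this example.

```python
# Added model of the search fields on this page (constructed example, not
# Splunk's code). Assumed: date_* values come from the timestamp as written in
# the event (its local clock) while _time is UTC seconds; punct keeps the page's
# punctuation set, maps spaces to '_' and escapes quotes; OR binds before AND.
from datetime import datetime, timezone, timedelta

PUNCT_CHARS = set(",;-#$%&+./:=?@\\'|*(){}<>[]^!")  # '"' is escaped separately

def punct(raw: str) -> str:
    """Punctuation pattern of the event's first line; letters/digits dropped."""
    keep = {" ": "_", '"': '\\"'}
    return "".join(keep.get(ch, ch) for ch in raw.split("\n", 1)[0]
                   if ch in keep or ch in PUNCT_CHARS)

def search_fields(raw: str, stamp: datetime, serial: int) -> dict:
    """Derive the documented fields for one event; stamp carries its timezone."""
    return {
        "_raw": raw, "_serial": serial,
        "_time": int(stamp.timestamp()),                            # UTC seconds
        "date_zone": int(stamp.utcoffset().total_seconds() // 60),  # minutes from UTC
        "date_year": stamp.year, "date_month": stamp.strftime("%B").lower(),
        "date_mday": stamp.day, "date_wday": stamp.strftime("%A").lower(),
        "date_hour": stamp.hour, "date_minute": stamp.minute,
        "date_second": stamp.second, "linecount": raw.count("\n") + 1,
        "punct": punct(raw),
    }

def matches(fields: dict, query: str) -> bool:
    """Evaluate field::value terms: 'a b OR c' reads as a AND (b OR c)."""
    tokens, groups = query.replace("(", " ").replace(")", " ").split(), []
    for i, tok in enumerate(tokens):
        if tok == "OR":
            continue
        if groups and tokens[i - 1] == "OR":
            groups[-1].append(tok)      # extend the current OR group
        else:
            groups.append([tok])        # implicit AND starts a new group

    def term_ok(term: str) -> bool:
        name, _, value = term.partition("::")
        return str(fields.get(name)) == value
    return all(any(term_ok(t) for t in g) for g in groups)

def sample_event() -> dict:
    """Constructed sendmail-style event stamped 2007-03-31 03:15:22 at UTC-8."""
    raw = 'Mar 31 03:15:22 mailhost sendmail[4711]: AUTH failure from "10.1.2.3"'
    stamp = datetime(2007, 3, 31, 3, 15, 22, tzinfo=timezone(timedelta(hours=-8)))
    return search_fields(raw, stamp, serial=101)
```

Note that date_hour is 3 (the hour written in the event) while _time carries the UTC instant, so an off-hours search on date_hour follows the source's clock, not the searcher's.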
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4