Filtering and re-ordering commands
page
This data-processing command displays a particular subset of search results. It processes search results by calling the specified subsearch string argument until the maximum number of iterations is reached or the maximum number of results is retrieved. It is typically used only in API search requests.
Syntax
page page-range maxresults [subsearch-string]
Arguments
| page-range= | integer-integer (lower-upper) | Specifies the lower and upper boundaries for page iterations. |
| maxresults= | integer | Specifies the maximum number of iterations to perform. |
| subsearch-string= | string | Specifies the subsearch string to call. |
Examples
SplunkWeb:
page 1-10 500 [search *] | outputxml format::raw
- Return results 1 through 10 of the search, over a maxresults of 500.
regex
This data-processing command removes results that do not match the specified regular expression. It accomplishes this by matching the values of fields to the expression. You can specify for the regex to keep events that match the expression, or to keep those that do not match.
Syntax
regex field (= | !=) regular expression
Arguments
| field= | field name | Field to match to the regular expression. |
| regular expression= | "string" or string | A PCRE (Perl Compatible Regular Expression), as supported by the pcre library, to match field values against. |
Note: if you want to use the "or" operator ("|") in a regex argument, the whole regex expression must be surrounded by quotes (i.e. regex "expression").
Examples
SplunkWeb:
- | regex _raw=(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)
- Selects events whose _raw field contains IP addresses in the non-routable class A range (10.0.0.0/8).
CLI:
./splunk search "* | regex _raw=(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
- Selects events whose _raw field contains IP addresses in the non-routable class A range (10.0.0.0/8).
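The 10.0.0.0/8 regex above, run over constructed sample events in Python's `re` module (which accepts the same lookbehind/lookahead syntax). This is an added example, not code from the Splunk documentation; it also contrasts the pattern with the dot after "10" left unescaped, which matches far more than the private range.

```python
import re

# The page's regex, with the dot after "10" escaped so it matches only a
# literal dot. The lookbehind/lookahead refuse matches embedded in a longer
# digit run, so "110.9.165.12" and "10.1.2.3456" are not taken as 10/8 hits.
PRIVATE_10_8 = re.compile(r"(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)")

# Same pattern with the dot left unescaped: any character may follow "10",
# so a digit run such as "1051.2.3" also matches.
UNESCAPED_10_8 = re.compile(r"(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)")

# Constructed sample events standing in for _raw; not real log data.
SAMPLE_EVENTS = [
    "src=10.9.165.12 dst=8.8.8.8 action=allow",
    "src=110.9.165.12 dst=10.0.0.1 action=allow",
    "client 192.168.1.10 fetched /doc/index.html",
    "peer 1051.2.3 reported",
    "backup from 10.200.3.4 to 10.201.3.4 finished",
]


def filter_events(events, pattern=PRIVATE_10_8):
    """Equivalent of '| regex _raw=<pattern>': keep events that match."""
    return [e for e in events if pattern.search(e)]


def extract_10_8(event):
    """All 10/8 addresses found in one event (lookarounds do not capture,
    so findall returns the matched address text)."""
    return PRIVATE_10_8.findall(event)


def unescaped_false_positives(events):
    """Events the unescaped pattern keeps that the escaped one rejects."""
    strict = set(filter_events(events, PRIVATE_10_8))
    return [e for e in filter_events(events, UNESCAPED_10_8) if e not in strict]
```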
set
This data-processing command performs set operations on subsearches.
Syntax
set set-operator [subsearch1] [subsearch2]
Arguments
| set-operator= | UNION, DIFF or INTERSECT | Defines the set operation to perform. Union = "+", diff = "-", intersect = "^". |
| subsearch1= | string | The first search string to pass to the set operator. |
| subsearch2= | string | The second search string to pass to the set operator. |
Examples
SplunkWeb:
index::sampledata | set diff [search 404 | select url] [search 303 | fields url]
- Return all urls that have 404 errors but no 303 errors.
CLI:
./splunk search "index::sampledata | set intersect [search 404 | select url] [search 303 | fields url]"
- Return all urls that have 404 errors and 303 errors.
sort
This data-processing command sorts the search results by the given list of fields. It returns the original results, ordered according to the specified arguments.
If more than one field is given, the first field is the primary sort key, the second the secondary key, and so on. If a field is preceded by "+", the sort on it is ascending; if it is preceded by "-", the sort is descending. If neither "+" nor "-" is specified, the sort is ascending by default.
Syntax
sort [+ | -]field-list... [d | desc]
Arguments
| += | + | Causes the sort to be ascending. This is the default. |
| -= | - | Causes the sort to be descending. |
| field-list= | field1,...,fieldx | Space- or comma-separated list of fields to pass to the sort. |
| d= or desc= | (d or desc) | If specified, causes the sort order to be reversed. |
Examples
SplunkWeb:
404 | sort ip, url
- Sort results by ip and then url.
CLI:
./splunk search "* | sort +ip, -url"
- Sort results by ip ascending and then url descending.
uniq
This data-processing command filters results by removing exact duplicates of results from the search result list. The returned result list contains the first instance of each unique item in the results returned by your search.
Syntax
uniq
Arguments
None.
Examples
SplunkWeb:
index=main 404 /doc | uniq | top limit=10 referer
- Searches the main index for 404 errors for any URL containing "/doc", removes duplicate entries (with uniq), and then yields a report of the top 10 404s by referer.
where
This data-processing command performs arbitrary filtering on results using SQLite WHERE clause syntax. Use SQLite syntax for the arguments to where.
Refer to the SQLite online documentation for a reference on SQLite expressions.
Note: where doesn't support the SQLite operators "||" (double-bar) and "|" (single-bar), because "|" is used in Splunk's search language to separate commands in a search string. Use quotes to signify a literal string. Numbers should not be quoted.
Note: SQLite evaluates comparison expressions whose parameters are of non-identical types. where treats quoted literal expressions as strings ("123" is a string, NOT a number). When where performs a comparison between non-identical types, the following precedence rule applies:
- NULL < numeric type < string type (or "quoted" literal)
Syntax
where filtering-expressions
Arguments
| filtering-expressions | A valid SQLite WHERE clause expression. If no filter clauses are specified, results are not filtered. Quotes are optional with where; in SQLite they are mandatory. Example: "where == 80" is the same as "where == '80'". |
Examples
SplunkWeb:
host::CheckPoint | where (src LIKE "10.9.165.%") OR (dst LIKE "10.9.165.%")
- Performs a search on host="CheckPoint", looking in the src and dst fields for the IP address range 10.9.165.x/24. Notice that where uses the SQLite wildcard "%" instead of the Splunk search wildcard "*".
CLI:
./splunk search "* | where host='localhost'"
- Returns any events whose host field matches localhost. (The SQLite string literal is single-quoted so that the shell's outer double quotes stay intact.)
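The type-precedence rule above (NULL < numeric < string), demonstrated against SQLite itself through Python's standard sqlite3 module. This is an added example, not part of the Splunk documentation; it assumes a field named "port" and constructed sample values, and shows why a quoted "123" compares greater than any unquoted number while NULL never satisfies a comparison.

```python
import sqlite3

# Constructed sample values for an assumed "port" field; not real data.
# Mixing unquoted numbers, quoted strings and a missing value gives one of
# each type the page's precedence rule talks about.
SAMPLE_PORTS = [80, "80", 443, "123", None]


def _sample_db():
    # The column is declared without a type, so SQLite keeps each value's
    # own storage class: 80 stays an integer and "80" stays text, exactly
    # the distinction where makes between an unquoted and a quoted literal.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (port)")
    conn.executemany("INSERT INTO events (port) VALUES (?)",
                     [(v,) for v in SAMPLE_PORTS])
    return conn


def where(clause):
    """Run one WHERE clause over the sample rows, like '| where <clause>'.

    The clause is a trusted constant in this demo; never interpolate
    untrusted input into SQL this way in real code.
    """
    conn = _sample_db()
    try:
        rows = conn.execute(f"SELECT port FROM events WHERE {clause}").fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]


def type_order():
    """Sort the sample values to expose NULL < numeric < string."""
    conn = _sample_db()
    try:
        rows = conn.execute("SELECT port FROM events ORDER BY port").fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]
```

Because text always ranks above numbers, `port > 1000` keeps the quoted "80" and "123" and drops the real ports, and the NULL row is excluded by every comparison; LIKE works on the text form, so it matches the integer 80 and the string "80" alike.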
This documentation applies to the following versions of Splunk: 3.1.4