User Manual

Search syntax


Splunk searches are designed to make searching your data easy by allowing you to perform a variety of simple term and phrase searches with Boolean and comparison logic using the Splunk search command. Use a Splunk search to explore your indexed data, and operate on it by piping search results to a variety of powerful commands to perform statistics and structured analysis on the results. Refer to the Search pipeline syntax reference for more about the search pipeline. For example:

Search for error events from access logs.

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )


Keyword search

Search your data for any whole or part of a keyword by typing it into the search bar. Search for any number of keywords that you like in a single search. Separate multiple keywords by using whitespace. Splunk treats the whitespace between keywords as an AND operator. Also, keywords are not case-sensitive.

Search for "10." anywhere in your data.

"10."

Search for events containing "apache" and "error".

apache error

Literals ("quotes")

Search for any literal term by wrapping it in double quotes. To search for the literal equal sign, you must wrap the search term in double quotes. For example, to search for the string a=b rather than the field a with the value b you must search:

"a=b"

In general, Splunk recommends that you wrap terms that have punctuation or whitespace in double quotes.

Make search case sensitive

Use the regex command to filter the events returned by a search down to those that match an exact, case-sensitive string of characters. Search for all events, and then filter your search results using a regex. For example, to find the word "ERROR" (in uppercase only) in all of your events:

* | regex _raw=ERROR

Search for an asterisk (*)

You can't search for an asterisk (*) character as it is always treated as a wildcard within the search command. To search for a literal asterisk, you need to search for all data and filter out results that don't contain an asterisk (using the regex command).

Here's the search you need to execute to search for an asterisk:

* | regex _raw="\*"


Wildcards

Use wildcards to search for keywords or phrases that match a partial string of characters. Place wildcards at the beginning, middle, or end of a string of characters.

Note: You can also use wildcards in fields and field values.

Examples of valid wildcard usage:


Punctuation marks

In general, Splunk recommends that you wrap terms that have punctuation or whitespace in double quotes. Splunk uses many punctuation characters as breaking characters for keywords in its index. Punctuation marks such as . , ! % $ / \ [ ] { } < > @ = + & and # are considered breaking characters by default. Your Splunk administrator can customize which characters are breaking characters by tuning segmentation. However, in almost all cases it is recommended that you use a literal search, with double quotes, to find specific punctuation in events rather than changing the breaking characters.


Boolean operators

Use Boolean operators to group search arguments together in a search. Splunk supports the Boolean operators: AND, OR, and NOT. Boolean operators must be completely uppercase or they are treated as regular keywords.

The terms in a Boolean expression are evaluated in the following order of precedence:

1. Parenthetical terms.

2. OR

3. AND, NOT

Use parentheses to group Boolean operator expressions together. Parentheses must have whitespace on their outer side (before an opening parenthesis and after a closing one); without that whitespace, a token such as NOT( is treated as a single keyword rather than an operator followed by a group. Parentheses must be used when mixing OR and NOT in the same search.

Examples of correct usage:

(foo NOT (bar OR baz) )
( foo NOT (bar OR baz) )

Examples of incorrect usage:

(foo NOT(bar OR baz))
(foo NOT(bar OR baz ))


Comparison operators

Use comparison operators (=, !=, <, >, <=, >=) to match a field value exactly, or to match a range of field values, in the argument of any search command.

Note: You can only use <, >, <=, and >= with numerical field values.

Operator   Example      Effect
=          field=foo    Field values that exactly match "foo".
!=         field!=foo   Field values that don't exactly match "foo".
<          field<x      Numerical field values that are less than x.
>          field>x      Numerical field values that are greater than x.

This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14.
