search

search

Synopsis

Retrieves events from an index and filters them using keywords or key/value expressions.

Syntax

... | search [<index-specifier>]? [<logical-expression>]?

Arguments

<index-specifier>

Syntax: index=<string>

Description: Search the specified index instead of the default index.

<logical-expression>

Syntax: <time-opts>|<search-modifier>|((NOT)? <logical-expression>)|<index-expression>|<comparison-expression>|(<logical-expression> (OR)? <logical-expression>)

Description: Includes time and search modifiers; comparison and index expressions.

Logical expression

<comparison-expression>

Syntax: <field><cmp><value>

Description: Compare a field to a literal value or values of another field.

<index-expression>

Syntax: "<string>"|<term>|<search-modifier>

<time-opts>

Syntax: (<timeformat>)? (<time-modifier>)*

Comparison expression

<cmp>

Syntax: = | != | < | <= | > | >=

Description: Comparison operators.

<field>

Syntax: <string>

Description: The name of a field.

<lit-value>

Syntax: <string> | <num>

Description: An exact, or literal, value of a field; used in a comparison expression.

<value>

Syntax: <lit-value> | <field>

Description: In comparison-expressions, the literal (number or string) value of a field or another field name.

Index expression

<search-modifier>

Syntax: <field-specifier>|<savedsplunk-specifier>|<tag-specifier>

Time options

<timeformat>

Syntax: timeformat=<string>

Description: Set the time format for starttime and endtime terms.

<time-modifier>

Syntax: <earliest> | <latest>

Description: Specify start and end times.

Examples

Example 1: Keep only search results that have the specified "src" or "dst" values.

Example 2: Search for events with either codes 10 or 29, and a host that isn't "localhost" and an xqp that is greater than 5

Example 3: Search for events with "404" and from host "webserver1"

• Was this topic useful?
• Post a comment