Splunk® Enterprise

Search Manual


Help reading searches

The Search bar contains features to help you read, parse, or interpret the Splunk Search Processing Language (SPL) syntax. The syntax highlighting feature displays parts of SPL in different colors. There are also keyboard shortcuts to help you find information in your searches.

Syntax highlighting

With syntax highlighting, the SPL commands, arguments, functions, and keywords are color-coded to make it easier to read a search.

Consider the following search.

sourcetype=access_* | timechart count(eval(action="purchase")) BY productName usenull=false useother=false


With syntax highlighting turned on, the search is easier to read. This screen image shows the search listed above in the Search bar with syntax highlighting turned on. The commands, arguments, functions, and keywords are in different colors.

By default, syntax highlighting is turned on.

Color codes

The color coding that is used for the search syntax is described in the following table.

Syntax component                           Color    Example
Commands                                   Blue     ...timechart
Command arguments                          Green    ...timechart usenull=false
Functions                                  Pink     ...timechart count
Keyword modifiers and Boolean operators    Orange   ...timechart count BY productName

Syntax validation

If a command, argument, function, or Boolean operator is not spelled or capitalized correctly, the term is not highlighted in color. The lack of color helps you confirm that the search is using the correct syntax.

If you specify an incorrect data type for an argument, the value is red. For example, the limit argument for the top command expects an integer. If you type ...|top limit=false the term false is highlighted in red because it is not an integer.

Turn off syntax highlighting

You can turn syntax highlighting off.

  1. On the Splunk bar, select [User_account_name] > Account Settings.
     This screen image shows the Splunk bar. The user account name "Administrator" is selected. The menu choices are Account Settings and Logout.
  2. In the Search section under Syntax highlighting, select Off.
  3. Click Save.

Search bar shortcuts

In the Search bar, you can use keyboard shortcuts to help you develop, read, and parse your search criteria.

Make searches easier to read

Long searches can be difficult to read. For example, the following search uses multiple commands and includes many occurrences of renaming columns in the search results.

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchases=(purchases/views)*100 | eval cartToPurchases=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchases cartToPurchases | rename productName AS "Product Name", views AS "Views", addtocart as "Adds To Cart", purchases AS "Purchases"


The following image shows how this search appears in the Search bar.

This screen image shows the search listed above displayed in the search bar.

You can use a keyboard shortcut to parse each pipe section on a separate line. Any subsearches are indented.

  • On Linux or Windows use Ctrl + \
  • On Mac OSX use Command + \


The results of the shortcut are shown in the following image.

This screen image shows the same search with each piped section on a new line in the search bar.

You can also force a new line by using Shift + Enter. See Line and word shortcuts.
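The splitting that the parse shortcut performs, written out as an added Python example (not Splunk's own code): a search is broken at pipes that sit outside quoted strings and outside [...] subsearches, and each subsearch body is indented one level. The helpers _scan, split_pipes, _find_subsearch and format_lines and the SAMPLE search are all constructed for this example; only the first top-level subsearch in a section is expanded, and backslash escapes inside strings are not handled.

```python
# Added example (not Splunk's code): put each piped SPL section on its own line
# and indent subsearches, mirroring the Ctrl + \ shortcut. Assumptions: quoted
# strings may contain | or [ and are skipped; backslash escapes are not handled.

def _scan(s):
    """Yield (index, char, depth, in_string): depth is [...] nesting outside quotes."""
    depth, in_str = 0, False
    for i, c in enumerate(s):
        if c == '"':
            in_str = not in_str
        elif not in_str and c == "[":
            depth += 1
        elif not in_str and c == "]":
            depth -= 1
        yield i, c, depth, in_str

def split_pipes(spl):
    """Split on '|' characters that are outside quotes and outside any subsearch."""
    cuts = [i for i, c, d, q in _scan(spl) if c == "|" and d == 0 and not q]
    parts, prev = [], 0
    for i in cuts + [len(spl)]:
        parts.append(spl[prev:i].strip())
        prev = i + 1
    return [p for p in parts if p]

def _find_subsearch(section):
    """Return (start, end) of the first top-level [...] in section, or None."""
    start = None
    for i, c, d, q in _scan(section):
        if not q and c == "[" and d == 1 and start is None:
            start = i
        elif not q and c == "]" and d == 0 and start is not None:
            return start, i
    return None

def format_lines(spl, level=0, indent="    "):
    """One line per pipe section; a subsearch body is recursed one level deeper."""
    lines, prefix = [], indent * level
    for n, section in enumerate(split_pipes(spl)):
        bar = "| " if n else ""
        sub = _find_subsearch(section)
        if sub is None:
            lines.append(prefix + bar + section)
            continue
        start, end = sub
        head, tail = section[:start].rstrip(), section[end + 1:].strip()
        lines.append(prefix + bar + head + (" [" if head else "["))
        lines.extend(format_lines(section[start + 1:end], level + 1, indent))
        lines.append(prefix + "]" + (" " + tail if tail else ""))
    return lines

# Constructed sample: one subsearch plus a quoted pipe that must not split the search.
SAMPLE = 'index=web [ search index=alerts severity="high" | fields src_ip ] | eval tag="a|b" | stats count BY src_ip'
```

Calling "\n".join(format_lines(SAMPLE)) prints the subsearch on its own indented lines and keeps the quoted "a|b" intact.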

Access the Learn More link

When you type a command, a list of matching commands or arguments appears. Below the list is a brief description of the command and an example. There is also a Learn More link, which opens the Search Reference in a new window and displays documentation about the command.

To access the Learn More link, use your keyboard. Arrow down to the command or attribute name to highlight the name. Press Tab to highlight the Learn More link and then press Enter to activate the link.

Highlight search terms

  • To highlight all of the occurrences of a word in the search, double-click that word.

This screen image shows the same search with the "addtocart" term highlighted.  All of the other occurrences of "addtocart" are also highlighted.

Locate matching parenthesis

  • To locate the matching parenthesis in your search, position your cursor immediately after an open or close parenthesis. The matching parenthesis is highlighted.

This screen image shows the same search listed above. The cursor is immediately to the right of the open parenthesis in this part of the search that contains the command "eval viewsToPurchases=(purchases/views)*100". There is a highlight on the close parenthesis.

Undo and Redo shortcuts

Use the following keyboard shortcuts to undo and redo actions in the Search bar.

Action                      Linux or Windows                Mac OSX
Undo the previous action.   Ctrl + Z                        Command + Z
Redo the previous action.   Ctrl + Y or Ctrl + Shift + Z    Command + Y or Command + Shift + Z

Search assistant window shortcuts

With the Compact mode of the search assistant, you can use keyboard shortcuts to select items in the list, and close and reopen the search assistant window.

Action                                                          Linux or Windows                          Mac OSX
Move your cursor into the search assistant window.              Down arrow key                            Down arrow key
Close the search assistant window.                              ESC                                       ESC
Reopen the search assistant window.                             Ctrl + Space                              Control + Space
Select an item in the search assistant window and insert it     Use the Up arrow and Down arrow keys to   Use the Up arrow and Down arrow keys to
into the Search bar.                                            highlight the item and press Enter.       highlight the item and press Enter.
Toggle between the list and the Learn More link in the          Tab                                       Tab
search assistant window.

Find and replace shortcuts

Use the following keyboard shortcuts to find and replace terms in the Search bar.

Action                      Linux or Windows    Mac OSX
Find a term.                Ctrl + F            Command + F
Find and replace a term.    Ctrl + H            Command + Option + F

Line and word shortcuts

The distinction between rows and lines is important to understand when you use keyboard shortcuts to manipulate rows or lines in your search criteria in the Search bar.

  • Long searches appear on multiple rows in the Search bar.
  • If the search is not parsed, the search is one line.
  • If the search is parsed, separating each piped section and subsearch into its own line, a row is the same as a line.


Action                                                                Linux or Windows            Mac OSX
Split the active row at the cursor.                                   Shift + Enter               Shift + Enter
Remove the active line. If the search is one line with multiple       Ctrl + D                    Command + D
rows and is not parsed into separate lines, the entire search
is removed.
Copy the active row and place the copy below the active row.          Alt + Shift + Down arrow    Command + Option + Down arrow
Copy the active row and place the copy above the active row.          Alt + Shift + Up arrow      Command + Option + Up arrow
Move the active row down one row.                                     Alt + Down arrow            Option + Down arrow
Move the active row up one row.                                       Alt + Up arrow              Option + Up arrow
Remove the search criteria from the cursor to the end of the row.     Alt + Delete                Control + K
Remove the search criteria from the cursor to the start of the row.   Alt + Backspace             Command + Delete
Remove the word or space to the right of the cursor.                  Ctrl + Delete               Alt + Delete
Remove the word or space to the left of the cursor.                   Ctrl + Backspace            Option + Delete

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6


Comments

Hello Woodcock
The Release Notes mention these new features under the heading "Enhanced search assistance". I have added links from the Release Notes to this topic and also to the topic "Help building searches".

Lstewart splunk, Splunker
October 7, 2016

This document should be linked to the 6.5 release notes which does not mention most (any) of this stuff (but should).

Woodcock
October 5, 2016
