Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

Use CASE() and TERM() to match phrases

If you want to search for a specific term or phrase in your Splunk index, use the CASE() or TERM() directives to do an exact match of the entire term.

  • CASE: Search for case-sensitive matches for terms and field values.
  • TERM: Match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor segmenters, such as periods or underscores.


When you search for a term that contains minor segmenters, it is treated by default as a phrase: It searches for the conjunction of the subterms (the terms between minor breaks) and post-filters the results. For example, when you search for the IP address 127.0.0.1, Splunk software searches for: 127 AND 0 AND 1

This search is not very efficient if the conjunction of these subterms is common, even if the whole term itself is not common.

If you search for TERM(127.0.0.1), Splunk software treats the IP address as a single term to match in your raw data.

TERM is more useful for cases where the term contains minor segmenters and is bounded by major segmenters, such as spaces or commas. In fact, TERM does not work for terms that are not bounded by major breakers. This is illustrated in the examples below.

For more information about how Splunk software breaks events up into searchable segments, read About segmentation in Getting Data In.

Examples

TERM(127.0.0.1) works for raw data that looks like:

127.0.0.1 - admin

However, it fails for data that looks like:

ip=127.0.0.1 - user=admin

This is because "=" is a minor breaker and the IP address portion of the event is indexed as: ip, 127, 0, 1, ip=127.0.0.1

If your data looks like this:

ip 127.0.0.1 - user admin

TERM(user admin) fails to return results. The space is a major breaker and the phrase "user admin" is not indexed as a single term.

PREVIOUS
Difference between NOT and !=
  NEXT
SPL and regular expressions

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters