Use CASE() and TERM() to match phrases
If you want to search for a specific term or phrase in your Splunk index, use the CASE() or TERM() directives to do an exact match of the entire term.
- CASE: Search for case-sensitive matches for terms and field values.
- TERM: Match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor segmenters, such as periods or underscores.
When you search for a term that contains minor segmenters, it is treated by default as a phrase: It searches for the conjunction of the subterms (the terms between minor breaks) and post-filters the results. For example, when you search for the IP address 127.0.0.1, Splunk software searches for:
127 AND 0 AND 1
This search is not very efficient if the conjunction of these subterms is common, even if the whole term itself is not common.
If you search for TERM(127.0.0.1), Splunk software treats the IP address as a single term to match in your raw data.
TERM is more useful for cases where the term contains minor segmenters and is bounded by major segmenters, such as spaces or commas. In fact, TERM does not work for terms that are not bounded by major breakers. This is illustrated in the examples below.
For more information about how Splunk software breaks events up into searchable segments, read About segmentation in Getting Data In.
TERM(127.0.0.1) works for raw data that looks like:
127.0.0.1 - admin
However, it fails for data that looks like:
ip=127.0.0.1 - user=admin
This is because "=" is a minor breaker and the IP address portion of the event is indexed as: ip, 127, 0, 1, ip=127.0.0.1
If your data looks like this:
ip 127.0.0.1 - user admin
TERM(user admin) fails to return results. The space is a major breaker and the phrase "user admin" is not indexed as a single term.
Difference between NOT and !=
SPL and regular expressions
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3