Splunk® Enterprise

Search Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Search command primer

At the beginning of a search pipeline, the search command is implied, even though you do not explicitly specify it. If you type in

host=webserver*

It is as if you typed in

search host=webserver*

Use keywords, phrases, fields, boolean expressions, and comparison expressions to specify exactly which events you want to retrieve from Splunk indexes.

For specific information see:

Keywords and phrases

By default, when you search with keywords and phrases, Splunk software retrieves events by matching against the raw event field, _raw, in your data. When you start adding search modifiers, such as fields like _time and tag, you are also matching against pieces of information that have been extracted from the _raw field.

When searching for strings, which includes keywords and quoted phrases (or anything that's not a search modifier), Splunk software searches the _raw field for the matching events or results. Some examples of keywords and phrases are:

web

error

web error

"web error"

Note that the search for the quoted phrase "web error" is not the same as the search before it. When you search for web error, Splunk software returns events that contain both "web" and "error". When you search for "web error", Splunk software only returns events that contain the phrase "web error".

File paths

To search for a file path, such as D:\Digital\RTFM, you must escape the backslash characters in the path, for example D:\\Digital\\RTFM.

If the file path contains spaces you must enclose the path in quotation marks. For example:

"D:\\Digital\\RTFM Backup Folder"

A space is considered a major breaker in data. To learn more about major and minor breakers, see Event segmentation and searching.

See Also

Last modified on 03 October, 2023
Search history   Wildcards

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters