Splunk® Cloud Services

SPL2 Search Manual

Search literals in expressions

A search literal is a predicate that you can use wherever an <expression> is used. Search literals simplify and streamline your search syntax.

Search literals must be enclosed in backtick characters ( ` ).

Using search literals instead of the search command

Search literals enable you to perform SQL-like searches using a predicate expression that is similar to using predicate expressions with the search command.

The following table shows how the same predicate expression is used with the search command and the fromcommand:

Description Example
Search command 
search index=main 500
From command with the searchmatch function 
FROM main WHERE searchmatch("500")
From command with a search literal 
FROM main WHERE `500`

Search literals with commands

One common use for search literals is in the WHERE clause of the from command. You can also use search literals with the where command.

The following search looks in the main index for events that contains the terms 500 and ERROR.

|FROM main WHERE `500 ERROR`

Simplifying your searches

Using search literals can simplify your search syntax.

Consider the following search:

|FROM main WHERE sourcetype="secure" |search "invalid user" AND "sshd[5258]" |fields _time, source

You can simplify the syntax by using a search literal. An AND condition is implied between the values specified in the search literal:

|FROM main WHERE sourcetype="secure" AND `invalid user sshd[5258]` |fields _time, source

Using this search literal is the same as specifying AND conditions in the WHERE clause:

|FROM main WHERE sourcetype="secure" AND `invalid` AND `user` AND `sshd[5258]` |fields _time, source

Using search literals with functions

You can use search literals in any function that accepts a predicate or conditional expression.

The following search counts the occurrences of the value 500 in your events. The results are organized by the host field:

... | stats count(`500`) by host

This is the same as this search:

... | search 500 | stats count() by host


The search in the following example creates a field called error_type and uses the if function to specify a condition to determine the value to place in the error_type field.

... | eval error_type = if(`error=4*`, "user", "server")

If the value in the error field begins with 4, the string user is placed in the error_type field. Otherwise the string server is placed in the error_type field.

Use search literals to include SPL commands in SPL2 searches

If the SPL command is not supported in the SPL compatibility library, use a search literal to include the SPL command in your SPL2 searches.

For example, the top command returns the top X values for a specific field. The top command also returns two additional fields with information about the count and percent of the values within the dataset.

The SPL top command is not supported in SPL2 or in the SPL compatibility library. However, you can still use the SPL top command in your SPL2 search using a search literal.

$search = from sample_events where host="www3" | `top limit=20 referer`

See also

Related information
Types of expressions
Predicate expressions
Last modified on 13 April, 2023
Predicate expressions   Array and object literals in expressions

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters