Splunk® Cloud Services

SPL2 Search Manual


Search literals in expressions

A search literal is a predicate that you can use wherever an <expression> is used. Search literals simplify and streamline your search syntax.

Search literals must be enclosed in backtick characters ( ` ).

Using search literals with commands

One common use for search literals is in the WHERE clause of the from command.

The following search looks in the main index for events that contain both of the terms 500 and ERROR (an AND condition is implied between the terms in a search literal):

|FROM main WHERE `500 ERROR`

Simplifying your searches

Using search literals can simplify your search syntax.

Consider the following search:

|FROM main WHERE sourcetype="secure" |search "invalid user" AND "sshd[5258]" |fields _time, source

You can simplify the syntax by using a search literal. An AND condition is implied between the values specified in the search literal, so the literal below matches events that contain each of the terms invalid, user, and sshd[5258] anywhere in the event. Note that this is broader than the quoted phrase "invalid user" in the original search, which matches only the two words when they appear together:

|FROM main WHERE sourcetype="secure" AND `invalid user sshd[5258]` |fields _time, source

Using this search literal is the same as specifying AND conditions in the WHERE clause:

|FROM main WHERE sourcetype="secure" AND `invalid` AND `user` AND `sshd[5258]` |fields _time, source

Using search literals with functions

You can use search literals in any function that accepts a predicate or conditional expression.

The following search counts, for each host, the events that contain the term 500. The search literal is used as the predicate of the count function, so only events for which the predicate is true are counted:

... | stats count(`500`) by host

This is equivalent to filtering with the search command first and then counting the remaining events:

... | search 500 | stats count() by host

The following search creates a field called error_type and uses the if function with a search literal as its condition to decide which value to place in the error_type field:

... | eval error_type = if(`error=4*`, "user", "server")

The asterisk ( * ) is a wildcard, so error=4* matches any value that begins with 4, such as 401 or 404. If the value in the error field begins with 4, the string user is placed in the error_type field. Otherwise, the string server is placed in the error_type field.
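To make the implied-AND, phrase, and wildcard behaviour described in the two sections above concrete, here is an added Python model of how a search literal is evaluated against events. It is not Splunk code and is a deliberate simplification: a bare term is matched as a whole, case-insensitive token in _raw (real Splunk segmentation uses its own breaker rules), a double-quoted phrase must appear as adjacent words, field=value with * is a case-insensitive wildcard comparison on the field's value, and a missing field never matches. The events, field names (host, sourcetype, error) and log lines are constructed for the example. The functions mirror the searches on this page: count(`500`) by host, search 500 | stats count() by host, and if(`error=4*`, "user", "server"), and also show why `invalid user sshd[5258]` can match an event that the phrase search "invalid user" would not.

```python
"""Toy model of SPL2 search-literal evaluation (added example, not Splunk code).

Assumptions (simplifications of real Splunk behaviour):
  * a bare term matches if it appears in _raw as a whole token, case-insensitively
    (real Splunk uses its own segmentation/breaker rules);
  * a double-quoted phrase must appear as adjacent words;
  * field=pattern compares the field value with a case-insensitive * wildcard,
    and an event without that field never matches;
  * the predicates inside one literal are combined with an implied AND.
"""
import fnmatch
import re
from collections import Counter

# Constructed sample events; hosts, field names and log lines are invented.
EVENTS = [
    {"host": "web1", "sourcetype": "access", "error": "404",
     "_raw": "GET /admin 404 ERROR not found"},
    {"host": "web1", "sourcetype": "access", "error": "500",
     "_raw": "GET /api 500 ERROR upstream timeout"},
    {"host": "web2", "sourcetype": "access", "error": "503",
     "_raw": "GET /api 503 ERROR service unavailable"},
    {"host": "web2", "sourcetype": "access", "error": "200",
     "_raw": "GET /health 200 OK"},
    {"host": "bastion", "sourcetype": "secure",
     "_raw": "sshd[5258]: Invalid user admin from 203.0.113.7"},
    {"host": "bastion", "sourcetype": "secure",
     "_raw": "sshd[5258]: user invalid password for root from 203.0.113.7"},
]

# A double-quoted phrase, or a run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_literal(literal):
    """Split the text between the backticks into predicates (implied AND)."""
    preds = []
    for phrase, word in TOKEN_RE.findall(literal):
        if phrase:
            preds.append(("term", phrase))             # quoted: adjacent words
        elif "=" in word:
            name, pattern = word.split("=", 1)
            preds.append(("field", name, pattern.strip('"')))
        elif word:
            preds.append(("term", word))
    return preds


def term_in_raw(term, raw):
    """Whole-token, case-insensitive match of a term or phrase in _raw."""
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    return re.search(pattern, raw, re.IGNORECASE) is not None


def matches(literal, event):
    """Evaluate a search literal as a predicate over one event."""
    for pred in parse_literal(literal):
        if pred[0] == "field":
            _, name, pattern = pred
            value = str(event.get(name, ""))           # missing field never matches
            if not fnmatch.fnmatchcase(value.lower(), pattern.lower()):
                return False
        elif not term_in_raw(pred[1], event["_raw"]):
            return False
    return True


def select(literal, events):
    """... WHERE `literal`: keep only the events the predicate accepts."""
    return [e for e in events if matches(literal, e)]


def count_by(literal, events, by="host"):
    """stats count(`literal`) by host: count matching events per host."""
    return dict(Counter(e[by] for e in events if matches(literal, e)))


def search_then_count(literal, events, by="host"):
    """search literal | stats count() by host: filter first, then count."""
    return dict(Counter(e[by] for e in select(literal, events)))


def classify_error(event):
    """eval error_type = if(`error=4*`, "user", "server")."""
    return "user" if matches("error=4*", event) else "server"


if __name__ == "__main__":
    print(count_by("500", EVENTS))                          # {'web1': 1}
    print(search_then_count("500", EVENTS))                 # same result
    print([classify_error(e) for e in EVENTS[:4]])          # user, server, server, server
    # Implied AND matches both sshd events; the quoted phrase matches only one.
    print(len(select("invalid user sshd[5258]", EVENTS)))   # 2
    print(len(select('"invalid user" sshd[5258]', EVENTS))) # 1
```

The last two calls are the point worth remembering when you convert a phrase search into a search literal: the bare terms accept the "user invalid password" line as well, so a detection built on the literal will fire on more events than the phrase it replaced.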

See also

Related information
Predicate expressions
Last modified on 02 December, 2020

This documentation applies to the following versions of Splunk® Cloud Services: current
