search command overview
search command to retrieve events from one or more index datasets, or to filter search results that are already in memory.
You can retrieve events from your datasets using keywords, quoted phrases, wildcards, and field-value expressions. When the
search command is not the first command in the pipeline, it is used to filter the results of the previous command.
The required syntax is in bold.
- search <search-expression>
How the search command works
You specify a search expression, such as a keyword or a field-value pair, when you use the
Keyword searches are searches for literal values, terms or phrases, that appear in your events.
search command to perform keyword searches against events in your indexes, similar to searching the internet using a web browser. For example, you can search for a literal value such as
Keyword searches are not case sensitive. The following search returns any event that contains the term
itemId, including all variations of the capitalization of that term, such as
| search itemId
To search for a phrase, enclose the phrase in double quotations. For example, this search returns only those events where the term
Windows is immediately followed by a space and the number
| search "Windows 10"
You also use double quotations for terms that contain punctuation, for example:
| search "SC-MG-G10"
Search using field-value pairs
When you are looking for a specific value in a field, identify the field in your search using a field-value pair.
The field name is case sensitive, the field value is not case sensitive.
For example, to search the
categoryId field for the value
sports, use this search:
| search categoryId=sports
Searching for multiple keywords
When you specify multiple terms to search for, there is an implied AND operator between each term. In the following example, the search looks only for events where the term
www2 exists and the
categoryId field contains
| search www2 categoryId=sports
This is the same as if you explicitly included the AND operator in your search, such as:
| search www2 AND categoryId=sports
search command, along with the
from command, is one of the most powerful commands in SPL2.
There are a wide variety of search expressions that you can specify with the
search command. To learn more about how you can use the
search command, see search command syntax details and search command usage for examples of common search expressions.
For a complete description of the types of expressions that you can use in SPL2, see Types of expressions in the SPL2 Search Manual.
rex command examples
search command syntax details
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!