Searching in Splunk
The first time you use Splunk, you'll probably start by just searching the raw data to investigate problems — whether it's an application error, network performance problem, or security alert. Searching in Splunk is free form -- you can use familiar Boolean operators, wildcards and quoted strings to construct your searches. Type in keywords, such as a username, an IP address, a particular message... You're never limited to a few predetermined fields and you don't need to confront a complicated query builder, learn a query language, or know what field to search on. You can search by time, host and source.
This topic discusses how to start searching in Splunk Web from the Search app and by typing into the search bar. The following examples use Web access logs that contain the following information: IP addresses, browser versions, Web request protocols, HTTP status codes, website URLs, etc. Each of these examples stands alone; however, you can read the "Start searching tutorial" and "Use fields to search tutorial" for a more complete example.
Check the Search Reference Manual if you're looking for a reference for the commands in the Splunk search language or the Search command cheatsheet.
Go to the Search app
After logging into Splunk, you will see either the Welcome view or Splunk Home view.
- If you're in the Welcome view, select Launch search app.
- If you're in Splunk Home, select Search.
- If you are in another app, select the Search app from the App menu, which is located in the upper right corner of the window.
This takes you to the Summary dashboard of the Search app. For more information about what you will find in the Search app, read the Search App tutorial before you continue.
Start with simple terms
To begin your Splunk search, type in terms you might expect to find in your event data. For example, if you want to find events that might be HTTP 404 errors, type in the keywords:
http 404
Your search results are all events that have both HTTP and 404 in the raw text; this may or may not be exactly what you want to find. For example, your search results will include events that have website URLs, which begin with "http://", and any instance of "404", including a string of characters like "ab/404".
You can narrow the search by adding more keywords:
http 404 "not found"
Enclosing keywords in quotes tells Splunk to search for literal, or exact, matches. If you search for "not" and "found" as separate keywords, Splunk returns events that have both keywords, though not necessarily the phrase "not found".
You can also use Boolean expressions to narrow your search further.
Add Boolean expressions
Splunk supports the Boolean operators AND, OR, and NOT; the operators have to be capitalized. You can use parentheses to group Boolean expressions. For example, if you wanted all events for HTTP client errors not including 404 or 403, search with:
http client error NOT (403 OR 404)
In a Splunk search, the AND operator is implied; the previous search is the same as:
http AND client AND error AND NOT (403 OR 404)
This search returns all events that have the terms "HTTP", "client", and "error" and do not have the terms "403" or "404". Once again, the results may or may not be exactly what you want to find. Just as the earlier search for http 404 may include events you don't want, this search may both include events you don't want and exclude events you want.
Note: Splunk evaluates Boolean expressions in the following order: first, expressions within parentheses; then, OR clauses; finally,
Search with wildcards
Splunk supports the asterisk (*) wildcard for searching. Searching for * by itself means "match all" and returns all events up to the maximum limit. Using * as part of a word matches every term that fits the rest of that word.
The simplest beginning search is the search for *. Because this searches your entire index and returns an unlimited number of events, it's also not an efficient search. We recommend that you begin with a more specific search on your index.
If you wanted to see only events that matched HTTP client and server errors, you might search for:
http error (4* OR 5*)
This indicates to Splunk that you want events that have "HTTP" and "error" and the 4xx and 5xx classes of HTTP status codes. Once again, though, this will return many events that you may not want. For more specific searches, you can extract information and save it as fields.
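The keyword, Boolean, and wildcard behaviour described above can be worked through on a handful of sample events. The following Python model is an added example, not Splunk's code or part of the original documentation: it splits each event into index terms at whitespace and at an assumed set of minor breakers ("/", ":", "=", ".", "_"), so that "ab/404" yields the term "404", and it parses queries with the precedence the note gives (parentheses, then OR, then the implied AND). The events are constructed for the example.

```python
import re
from typing import List

# Constructed sample events (hypothetical web access log lines, not real data).
EVENTS = [
    "GET /index.html HTTP/1.1 200",
    "GET /missing HTTP/1.1 404 not found",
    "GET http://example.com/ab/404 HTTP/1.1 200",   # 404 only appears inside the URL path
    "HTTP client error 403 forbidden",
    "HTTP client error 401 unauthorized",
    "HTTP server error 503 service unavailable",
    "HTTP client error 404 not found",
]

# Assumed approximation of Splunk's segmentation: events are cut into terms at
# whitespace and at minor breakers such as "/", ":", "=", "." and "_".
BREAKERS = re.compile(r"[\s/:=._\-@#$%\\]+")


def terms(event: str) -> set:
    """Lower-cased set of index terms for one raw event."""
    return {t.lower() for t in BREAKERS.split(event) if t}


def term_matches(term: str, event: str) -> bool:
    """One search term against one event: quoted phrase, wildcard, or plain keyword."""
    if len(term) >= 2 and term[0] == term[-1] == '"':
        # Quoted phrase: literal, case-insensitive substring of the raw text.
        return term[1:-1].lower() in event.lower()
    if "*" in term:
        # Wildcard: "*" matches any run of characters within a single term.
        pattern = re.compile("^" + re.escape(term.lower()).replace(r"\*", ".*") + "$")
        return any(pattern.match(t) for t in terms(event))
    return term.lower() in terms(event)


class Query:
    """Parses a keyword query with AND (implied or explicit), OR, NOT and parentheses.

    Precedence follows the documentation's note: parentheses first, then OR,
    then AND, so "error 403 OR 404" reads as error AND (403 OR 404).
    """

    def __init__(self, query: str):
        self.toks = re.findall(r'"[^"]*"|[()]|[^\s()"]+', query)
        self.pos = 0
        self.tree = self._and_expr()
        if self.pos != len(self.toks):
            raise ValueError("unbalanced parentheses in query: " + query)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self) -> str:
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def _and_expr(self):
        parts = [self._or_expr()]
        while self._peek() not in (None, ")"):
            if self._peek() == "AND":
                self._next()          # explicit AND is the same as the implied one
            parts.append(self._or_expr())
        return ("AND", parts)

    def _or_expr(self):
        parts = [self._unary()]
        while self._peek() == "OR":
            self._next()
            parts.append(self._unary())
        return ("OR", parts)

    def _unary(self):
        tok = self._next()
        if tok == "NOT":
            return ("NOT", self._unary())
        if tok == "(":
            node = self._and_expr()
            if self._peek() != ")":
                raise ValueError("expected ')'")
            self._next()
            return node
        return ("TERM", tok)

    def matches(self, event: str) -> bool:
        return self._eval(self.tree, event)

    def _eval(self, node, event: str) -> bool:
        kind, payload = node
        if kind == "AND":
            return all(self._eval(n, event) for n in payload)
        if kind == "OR":
            return any(self._eval(n, event) for n in payload)
        if kind == "NOT":
            return not self._eval(payload, event)
        return term_matches(payload, event)


def search(query: str, events: List[str]) -> List[str]:
    """Return the events matching a query, in their original order."""
    q = Query(query)
    return [e for e in events if q.matches(e)]


if __name__ == "__main__":
    for q in ["http 404", 'http 404 "not found"', "http client error NOT (403 OR 404)",
              "http error (4* OR 5*)", "error 403 OR 404", "(error 403) OR 404"]:
        print(f"{q!r}: {len(search(q, EVENTS))} events")
```

Running it shows the two caveats from the text: `http 404` also returns the event whose only "404" sits inside a URL path, and `error 403 OR 404` returns two events while `(error 403) OR 404` returns four, because OR is evaluated before the implied AND.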
Search with fields
When you index data, Splunk automatically adds fields to your event data for you. You can use these fields to search, edit the fields to make them more useful, extract additional knowledge and save them as custom fields. For more information about fields and how to use, edit, and add fields, read the "Capture Knowledge" chapter in this manual.
Splunk lists fields that it has extracted in the Field Picker to the left of your search results in Splunk Web. Click a field name to see information about that field, add it to your search results, or filter your search to display only results that contain that field. When you filter your search with a field from the Field Picker, Splunk edits the search bar to include the selected field.
Alternately, you can type the field name and value directly into your search bar. A field name and value pair can be expressed in two ways:
Note: Field names are case sensitive.
Let's assume that the event type for your Web access logs is eventtype=webaccess and you saved a field called status for the HTTP status codes in your event data. Now, if you wanted to search for HTTP 404 errors, you can restrict your search to the specific
Use wildcards to match multiple field values
If you're interested in seeing multiple values for the status field, you can use wildcards. For example, to search for Web access events that are HTTP client errors (4xx) or HTTP server errors (5xx), type:
eventtype=webaccess status=4* OR status=5*
Use comparison operators to match field values
You can use comparison operators to match a specific value or a range of field values. Comparison operators work only when searching with field/value pairs.
- Comparison expressions with = and != work with all field/value pairs, including multivalued fields.
- Comparison expressions with <, <=, >, and >= work only with fields that have numeric values.
|Operator|Example|Description|
|---|---|---|
|=|field=foo|Field values that exactly match "foo".|
|!=|field!=foo|Field values that don't exactly match "foo".|
|<|field<x|Numerical field values that are less than x.|
|>|field>x|Numerical field values that are greater than x.|
|<=|field<=x|Numerical field values that are less than or equal to x.|
|>=|field>=x|Numerical field values that are greater than or equal to x.|
This example searches for a range of client and server errors from 400 to 503, inclusive (the AND between the two comparisons is implied):
eventtype=webaccess status>=400 status<=503
This example searches for all web access events, counts them by host and status, and then returns only the host/status pairs with a count greater than 10.
eventtype=webaccess | stats count by host, status | search count > 10
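To make the field/value semantics concrete, here is an added Python example (not Splunk's code and not part of the original documentation) that evaluates the comparison operators from the table against events with already-extracted fields, then reproduces the `stats count by host, status | search count > 10` pipeline. The events, hosts and URIs are constructed for the example; `=` and `!=` accept wildcards, and the ordering operators return no match for non-numeric values, as the text states.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase
from typing import Dict, List


def make_event(host: str, status: int, uri: str) -> Dict[str, object]:
    return {"eventtype": "webaccess", "host": host, "status": status, "uri": uri}


# Constructed sample events with fields already extracted (hypothetical hosts and URIs).
EVENTS: List[Dict[str, object]] = (
    [make_event("web1", 200, "/index.html") for _ in range(5)]
    + [make_event("web1", 404, f"/admin{i}") for i in range(12)]   # one host, many 404s
    + [make_event("web2", 404, "/favicon.ico") for _ in range(3)]
    + [make_event("web2", 503, "/api") for _ in range(2)]
    + [make_event("web1", 401, "/login") for _ in range(4)]
)

COMPARISON = re.compile(r"(\w+)(<=|>=|!=|=|<|>)(.+)")


def field_match(event: Dict[str, object], expr: str) -> bool:
    """Evaluate one field/value comparison such as status>=400 or status=4* against an event."""
    m = COMPARISON.fullmatch(expr)
    if not m:
        raise ValueError("not a field comparison: " + expr)
    name, op, value = m.groups()
    if name not in event:            # field names are case sensitive
        return False
    actual = event[name]
    if op in ("=", "!="):
        # = and != work on any field; "*" in the value acts as a wildcard
        hit = fnmatchcase(str(actual), value)
        return hit if op == "=" else not hit
    try:
        left, right = float(actual), float(value)
    except (TypeError, ValueError):
        return False                 # <, <=, >, >= only apply to numeric values
    return {"<": left < right, "<=": left <= right, ">": left > right, ">=": left >= right}[op]


def field_search(events, *exprs) -> List[Dict[str, object]]:
    """Events matching every comparison (adjacent terms are ANDed, as in the search bar)."""
    return [e for e in events if all(field_match(e, x) for x in exprs)]


def stats_count_by(events, *fields) -> List[Dict[str, object]]:
    """Equivalent of '| stats count by <fields>': one row per distinct combination."""
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)
    rows = [dict(zip(fields, key), count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: -r["count"])


def noisy_pairs(events, threshold: int = 10) -> List[Dict[str, object]]:
    """eventtype=webaccess | stats count by host, status | search count > threshold"""
    rows = stats_count_by(field_search(events, "eventtype=webaccess"), "host", "status")
    return [r for r in rows if r["count"] > threshold]


if __name__ == "__main__":
    errors = field_search(EVENTS, "eventtype=webaccess", "status>=400", "status<=503")
    print(len(errors), "events with status 400..503")
    print(noisy_pairs(EVENTS))
```

The `noisy_pairs` result is the kind of output that turns a raw search into a detection: a single host/status pair crossing the threshold (here, twelve 404s on one host) stands out, while the same 404s spread across hosts would not.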
Match phrases with the TERM() directive
When searching for phrases in your events, you can also use the TERM() directive. TERM forces Splunk to match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as breaks or delimiters (such as underscores and spaces).
If you searched for the quoted phrase "error_type", Splunk ends up searching for "error" and "type" and post-filtering the results. This would also include events that contained "error_type" as a segment of other keywords or phrases, for example "error_type.default" or "this_error_type". If you use TERM(error_type), you force Splunk to exclude these other keywords.
This example searches for a specific IP address:
TERM(srcip=192.168.12.34) OR srcip=TERM(*192.168.12.34)
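The difference between a quoted phrase and TERM() comes down to how events are segmented. The following Python model is an added example, not Splunk's code or part of the original documentation; it assumes a simplified version of the default segmentation (major breakers such as whitespace and brackets cut an event into whole tokens, minor breakers such as "_", ".", "=" and ":" cut those further). A quoted phrase is modelled as a lookup of the phrase's minor tokens followed by a post-filter on the literal text, and TERM() as an exact match on one major-breaker-bounded token. The log lines are constructed.

```python
import re
from typing import List

# Assumed, simplified breaker sets: major breakers bound whole tokens, minor breakers
# subdivide them. Real Splunk segmentation is configurable and richer than this.
MAJOR_BREAKERS = re.compile(r'''[\s\[\]<>(){}|!;,'"&?+]+''')
MINOR_BREAKERS = re.compile(r"[/:=@.\-$#%\\_]+")


def major_tokens(text: str) -> List[str]:
    """Whole tokens, as bounded by major breakers (lower-cased)."""
    return [t.lower() for t in MAJOR_BREAKERS.split(text) if t]


def minor_tokens(text: str) -> List[str]:
    """Sub-terms produced by further splitting each major token at minor breakers."""
    return [m for t in major_tokens(text) for m in MINOR_BREAKERS.split(t) if m]


def phrase_search(phrase: str, events: List[str]) -> List[str]:
    """Quoted phrase: fetch events holding every sub-term, then post-filter on the literal text."""
    needed = set(minor_tokens(phrase))
    return [e for e in events
            if needed <= set(minor_tokens(e)) and phrase.lower() in e.lower()]


def term_search(term: str, events: List[str]) -> List[str]:
    """TERM(): the whole string must appear as one token bounded by major breakers."""
    return [e for e in events if term.lower() in major_tokens(e)]


# Constructed sample events (hypothetical application and firewall log lines).
EVENTS = [
    "2012-03-01 10:00:01 app=api error_type=timeout upstream=db1",
    "2012-03-01 10:00:02 app=api error_type.default loaded",
    "2012-03-01 10:00:03 app=api this_error_type seen",
    "2012-03-01 10:00:04 app=api error type mismatch in request",
    "2012-03-01 10:00:05 app=api error_type unset for handler",
    "2012-03-01 10:00:06 srcip=192.168.12.34 dport=443 action=blocked",
]

if __name__ == "__main__":
    print('"error_type"              ->', len(phrase_search("error_type", EVENTS)), "events")
    print("TERM(error_type)          ->", len(term_search("error_type", EVENTS)), "events")
    print("TERM(srcip=192.168.12.34) ->", term_search("srcip=192.168.12.34", EVENTS))
    print("TERM(192.168.12.34)       ->", term_search("192.168.12.34", EVENTS))
```

In this model the quoted phrase returns the "error_type.default" and "this_error_type" events as well, TERM(error_type) returns only the event where the term stands alone, and TERM(srcip=192.168.12.34) matches while TERM(192.168.12.34) does not, because the "=" that precedes the address is a minor breaker rather than a major one; that is why the documentation's example pairs the full `srcip=` token with a wildcard form.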
Use search actions
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7