Welcome to the Search Reference
This manual is a reference guide for the Search Processing Language (SPL). In this manual you will find a catalog of the search commands with complete syntax, descriptions, and examples. Additionally, this manual includes quick reference information about the categories of commands, the functions you can use with commands, and how SPL relates to SQL.
Getting Started
If you are new to Splunk software and searching, start with the Search Tutorial. This tutorial introduces you to the Search & Reporting application. The tutorial guides you through uploading data to your Splunk deployment, searching your data, and building simple charts, reports, and dashboards.
After you complete the Search Tutorial, and before you start using Splunk software on your own data you should:
- Add data to your Splunk instance. See Getting Data In.
- Understand how indexing works and how data is processed. See Managing Indexers and Clusters of Indexers.
- Learn about fields and knowledge objects, such as hosts, source types, and event types. See the Knowledge Manager Manual.
Search Manual
The Search Manual is a companion manual to the Search Reference. The Search Manual contains detailed information about creating and optimizing searches.
- Types of searches
- Retrieving events
- Specifying time ranges
- Optimizing searches
- Using subsearches
- Creating statistical tables and charts
- Grouping and correlating events
- Predicting future events
- Managing jobs
Quick Reference Information
The Quick Reference Guide contains:
- Explanations about Splunk features
- Common search commands
- Tips on optimizing searches
- Functions for the
evalandstatscommands - Search examples
- Regular expressions
- Formats for converting strings into timestamps
SPL commands
The Search Processing Language (SPL) includes a wide range of commands.
There are two quick reference guides for the commands:
- The Command quick reference topic contains an alphabetical list of each command, along with a brief description of what the command does and a link to the specific documentation for the command.
- The Commands by category topic organizes the commands by the type of action that the command performs. This topic contains a brief description of what the command does and a link to the specific documentation for the command.
SQL users
If you're familiar with SQL, see Splunk SPL for SQL users to see how to use your SQL knowledge to learn SPL.
Command syntax
Before you continue, see Understanding SPL syntax for the conventions and rules used in this manual.
| Understanding SPL syntax |
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!