Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Welcome to the Search Reference

This manual is a reference guide for the Search Processing Language (SPL). In this manual you will find a catalog of the search commands with complete syntax, descriptions, and examples. Additionally, this manual includes quick reference information about the categories of commands, the functions you can use with commands, and how SPL relates to SQL.

Getting Started

If you are new to Splunk Enterprise and search, start with the Search Tutorial. This tutorial introduces you to the Search and Reporting application. The tutorial guides you through adding data to Splunk Enterprise, searching your data, and building simple reports and dashboards.

Before you can start using search on your own Splunk Enterprise instance:

Search Manual

The Search Manual contains detailed information about creating and optimizing searches.

  • Types of searches
  • Retrieving events
  • Specifying time ranges
  • Using subsearches
  • Creating statistical tables and charts
  • Grouping and correlating events
  • Predicting future events

Quick Reference Information

The Splunk Enterprise Quick Reference Guide contains:

  • Explanations about Splunk Enterprise features
  • Common search commands
  • Tips on optimizing searches
  • Functions for the eval and stats commands
  • Search examples
  • Regular expressions
  • Formats for converting strings into timestamps


The search commands by category topic organizes the commands by the type of action that the command performs.

For example, commands in the reporting category, are used to build transforming searches. Reporting commands return statistical data tables that are required for charts and other kinds of data visualizations.

This topic contains a brief description of each command along with a link to the details about the command in the Command Reference section of this manual.

Before you continue, read Understanding SPL syntax for the conventions and rules used in this manual.

Last modified on 02 May, 2016
  NEXT
Understanding SPL syntax

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.13, 6.2.14, 6.2.15

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters