Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF



Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. You can retrieve events from your indexes, using keywords, quoted phrases, wildcards, and key/value expressions. The search command is implied at the beginning of any search. You do not need to specify the search command at the beginning of your search criteria.

When the search command is not the first command in the pipeline, the search command is used to filter the results of the previous command and is referred to as a subsearch. See about subsearches in the Search Manual.

After you retrieve events, you can apply commands to transform, filter, and report on the events. Use the vertical bar "|" , or pipe character, to apply a command to the retrieved events.


search <logical-expression>

Required arguments

Syntax: <logical-expression> | <time-opts> | <search-modifier> | NOT <logical-expression> | <index-expression> | <comparison-expression> | <logical-expression> [OR] <logical-expression>
Description: Includes all keywords or key/value pairs used to describe the events to retrieve from the index. Include parenthesis as necessary. Use Boolean expressions, comparison operators, time modifiers, search modifiers, or combinations of expressions for this argument.

Logical expression options

Syntax: <field><comparison-operator><value>
Description: Compare a field to a literal value.
Syntax: "<string>" | <term> | <search-modifier>
Description: Describe the events you want to retrieve from the index using literal strings and search modifiers.
Syntax: [<timeformat>] (<time-modifier>)*
Description: Describe the format of the starttime and endtime terms of the search

Comparison expression options

Syntax: = |  != | < | <= | > | >=
Description: You can use comparison operators when searching field/value pairs. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. For example, "1" does not match "1.0". Comparison expressions with greater than or less than operators < > <= >= numerically compare two numbers and lexicographically compare other values. See Usage.
Syntax: <string>
Description: The name of a field.
Syntax: <literal-value>
Description: In comparison-expressions, the literal number or string value of a field.

Index expression options

Syntax: "<string>"
Description: Specify keywords or quoted phrases to match. When searching for strings and quoted strings (anything that's not a search modifier), Splunk software searches the _raw field for the matching events or results.
Syntax: <sourcetype-specifier> | <host-specifier> | <hosttag-specifier> | <source-specifier> | <savedsplunk-specifier> | <eventtype-specifier> | <eventtypetag-specifier> | <splunk_server-specifier>
Description: Search for events from specified fields or field tags. For example, search for one or a combination of hosts, sources, source types, saved searches, and event types. Also, search for the field tag, with the format: tag::<field>=<string>.

Syntax: host=<string>
Description: Search for events from the specified host field.
Syntax: hosttag=<string>
Description: Search for events that have hosts that are tagged by the string.
Syntax: eventtype=<string>
Description: Search for events that match the specified event type.
Syntax: eventtypetag=<string>
Description: Search for events that would match all eventtypes tagged by the string.
Syntax: savedsearch=<string> | savedsplunk=<string>
Description: Search for events that would be found by the specified saved search.
Syntax: source=<string>
Description: Search for events from the specified source field.
Syntax: splunk_server=<string>
Description: Search for events from a specific server. Use "local" to refer to the search head.

Time options

For a list of time modifiers, see Time modifiers for search

Syntax: timeformat=<string>
Description: Set the time format for starttime and endtime terms.
Default: timeformat=%m/%d/%Y:%H:%M:%S.
Syntax: starttime=<string> | endtime=<string> | earliest=<time_modifier> | latest=<time_modifier>
Description: Specify start and end times using relative or absolute time.

Note: You can also use the earliest and latest attributes to specify absolute and relative time ranges for your search. Read more about this time modifier syntax in About search time ranges in the Search Manual.

Syntax: starttime=<string>
Description: Events must be later or equal to this time. Must match timeformat.
Syntax: endtime=<string>
Description: All events must be earlier or equal to this time.


The search command is a generating command that enables you to use keywords, phrases, fields, boolean expressions, and comparison expressions to specify exactly which events you want to retrieve from Splunk indexes.

Some examples of search terms are:

  • keywords: error login
  • quoted phrases: "database error"
  • boolean operators: login NOT (error OR fail)
  • wildcards: fail*
  • field values: status=404, status!=404, or status>200

See Use the search command in the Search Manual.

Comparing two fields

To compare two fields, do not specify index=myindex fieldA=fieldB or index=myindex fieldA!=fieldB with the search command. When specifying a comparison_expression, the search command expects a <field> compared with a <value>. The search command interprets fieldB as the value, and not as the name of a field.

Use the where command instead.

index=myindex | where fieldA=fieldB

For not equal comparisons, you can specify the criteria in several ways.

index=myindex | where fieldA!=fieldB


index=myindex | where NOT fieldA=fieldB

See Difference between NOT and != in the Search Manual.

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

Quotes and escaping characters

In general, you need quotation marks around phrases and field values that include white spaces, commas, pipes, quotations, and brackets. Quotation marks must be balanced. An opening quotation must be followed by an unescaped closing quotation. For example:

  • A search such as error | stats count will find the number of events containing the string error.
  • A search such as ... | search "error | stats count" would return the raw events containing error, a pipe, stats, and count, in that order.

Additionally, you want to use quotation marks around keywords and phrases if you do not want to search for their default meaning, such as Boolean operators and field/value pairs. For example:

  • A search for the keyword AND without meaning the Boolean operator: error "AND"
  • A search for this field/value phrase: error "startswith=foo"

The backslash character (\) is used to escape quotes, pipes, and itself. Backslash escape sequences are still expanded inside quotation marks. For example:

  • The sequence \| as part of a search will send a pipe character to the command, instead of having the pipe split between commands.
  • The sequence \" will send a literal quotation mark to the command, for example for searching for a literal quotation mark or inserting a literal quotation mark into a field using rex.
  • The \\ sequence will be available as a literal backslash in the command.

Unrecognized backslash sequences are not altered:

  • For example \s in a search string will be available as \s to the command, because \s is not a known escape sequence.
  • However, in the search string \\s will be available as \s to the command, because \\ is a known escape sequence that is converted to \.

Search with TERM()

You can use the TERM() directive to force Splunk software to match whatever is inside the parentheses as a single term in the index. TERM is more useful for cases where the term contains minor segmenters, such as periods and commas, and is bounded by major segmenters, such as spaces or commas. In fact, TERM does not work for terms that are not bounded by major breakers.

Search with CASE()

You can use the CASE() directive to search for terms and field values that are case-sensitive.


These examples demonstrate how to use the search command. You can find more examples in the Start Searching topic of the Search Tutorial.

Example 1: This example demonstrates key/value pair matching for specific values of source IP (src) and destination IP (dst).

src="10.9.165.*" OR dst=""

Example 2: This example demonstrates key/value pair matching with boolean and comparison operators. Search for events with code values of either 10 or 29, any host that isn't "localhost", and an xqp value that is greater than 5.

(code=10 OR code=29) host!="localhost" xqp>5

Example 3: This example demonstrates key/value pair matching with wildcards. Search for events from all the webservers that have an HTTP client or server error status.

host=webserver* (status=4* OR status=5*)

Example 4: This example uses search later in the pipeline to filter out search results. This search defines a web session using the transaction command and searches for the user sessions that contain more than three events.

eventtype=web-traffic | transaction clientip startswith="login" endswith="logout" | search eventcount>3

Example 5: Searching with the boolean "NOT"comparison operator is not the same as using the "!=" comparison. The following search returns returns everything except fieldA="value2", including all other fields.

NOT fieldA="value2"

The following search returns events where fieldA exists and does not have the value "value2".


If you use a wildcard for the value, NOT fieldA=* returns events where fieldA is null or undefined, and fieldA!=* never returns any events.

See Difference between NOT and != in the Search Manual.


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the search command.

Last modified on 19 April, 2017

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters