Splunk® Enterprise

Search Manual


Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Use CASE() and TERM() to match phrases

If you want to search for a specific term or phrase in your Splunk index, use the CASE() or TERM() directives to do an exact match of the entire term.

  • CASE: Search for case-sensitive matches for terms and field values.
  • TERM: Match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor segmenters, such as periods or underscores.

When you search for a term that contains minor segmenters, the term is treated by default as a phrase. The Splunk software searches for the conjunction of the subterms (the terms between minor breakers) and post-filters the results. For example, when you search for the IP address 127.0.0.1, Splunk software searches for: 127 AND 0 AND 1

This search is not very efficient if the conjunction of these subterms is common, even if the whole term itself is not common.

When to use TERM

The TERM directive is useful when you are searching for a term:

  • That contains minor breakers, but does not contain major breakers
  • That is bounded by major breakers, such as spaces or commas

For example, the IP address 127.0.0.1 contains the period ( . ) minor breaker. If you specify TERM(127.0.0.1), the Splunk software treats the IP address as a single term, instead of individual numbers.

The TERM directive only works for terms that are bounded by major or minor breakers. The term you are searching for cannot contain major breakers. For example, you cannot search for Maria Dubois with TERM because there is a space between the names. This is illustrated in the examples below.

When you use the TERM directive, the Splunk software expects to see the term you specify as a token in the lexicon in the .tsidx file. For more information about how Splunk software breaks events up into searchable segments, see About segmentation in Getting Data In.

See Use the TERM directive to match terms that contain minor breakers.


Searching for TERM(127.0.0.1) works for raw data that looks like this:

127.0.0.1 - admin

Both 127.0.0.1 and admin are bounded by major breakers, in this case spaces.

However, searching for TERM(127.0.0.1) fails for data that looks like this:

ip=127.0.0.1 - user=admin

This is because the equal symbol ( = ) is a minor breaker, not a major breaker. Additionally, the IP address portion of the event is indexed as: ip, 127, 0, 1, and ip=127.0.0.1. You are looking for 127.0.0.1, which is not an indexed term.

If your data looks like this:

ip 127.0.0.1 - user admin

Searching for TERM(user admin) fails to return results. The space is a major breaker and the phrase "user admin" is not indexed as a single term. In this situation, use quotation marks to search for a string that contains a space, for example "user admin".
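
The following Python sketch is an added example, not Splunk code. It models the segmentation described above in simplified form to show which events TERM(127.0.0.1) can match, and why the default subterm conjunction also selects events that must then be post-filtered. The breaker lists are an assumed subset of the defaults, and the function names and sample events are constructed for illustration.

```python
# Assumption: a subset of Splunk's default breakers, not the full segmenters.conf list.
MAJOR = " \t\r\n,;!|&?+()[]{}<>'\"*"
MINOR = "/:=@.-$#%\\_"


def split_on(text, breakers):
    """Split text on any character in breakers, dropping empty pieces."""
    return "".join(" " if c in breakers else c for c in text).split()


def indexed_terms(raw):
    """Simplified lexicon for one event: every token bounded by major breakers,
    plus the subterms between its minor breakers (matching is case-insensitive)."""
    terms = set()
    for token in split_on(raw.lower(), MAJOR):
        subterms = split_on(token, MINOR)
        if subterms:  # skip tokens made only of breakers, such as a lone "-"
            terms.add(token)
            terms.update(subterms)
    return terms


def term_matches(value, raw):
    """TERM(value): the whole value must exist as a single token in the lexicon."""
    return value.lower() in indexed_terms(raw)


def default_candidate(value, raw):
    """Default search: the AND of the subterms selects candidate events,
    which are post-filtered against the full phrase afterwards."""
    lexicon = indexed_terms(raw)
    return all(s in lexicon for s in split_on(value.lower(), MAJOR + MINOR))


# Constructed sample events; the last one is a different address with the same subterms.
EVENTS = [
    "127.0.0.1 - admin",
    "ip=127.0.0.1 - user=admin",
    "ip 127.0.0.1 - user admin",
    "10.1.0.127 - admin",
]

if __name__ == "__main__":
    for raw in EVENTS:
        print(f"{raw!r:32} TERM={term_matches('127.0.0.1', raw)!s:5} "
              f"AND-candidate={default_candidate('127.0.0.1', raw)}")
```

The last event is why the default search can be slow when hunting for a specific address: it passes the 127 AND 0 AND 1 lookup and is only discarded by the post-filter, while the TERM lookup never selects it.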

See also

Related information
Event segmentation and searching
.conf talks
Mastering Search Speed
Last modified on 20 October, 2022

This documentation applies to the following versions of Splunk® Enterprise: 6.5.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.8, 8.0.0, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 9.0.0, 9.0.1, 9.0.2, 7.3.7, 7.3.9, 8.0.1, 8.0.10
