Search command primer
At the beginning of a search pipeline, the search command is implied, even though you do not explicitly specify it. If you type in
It is as if you typed in
Use keywords, phrases, fields, boolean expressions, and comparison expressions to specify exactly which events you want to retrieve from Splunk indexes.
For specific information see:
- Boolean expressions
- Field expressions
- Difference between NOT and !=
- Use CASE and TERM to match phrases
- SPL and regular expressions
Keywords and phrases
By default, when you search with keywords and phrases, Splunk software retrieves events by matching against the raw event field, _raw, in your data. When you start adding search modifiers, such as fields like tag, you are also matching against pieces of information that have been extracted from the
When searching for strings, which includes keywords and quoted phrases (or anything that's not a search modifier), Splunk software searches the _raw field for the matching events or results. Some examples of keywords and phrases are:
Note that the search for the quoted phrase "web error" is not the same as the search before it. When you search for web error, Splunk software returns events that contain both "web" and "error". When you search for "web error", Splunk software only returns events that contain the phrase "web error".
To search for a file path, such as D:\Digital\RTFM, you can just specify the file path in your search. You don't need quotation marks around the phrase and you don't need to escape any characters, because the phrase contains only minor breakers, such as a colon ( : ) and a backslash ( \ ).
However, if the file path contains spaces you must enclose it in quotation marks. For example:
"D:\Digital\RTFM Backup Folder"
A space is considered a major breaker in data. To learn more about major and minor breakers, see Event segmentation and searching.
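The following Python script is an added example, not part of the Splunk documentation and not Splunk's own tokenizer. It is a deliberately simplified model of the behaviour described above: a query is split on spaces (major breakers) unless the text is quoted, unquoted keywords are matched as terms after the raw event is segmented on major and minor breakers, and a quoted phrase must appear as a contiguous run of segments. The event lines and the sets of breaker characters are constructed for the illustration; they show why "web error" matches fewer events than web error, why D:\Digital\RTFM needs no quotes, and why a path containing a space does.

```python
"""Toy model of Splunk's implicit `search` command (constructed example, not Splunk code).

It demonstrates keyword vs. quoted-phrase matching and why a space (a major
breaker) forces quotation marks while ':' and '\\' (minor breakers) do not.
"""
import re

# Simplified breaker sets, modelled on Splunk's defaults for illustration only.
MAJOR_BREAKERS = re.compile(r"[\s\[\]<>(){}|!;,'\"*&?+]")
MINOR_BREAKERS = re.compile(r"[/:=@.\-$#%\\_]")

# A quoted phrase or a run of non-space characters in the query.
QUERY_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample events standing in for the _raw field.
EVENTS = [
    "Aug 14 12:00:01 web01 httpd: GET /index.html 200",
    "Aug 14 12:00:02 web01 httpd: error reading config for web vhost",
    "Aug 14 12:00:03 app02 backup: web error while syncing D:\\Digital\\RTFM",
    "Aug 14 12:00:04 app02 backup: copied D:\\Digital\\RTFM Backup Folder to tape",
    "Aug 14 12:00:05 db03 postgres: checkpoint complete",
    "Aug 14 12:00:06 app02 backup: Folder D:\\Digital\\RTFM missing from Backup set",
]


def parse_query(query: str) -> list[tuple[bool, str]]:
    """Split a query on whitespace, keeping quoted phrases whole.

    Returns (is_phrase, text) pairs; keyword matching is case-insensitive.
    """
    terms = []
    for phrase, word in QUERY_TOKEN.findall(query):
        terms.append((False, word) if word else (True, phrase))
    return terms


def segments(raw: str) -> list[str]:
    """Ordered, lower-cased segments of an event split on major breakers only."""
    return [s.lower() for s in MAJOR_BREAKERS.split(raw) if s]


def index_terms(raw: str) -> set[str]:
    """Terms an unquoted keyword can match: each major segment plus its minor sub-tokens.

    'D:\\Digital\\RTFM' therefore yields the whole segment and 'd', 'digital', 'rtfm'.
    """
    terms: set[str] = set()
    for segment in segments(raw):
        terms.add(segment)
        terms.update(sub for sub in MINOR_BREAKERS.split(segment) if sub)
    return terms


def term_matches(term: tuple[bool, str], raw: str) -> bool:
    """A phrase must appear as consecutive segments; a keyword only has to be present."""
    is_phrase, text = term
    if not is_phrase:
        return text.lower() in index_terms(raw)
    needle, hay = segments(text), segments(raw)
    return any(hay[i:i + len(needle)] == needle for i in range(len(hay) - len(needle) + 1))


def search(query: str, events: list[str]) -> list[int]:
    """Implicit `search`: every term must match (implied AND). Returns matching indexes."""
    terms = parse_query(query)
    return [i for i, raw in enumerate(events) if all(term_matches(t, raw) for t in terms)]


if __name__ == "__main__":
    for q in ['web error', '"web error"', r'D:\Digital\RTFM',
              r'D:\Digital\RTFM Backup Folder', r'"D:\Digital\RTFM Backup Folder"']:
        print(f"{q:40} -> events {search(q, EVENTS)}")
```

Running the script shows that the unquoted path D:\Digital\RTFM Backup Folder also returns the event in which "Folder", the path and "Backup" occur separately, which is exactly the false positive the quotation marks remove when the path contains a space.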
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103