Splunk Cloud Platform

Search Experience preview

This documentation does not apply to the most recent version of Splunk Cloud Platform. For documentation on the most recent version, go to the latest release.

Syntax highlighting

Color-coding makes the SPL2 commands, arguments, functions, and keywords easier to identify in the SPL2 Editor. This color-coding is called syntax highlighting.

The light theme and dark theme colors are similar for each search element. To change the color theme, see User customizations.

Light theme

The following table shows examples of the colors used for each search element on the light theme background:

| Color | Search element | Examples |
| --- | --- | --- |
| light gray | Comments. Both block and line comments are supported. See Using comments in SPL2 in the SPL2 Search Manual. | This image shows examples of block comments and line comments colored in light gray. Block comments start with a forward slash and an asterisk ( /* ) and end with an asterisk and a forward slash ( */ ). Line comments start with two forward slashes ( // ). |
| dark orange | Identifiers, such as dataset names, field names, command argument names, and function names. This also includes quoted identifiers such as the 'http status' field. | This image shows search examples where index names, like "main", and field names, like "buffer_size", are colored dark orange. |
| blue | Command names and keywords such as AS, BY, FUNCTION, and TYPE. This includes the names of the clauses used with the select and from commands, such as WHERE and GROUP BY. Logical operators such as AND and OR. Relational operators such as =, !=, <, and >. Conditional and pattern matching operators such as BETWEEN, LIKE, and IN. | This image shows search examples where command names, keywords, and logical operators are colored blue. For example, in the SPL "stats sum(bytes) BY host" the stats command and the BY keyword are colored blue. In the SPL "WHERE srcip BETWEEN "192.0.2.0" AND "192.0.2.255"" the WHERE command and the BETWEEN and AND operators are colored blue. |
| red | Relative times including snap-to times such as -5m, +24h, -8days, @d7, -1d@d. See Specifying relative time in the SPL2 Search Manual. | This image shows search examples that include relative times. For example, in the SPL "WHERE earliest=-4d and latest=-1d@d", the -4d and -1d@d are colored red. |
| light brown | Strings and numeric values such as integer, double, float, long. | This image shows search examples where strings, which always appear in double quotation marks, are colored light brown. For example, in the SPL "WHERE srcip BETWEEN "192.0.2.0" AND "192.0.2.225"" the IP addresses are colored light brown. Numbers also appear in light brown. For example, in the SPL "error NOT (403 OR 404)" the HTTP error codes are colored light brown. |
| black | Delimiters such as pipe ( \| ) characters, parentheses ( ), commas, colons, square brackets [ ], curly braces { }. | This image shows search examples where the delimiters are colored black. |
| pink | Parameter names, such as the names of search statements and function parameters. For example, $search16 or the names of function parameters like $field and $precision. | This image shows search examples where parameter names are colored pink. For example, in the SPL "$search16 = FROM main WHERE earliest=-4d" the name of the search "$search16" is colored pink. |
| red | Data types such as string, number, and custom data types, like person. See Built-in data types in the SPL2 Search Reference. | This image shows custom data types and custom function examples where the data types are colored red. For example, in the custom function "function mynum($x:number) {return $x}" the data type "number" is colored red. |
| dark grey | Terms that are used with the search command, numbers that are interpreted as strings, and the default color for elements that don't fit into other categories. | This image shows a search example where numbers that are interpreted as strings are colored dark grey. For example, in the SPL "search status IN (401, 403)" the numbers 401 and 403 are colored dark grey. |

Dark theme

The following table shows examples of the colors used for each search element on the dark theme background:

| Color | Search element | Examples |
| --- | --- | --- |
| light gray | Comments. Both block and line comments are supported. See Using comments in SPL2 in the SPL2 Search Manual. | This image shows examples of block comments and line comments colored in light gray. Block comments start with a forward slash and an asterisk ( /* ) and end with an asterisk and a forward slash ( */ ). Line comments start with two forward slashes ( // ). |
| dark orange | Identifiers, such as dataset names, field names, command argument names, and function names. This also includes quoted identifiers such as the 'http status' field. | This image shows search examples where index names, like "main", and field names, like "buffer_size", are colored orange. |
| blue | Command names and keywords such as AS, BY, FUNCTION, and TYPE. This includes the names of the clauses used with the select and from commands, such as WHERE and GROUP BY. Logical operators such as AND and OR. Relational operators such as =, !=, <, and >. Conditional and pattern matching operators such as BETWEEN, LIKE, and IN. | This image shows search examples where command names, keywords, and logical operators are colored blue. For example, in the SPL "stats sum(bytes) BY host" the stats command and the BY keyword are colored blue. In the SPL "WHERE srcip BETWEEN "192.0.2.0" AND "192.0.2.255"" the WHERE command and the BETWEEN and AND operators are colored blue. |
| dark blue | Relative times including snap-to times such as -5m, +24h, -8days, @d7, -1d@d. See Specifying relative time in the SPL2 Search Manual. | This image shows search examples that include relative times. For example, in the SPL "WHERE earliest=-4d and latest=-1d@d", the -4d and -1d@d are colored dark blue. |
| light brown | Strings and numeric values such as integer, double, float, long. | This image shows search examples where strings, which always appear in double quotation marks, are colored light brown. For example, in the SPL "WHERE srcip BETWEEN "192.0.2.0" AND "192.0.2.225"" the IP addresses are colored light brown. Numbers also appear in light brown. For example, in the SPL "error NOT (403 OR 404)" the HTTP error codes are colored light brown. |
| white | Delimiters such as pipe ( \| ) characters, parentheses ( ), commas, colons, square brackets [ ], curly braces { }. | This image shows search examples where the delimiters are colored white. |
| pink | Parameter names, such as the names of search statements and function parameters. For example, $search16 or the names of function parameters like $field and $precision. | This image shows search examples where parameter names are colored pink. For example, in the SPL "$search16 = FROM main WHERE earliest=-4d" the name of the search "$search16" is colored pink. |
| red | Data types such as string, number, and custom data types, like person. See Built-in data types in the SPL2 Search Reference. | This image shows custom data types and custom function examples where the data types are colored red. For example, in the custom function "function mynum($x:number) {return $x}" the data type "number" is colored red. |
| bright white | Terms that are used with the search command, numbers that are interpreted as strings, and the default color for elements that don't fit into other categories. | This image shows a search example where numbers that are interpreted as strings are colored bright white. For example, in the SPL "search status IN (401, 403)" the numbers 401 and 403 are colored bright white. |

See also

Search experience
Search Experience overview
SPL2 documentation
Understanding SPL2 syntax in the SPL2 Search Reference
Last modified on 15 January, 2023

This documentation applies to the following versions of Splunk Cloud Platform: search2preview

