Search for errors using Splunk Light
This topic includes examples of basic searches using keywords, phrases, booleans, fields, wildcards and comparison operators. These searches describe the events you want to retrieve from your Splunk Light indexes.
Search for different types of errors or failures.
Use keywords and phrases
1. If you want to find events with "error", start by typing in the keyword.
2. To make the searches more efficient, use as many keywords as possible to describe the event. For example, to find specific errors described by a phrase, use the entire phrase.
Use fields and wildcards
Fields are name and value pairs in your events. All events have the
_time fields. To search for specific field values, use the field name and field value.
You can use the asterisk wildcard with search keywords, field names, and field values to match patterns in events.
1. Search Apache web access logs for 404 status errors.
2. Find all client and server errors.
status=40* OR status=50*
This matches status values of 400, 401, 402, and so on, and 500, 501, 502, and so on.
Use boolean and comparison operators
||The operators must be written in uppercase. The AND operator is implied between search terms. You can group terms together using parentheses. When you have parentheses, the boolean expressions are evaluated inside the parentheses first. When using boolean expressions, searching for inclusion yields faster results than searching for exclusions.|
||The operators can be used to match field values for numbers and strings.|
1. Find all client or server errors with a delay greater than 10 seconds.
status >= 40* delay > 10
2. Search for invalid user login attempts.
"invalid user" OR "failed password" OR "not allowed"
3. Search for only 404 or 503 status errors.
status=404 OR status=503
About Splunk Light Search and Reporting Examples and Scenarios
Calculate and chart statistics using Splunk Light
This documentation applies to the following versions of Splunk® Light (Legacy): 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6