Splunk® Light (Legacy)

Search and Reporting Examples

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Search for errors using Splunk Light

This topic includes examples of basic searches using keywords, phrases, booleans, fields, wildcards and comparison operators. These searches describe the events you want to retrieve from your Splunk Light indexes.


Search for different types of errors or failures.

Use keywords and phrases

1. If you want to find events with "error", start by typing in the keyword.


2. To make the searches more efficient, use as many keywords as possible to describe the event. For example, to find specific errors described by a phrase, use the entire phrase.

"sshd error"

"login failed"

"failed password"

"access denied"

Use fields and wildcards

Fields are name and value pairs in your events. All events have the source, host, sourcetype, _raw, and _time fields. To search for specific field values, use the field name and field value.

You can use the asterisk wildcard with search keywords, field names, and field values to match patterns in events.

1. Search Apache web access logs for 404 status errors.

sourcetype=access_combined status=404

2. Find all client and server errors.

status=40* OR status=50*

This matches status values of 400, 401, 402, and so on, and 500, 501, 502, and so on.

Use boolean and comparison operators

Type Operators Description
Boolean AND, OR, NOT The operators must be written in uppercase. The AND operator is implied between search terms. You can group terms together using parentheses. When you have parentheses, the boolean expressions are evaluated inside the parentheses first. When using boolean expressions, searching for inclusion yields faster results than searching for exclusions.
Comparison < > <= >= != = == The operators can be used to match field values for numbers and strings.

1. Find all client or server errors with a delay greater than 10 seconds.

status >= 40* delay > 10

2. Search for invalid user login attempts.

"invalid user" OR "failed password" OR "not allowed"

3. Search for only 404 or 503 status errors.

status=404 OR status=503

Last modified on 26 September, 2016
About Splunk Light Search and Reporting Examples and Scenarios
Calculate and chart statistics using Splunk Light

This documentation applies to the following versions of Splunk® Light (Legacy): 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.1612 (cloud service only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters