
Start searching

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9


This topic and the ones following it serve as a tutorial for learning how to use Splunk's powerful search tools. Check the Search Reference Manual if you're looking for a reference for the commands in the Splunk search language or the Search command cheatsheet.

The first time you use Splunk, you'll probably start by just searching the raw data to investigate problems, whether it's an application error, a network performance problem, or a security alert. Searching in Splunk is free-form: you can use familiar Boolean operators, wildcards and quoted strings to construct your searches. Type in keywords such as a username, an IP address, or a particular message. You're never limited to a few predetermined fields, and you don't need to confront a complicated query builder, learn a query language, or know what field to search on. You can also search by time, host and source.

Note: The following examples use Web access logs that contain the following information: IP addresses, browser versions, Web request protocols, HTTP status codes, website URLs, etc.

Go to the Search app

After logging into Splunk, if you are in the Launcher app, select the Search app from the list of Your Installed Apps. If you are in another app, select the Search app from the App drop-down menu, which is located in the upper right corner of the window.

Start with simple terms

To begin your Splunk search, type in terms you might expect to find in your event data. For example, if you want to find events that might be HTTP 404 errors, type in the keywords:

http 404

Your search results are all events that have both HTTP and 404 in the raw text; this may or may not be exactly what you want to find. For example, your search results will include events that have website URLs, which begin with "http://", and any instance of "404", including a string of characters like "ab/404".

You can narrow the search by adding more keywords:

http 404 "not found"

Enclosing keywords in quotes tells Splunk to search for literal, or exact, matches. If you search for "not" and "found" as separate keywords, Splunk returns events that have both keywords, though not necessarily the phrase "not found".

You can also use Boolean expressions to narrow your search further.

Add Boolean expressions

Splunk supports the Boolean operators: AND, OR, and NOT; the operators have to be capitalized. You can use parentheses to group Boolean expressions. For example, if you wanted all events for HTTP client errors not including 404 or 403, search with:

http client error NOT (403 OR 404)

In a Splunk search, the AND operator is implied; the previous search is the same as:

http AND client AND error NOT (403 OR 404)

This search returns all events that have the terms "HTTP", "client", and "error" and do not have the terms "403" or "404". Once again, the results may or may not be exactly what you want to find. Just as the earlier search for http 404 may include events you don't want, this search may both include events you don't want and exclude events you want.

Note: Splunk evaluates Boolean expressions in the following order: first, expressions within parentheses; then, OR clauses; finally, AND or NOT clauses.

Search with wildcards

Splunk supports the asterisk (*) wildcard for searching. Searching for * by itself means "match all" and returns all events up to the maximum limit. Searching for * as part of a word matches based on that word.

The simplest beginning search is the search for *. Because this searches your entire index and returns an unlimited number of events, it's also not an efficient search. We recommend that you begin with a more specific search on your index.

If you wanted to see only events that matched HTTP client and server errors, you might search for:

http error (40* OR 50*)

This tells Splunk that you want events that contain "HTTP" and "error" and a status code in the 4xx or 5xx class. Once again, though, this will return many events that you may not want. For more specific searches, you can extract information from your events and save it as fields.
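To make the keyword, Boolean and wildcard rules from the preceding sections concrete, here is a small Python evaluator added to this page. It is not Splunk's code and does not reproduce Splunk's real tokenizer; it assumes that raw event text is split into tokens on non-alphanumeric characters (a stand-in for Splunk's minor breakers), that a bare term matches a token case-insensitively with `*` as a glob wildcard, that a quoted phrase matches as a substring of the raw text, and that precedence is parentheses first, then OR, then AND/NOT with AND implied between adjacent operands, exactly as the Note above states. The sample events are constructed, not real log data.

```python
"""Toy evaluator for the keyword, Boolean and wildcard search rules above.
Added illustration, not Splunk's implementation. Assumptions: raw text is
split into tokens on non-alphanumeric characters (a stand-in for Splunk's
minor breakers); a bare term matches a token case-insensitively, with '*'
as a glob wildcard; a quoted phrase matches as a substring of the raw text;
precedence is parentheses, then OR, then AND/NOT, with AND implied."""
import re
from fnmatch import fnmatchcase

# Constructed sample events shaped like Web access log lines (not real data).
EVENTS = [
    '10.0.0.1 - - "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.2 - - "GET /missing HTTP/1.1" 404 0 "Not Found"',
    '10.0.0.3 - - "GET /ab/404 HTTP/1.1" 200 77',
    '10.0.0.4 - - "POST /login HTTP/1.1" 403 client error forbidden',
    '10.0.0.5 - - "GET /secret HTTP/1.1" 401 client error unauthorized',
    '10.0.0.6 - - "GET /crash HTTP/1.1" 500 server error',
]
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')   # parens, phrases, words
OPERATORS = ('AND', 'OR', 'NOT')


def term_matches(term, raw):
    """Match one bare term (optionally with '*') or a quoted phrase."""
    text = raw.lower()
    if len(term) >= 2 and term[0] == term[-1] == '"':
        return term[1:-1].lower() in text               # literal phrase
    tokens = [t for t in re.split(r'[^a-z0-9]+', text) if t]
    return any(fnmatchcase(tok, term.lower()) for tok in tokens)


class Parser:
    """Recursive descent; nodes are (kind, payload) tuples."""
    def __init__(self, query):
        self.toks, self.i = TOKEN_RE.findall(query), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.and_expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node

    def and_expr(self):          # lowest precedence; AND is implied
        operands = [self.not_expr()]
        while self.peek() not in (None, ')'):
            if self.peek() == 'AND':
                self.take()
            operands.append(self.not_expr())
        return ('AND', operands)

    def not_expr(self):          # NOT applies to the OR clause that follows
        if self.peek() == 'NOT':
            self.take()
            return ('NOT', self.not_expr())
        return self.or_expr()

    def or_expr(self):           # OR binds tighter than the implied AND
        operands = [self.primary()]
        while self.peek() == 'OR':
            self.take()
            operands.append(self.primary())
        return ('OR', operands)

    def primary(self):           # parenthesised group or a single term
        tok = self.take()
        if tok == '(':
            node = self.and_expr()
            if self.take() != ')':
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in OPERATORS or tok == ')':
            raise ValueError("expected a term, got %r" % tok)
        return ('TERM', tok)


def evaluate(node, raw):
    kind, payload = node
    if kind == 'TERM':
        return term_matches(payload, raw)
    if kind == 'NOT':
        return not evaluate(payload, raw)
    results = (evaluate(n, raw) for n in payload)
    return all(results) if kind == 'AND' else any(results)


def search(query, events=EVENTS):
    """Return the indices of the events matching a search string."""
    tree = Parser(query).parse()
    return [i for i, raw in enumerate(events) if evaluate(tree, raw)]
```

Running `search('http 404')` returns the "Not Found" event and the `/ab/404` event, which is the over-matching the text warns about; adding `"not found"` leaves only the first. `search('404 OR 500 error')` returns only the 500 event, because the OR clause is grouped before the implied AND with `error`.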

Search with fields

When you index data, Splunk automatically adds fields to your event data for you. You can use these fields to search, edit the fields to make them more useful, extract additional knowledge and save them as custom fields. For more information about fields and how to use, edit, and add fields, read the "Capture Knowledge" chapter in this manual.

Splunk lists all extracted fields in the Fields menu next to your search results in Splunk Web. You can add fields to your search by selecting them from this "Fields picker". When you filter your search with a field from the Fields picker, Splunk edits your search bar to include the selected field.

Alternately, you can type the field name and value directly into your search bar. A field name and value pair can be expressed in two ways: fieldname="fieldvalue" or fieldname=fieldvalue.

Note: Field names are case sensitive.

Let's assume that the event type for your Web access logs is eventtype=webaccess and that you saved a field called status for the HTTP status codes in your event data. Now, if you want to search for HTTP errors, you can restrict your search to that event type:

eventtype=webaccess error

Use wildcards to match multiple field values

Because you're now searching specific events, this narrows your search significantly. Still, because it searches for the string "error", which may appear anywhere in your data, it may return events that you don't want. Instead, you can be more exact and search for Web access events that are HTTP client errors (4xx) or HTTP server errors (5xx):

eventtype=webaccess status=40* OR status=50*

Use comparison operators to match field values

You can use comparison operators to match a specific value or a range of field values.

Operator   Example       Result
=          field=foo     Field values that exactly match "foo".
!=         field!=foo    Field values that don't exactly match "foo".
<          field<x       Numerical field values that are less than x.
>          field>x       Numerical field values that are greater than x.
<=         field<=x      Numerical field values that are less than or equal to x.
>=         field>=x      Numerical field values that are greater than or equal to x.

Note: You can only use <, >, <=, and >= with numerical field values, and you can only use = and != with multi-valued fields.
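The following Python snippet, added to this page as an illustration and not Splunk's own code, shows the field-value matching from the "Search with fields" section and the comparison table above applied to events whose fields have already been extracted. It assumes events are dicts of string field values, that `=` and `!=` compare as strings with `*` as a glob wildcard, that `<`, `>`, `<=`, `>=` match only when both the field value and the search value are numeric, that an event lacking the field never matches (even with `!=`), and that field names are case sensitive. Bare keywords such as `error`, quoted values containing spaces, and multi-valued fields are left out. The sample events are constructed.

```python
"""Field-value matching in the spirit of the comparison table above.
Added illustration, not Splunk's code. Assumptions: events are dicts of
extracted string fields; '=' and '!=' compare as strings with '*' as a glob
wildcard; '<', '>', '<=', '>=' apply only when both sides are numeric; an
event without the field never matches; field names are case sensitive."""
import re
from fnmatch import fnmatchcase

# Constructed sample events with extracted fields (not real log data).
EVENTS = [
    {"eventtype": "webaccess", "status": "200", "clientip": "10.0.0.1"},
    {"eventtype": "webaccess", "status": "404", "clientip": "10.0.0.2"},
    {"eventtype": "webaccess", "status": "403", "clientip": "10.0.0.4"},
    {"eventtype": "webaccess", "status": "500", "clientip": "10.0.0.6"},
    {"eventtype": "syslog", "status": "error", "host": "db01"},
]

# fieldname<op>value, with the two-character operators tried first.
EXPR_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)(!=|<=|>=|=|<|>)(.+)$')


def parse_expr(expr):
    """Split 'status>=400' or 'clientip="10.0.0.2"' into (name, op, value)."""
    m = EXPR_RE.match(expr)
    if not m:
        raise ValueError("not a field expression: %r" % expr)
    name, op, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                 # fieldname="fieldvalue" form
    return name, op, value


def _number(text):
    try:
        return float(text)
    except ValueError:
        return None


def field_matches(event, expr):
    """Apply one field expression to one event."""
    name, op, value = parse_expr(expr)
    if name not in event:                   # case-sensitive lookup
        return False
    actual = event[name]
    if op == '=':
        return fnmatchcase(actual, value)
    if op == '!=':
        return not fnmatchcase(actual, value)
    a, b = _number(actual), _number(value)
    if a is None or b is None:              # range operators need numbers
        return False
    return {'<': a < b, '>': a > b, '<=': a <= b, '>=': a >= b}[op]


def search_fields(query, events=EVENTS):
    """Evaluate whitespace-separated field expressions against the events.
    OR-joined expressions are grouped first; the groups are then ANDed,
    mirroring the implied-AND precedence described on this page."""
    tokens = query.split()
    groups, i = [], 0
    while i < len(tokens):
        group = [tokens[i]]
        i += 1
        while i + 1 < len(tokens) and tokens[i] == 'OR':
            group.append(tokens[i + 1])
            i += 2
        groups.append(group)
    return [idx for idx, ev in enumerate(events)
            if all(any(field_matches(ev, e) for e in g) for g in groups)]
```

`search_fields('eventtype=webaccess status=40* OR status=50*')` returns the 404, 403 and 500 events, while `search_fields('status>=400')` returns the same three and skips the syslog event whose status is the non-numeric string "error".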

Use tags to group field values

You can also use tags to group similar field values and search for fields based on these tags. For more information about tags, how to add them to field values, and examples of how to search for tagged field values, read "Tag and alias field values" in this manual.

Revision: 207