Search
Contents
Search
Searching is easy - type any term you'd expect to find in your data into the search box and click or press Enter. For example, to search for all events containing a given IP address, type it into the box. Try it with usernames, error codes, transaction IDs, or whatever else you are looking for.
You can use Boolean ORs and NOTs and combine them with parentheses. Use wildcards or quote marks to find phrases. Splunk also lets you search for fields like host, source and sourcetype. Use "fieldname::value" to search for fields.
host::web1 source::/var/log/httpd/access.log sourcetype::access_common 10.1.2.4
Get a full list of search fields.
You can pipe search results to a variety of powerful commands to perform statistics and structured analysis on the results. These commands can use the search fields and more extracted fields that Splunk discovers in your results. Check Fields under your timeline to see a list of available fields.
top returns the most frequent values of any field in your search results along with a count and percentage.
where filters your results using a SQL WHERE clause expression.
"Password accepted" | where user="mary"Browse a complete reference of search commands.
You can pipe as many commands together as you like and even combine one search with another for more advanced correlation. The below search will find all hosts that have more than 10 "password failed" events and also have "password accepted" events. Square brackets with the addition of the command "search" after the opening bracket let you embed a second search inside your first.
"Password accepted" [search "Password failed" | top host | fields +host | format]Keywords
Keywords are not case-sensitive. Just type in any keyword that you want to search for.
Depending on how your Splunk's segmentation is configured, certain special characters may not be allowed in your keyword searches.
Examples:
- 1.2.4
Searches for "10.1.2.4".
err*Searches for any text with "err" present.
"my error"Searches for exactly "my error".
Wildcards *
Wildcards may be placed at the start, end or middle of keywords, or at the end of modifier terms.
The following are examples of valid wildcard usage:
- foo*
- *foo
- f*oo
- *foo*
- *f*o*o*
- /var/log/*
Searching for "*"
In Splunk version 3.0 and above, you cannot search literally for *. To search for * you must first search for all "*", and then filter the search using a regex.
- | regex _raw = \*
"Quotation marks"
You must use quotation marks to search for any string that contains quotation marks, whitespace, the pipe character, open or closed parenthesis or brackets.
Correct usage examples:
| Example | Matches |
| "foo" | foo |
| "username=Joe Smith" | username=Joe Smith |
| "authentication denied" | authentication denied |
| "[bar" | [bar |
| "foo * bar" | foo * bar |
| " 404 " | 404 |
| "(404)" | (404) |
Incorrect usage examples:
| Example | Matches |
| " "404" " | Returns nothing. |
| " " 404 " " | Returns nothing. |
Punctuation marks
Most punctuation marks such as . , ! % $ / \ [ ] { } < > @ = + & and # are treated as breaking characters between keywords in the Splunk index. They cannot be searched on their own. Your Splunk administrator may reconfigure the default settings.
Booleans
AND,OR,NOT
Splunk supports the logic commands AND, OR, and NOT. They must be completely uppercase or they will be treated as regular keywords. XOR is not supported. "AND" is implicit in the search string.
NOTE: Currently phrase searching cannot be used in conjunction with OR and NOT operators. This functionality will be available in a future Splunk release.
Example:
error OR (success NOT login)Parentheses
Parentheses must have spaces on the outer (convex) side of them.
The following are correct:
(foo NOT (bar OR baz) ) ( foo NOT (bar OR baz) )The following are incorrect:
(foo NOT(bar OR baz))(foo NOT(bar OR baz ))Parentheses must be used when mixing OR and NOT in the same search.
Precedence
Boolean commands are evaluated in this order:
-
( )
-
OR
-
AND,NOT
Fields
Splunk fields values are assigned to each event by Splunk. They take the format name::value. Each event can have only one value for each fields name. Below are some commonly-used fields:
eventtype::
Event types are defined as saved searches. Create a new event type by choosing "Save as event type..." from the menu. Then search for that event type by entering eventtype::< name of event type >, for example: eventtype::trade_app_logouts
eventtypetag::
Event types can be tagged with arbitrary text values such as tag::failure. Event type tags are not in beta 1.
host::
The hostname or IP address of the host that generated an event, such as host::juno.Splunk.com.
hosttag::
Host values can be tagged to create groupings. For example, each of the host values from production servers could be tagged with the value hosttag::production.
punct::
The punctuation pattern of an event, such as punct::..._-_-_[:::]_\"_?=_/.\"__
source::
The file, network port, or other data stream from which an event was indexed. For example: source::/var/log/messages.
sourcetype::
The kind of data identified by Splunk in the event's source. For example: sourcetype::linux_messages_syslog.
Splunk automatically creates new fields at search time when it sees name/values pairs in search results. To see these, go to the Fields menu and select More >>. You'll see a list of fields extracted at search time.
See the search fields list for the usage and syntax of fields.
Modifiers
Modifiers affect a search rather than being search terms themselves. Like meta data, they also take the format name:value. Most do not have default values. Some can only be used once in a search, as noted below, while most can appear several times in the same search with different values. Modifiers can be used before, after or between keywords and Boolean commands. If a search has conflicting modifiers, such as "daysago:1 monthsago:6 daysago:3", the first one from left to right will take precedence. See the Search modifier list section for search modifier details and syntax.
Subsearches
A subsearch is a search within a search string (delimited by '[' ']' brackets) whose results are passed to the search string its contained in. A search containing a subsearch will execute the subsearch first, and pass the subsearch results to the rest of the search string. By default, a subsearch returns the _query field value the top search result. If the first result doesn't contain a _query field value, Splunk implicitly calls the format command to produce a _query field value for each search result in your search.
Note: You can nest subsearches within subsearches.
Example subsearch forms:
(search terms) [subsearch string] | ...
(search terms) [(search terms) [subsearch string] | ...] | ...
Example:
sourcetype::access_combined | where [search sourcetype::access_combined | top 4 clientip | fields clientip | format]- Restricts the results from a combined access log to the top four IPs. Implicitly calls the format command to produce the _query field to output the result of the subsearch.