• About Splunk
  • About Splunk
• Tutorial
  • Introduction to Splunk
    • Requirements
    • Log in
    • Index data
    • Simple searches
    • Click on results
    • Scroll through results
    • Narrow results
    • Follow a relationship
    • Chang the time range
    • Boolean searches
    • Save a search
  • Navigating search results
    • Filter on host, source, and sourcetype (search fields)
    • Showing more fields
    • Filter on extracted fields
    • Related events searching
    • Taking snapshots
    • SplunkWeb (interface) customization
  • Event types and punct::
    • What are event types?
    • What is punct::?
    • Find similar events with punct::
    • Saving event types
    • View and search for event types
    • Automated event type discovery
    • Tagging
  • Alerting
    • Save a search
    • Schedule it
    • Set alerting conditions
    • Set the alerting method
    • Permalink your saved search
    • Manage your saved searches and alerts
  • Reporting
    • Report on a field
    • Build a new report
    • Pick a different chart
    • Add it to your dashboard
  • Using search commands
    • timechart
    • stats
    • top
    • rare
    • where
    • fields
    • sort
    • Subsearches
    • diff
    • set
    • regex
  • Command line interface (CLI)
    • Examples
    • Built-in help
    • Basic commands
  • Sharing
    • Creating, tagging, and sharing eventtypes
    • Saved searches
    • SplunkBase
• Reference
  • Search syntax overview
    • Syntax definition
    • Syntax for subsearches
    • Tuning search performance
  • Search
    • Keywords
    • Wildcards *
    • Searching for "*"
    • "Quotation marks"
    • Punctuation marks
    • Booleans
    • Fields
    • Modifiers
    • Subsearches
  • Search modifiers
    • Conventions used in this reference
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hosttag
    • hoursago
    • index
    • maxresults
    • minutesago
    • monthsago
    • readlevel
    • readlimit
    • related
    • savedsearch
    • searchtimespanminutes
    • searchtimespanhours
    • searchtimespandays
    • searchtimespanmonths
    • startminutesago
    • starthoursago
    • startdaysago
    • startmonthsago
    • timeformat
  • Core search fields
    • host
    • source
    • sourcetype
  • Search fields
    • _raw
    • _serial
    • _time
    • date_hour
    • date_minute
    • date_month
    • date_mday
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • eventtypetag
    • endtime
    • endtimeu
    • linecount
    • punct
    • starttime
    • starttimeu
    • timestamp::none
    • user
  • Search commands
    • Conventions used in the search reference
    • The run command
    • The admin command

Search syntax overview

A Splunk search consists one or more commands and their arguments. Any search must have at least one data-generation command. The data generated can then be used by other commands in a search pipeline.

A data-generation command is a command that generates data. The most common data-generation command is search which retrieves data persisted in a Splunk index, but there are other data-generation commands as well. The remote, savedsearch , and run commands all generate data that can be used in Splunk searches.

search is made up of a search statement followed by search arguments. Search arguments alter the results of the search by specifying what data to operate on, what additional instructions to follow at runtime, and what indexed terms to search for specifically. The search argument can contain a subsearch.

The search pipeline is composed of commands and arguments that process data generated by the search command and the other data-generation commands.

Search arguments alter the results of the search by specifying what data to operate on, what additional instructions to follow at runtime, and what indexed terms to search for specifically. The search argument can contain a subsearch. Search arguments can be literal keywords, wildcards, Boolean expressions, search field="value" pairs, modifier="value" pairs, and subsearches.

The search command arguments are defined in later sections.

Syntax definition

search ::= data_generation_command [ search_pipeline ]

data_generation_command ::= search_command | remote_command | savedsearch_command | run_command

search_pipeline ::= "|" [command] [ search_pipeline ]

search_command ::= search [search_argument]

search_argument ::= [keywords] [indexed_field="value"] [modifier="value"] [search_command]

subsearch ::= search_command "[" search "]"

remote_command ::= remote [server","...","server] | [server" "..." "server] [search_pipeline]

savedsearch_command::= savedsearch [name of saved search]

run_command ::= run [run argument]

Syntax for subsearches

A subsearch is a search with a search command as an argument.

search_command ::= search search_argument

search_argument ::= keyword "|" search_field=value "|" modifier="value" "|" subsearch

subsearch ::= search_command "[" [ search ] "]"

The search command is made up of a search statement followed by search arguments.

Tuning search performance

Splunk's searches are optimized for text-based searching of raw event data. Search speed is dependent on how your Splunk install is configured. You can improve the speed of your searches by editing the configuration files, and by downloading various add-ons through SplunkBase. Read more about tuning search performance here.