• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Use Splunk Web
  • About Splunk Web
    • Dashboards
    • Preferences
    • Admin pages
  • Change Splunk Web preferences
    • Search
    • General
  • About Splunk server settings
    • View server settings
    • Control server
    • Configure authentication method
  • Change Splunk server default settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
• Add inputs
  • About inputs
    • Files and directories
    • FIFO queues
    • Network ports
  • Use Data Inputs page
    • Access Data Inputs page
    • Run crawls
    • Add files and directories
    • Add FIFO queues
    • Add network ports
  • Use crawl
    • Run a crawl
    • Save a crawl
• Index
  • About indexes and indexing
    • Events, segments, and fields
    • Search and indexes
  • Manage your indexes
    • View and manage indexes
    • Edit index properties
  • Create new index
    • via Splunk Web
    • via the CLI
  • Delete an index
• Search
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Form search
    • Run a form search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
  • Macro search
    • Configure a macro search
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Tag
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
  • Tag fields (including: event types, hosts, and sources)
    • Tag hosts or sources
    • Tag event types
  • Example: tagcreate and tagdelete
    • Create tags
    • Delete tags
  • Alias a source type
    • Add/edit a source type alias
• Report
  • Run reports
    • Report on results
    • Report on fields
    • Report using reporting commands
    • Choose different charts
    • Add a report to your dashboard
    • Summary indexing
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
  • Summary indexing
    • How summary indexing works
    • Configure summary indexing
    • Search commands useful to summary indexing
    • General guidelines for summary indexing
    • Aggregated statistics
    • Gaps and overlaps
• Save, Schedule, and Alert
  • Save, schedule, and set alerts
    • Save a search
    • Schedule the search
    • Configure an alert
    • Enable summary indexing
  • Find and manage saved searches
    • Delete or modify saved searches
    • Display saved searches on dashboard
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
  • Change default Splunk server settings
    • Change the password
    • Change Splunk server name
    • Change network ports
    • Change datastore location
    • Change minimum free disk space
• Search reference
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Generate data
    • crawl
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transform and report
    • associate
    • chart
    • cluster
    • contingency
    • collect
    • correlate
    • diff
    • eventstats
    • format
    • highlight
    • makemv
    • mvcombine
    • mvexpand
    • nomv
    • overlap
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extract
    • addinfo
    • extract (kv)
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
  • Unsupported search commands
    • createrss
    • dispatch
    • folderize
    • gentimes
    • idxprobe
    • inputcsv
    • load
    • map
    • outputatom
    • outputcsv
    • outputraw
    • outputtext
    • outputxml
    • page
    • rawstats
    • save
    • sendemail
    • tagcreate
    • tagdelete
    • tags
    • tagset
    • translate
  • Deprecated search commands
    • nopartial
    • remote
    • searchps
    • select
    • streamedcsv
    • summary
    • timeline
    • uniq
• CLI command reference
  • Command Line Interface (CLI) commands
    • Syntax
    • Command list

Splunk search

Searching in Splunk is easy - type any term you'd expect to find in your data into the search box and hit Enter. A Splunk search lets you search indexed data in real-time, extract data from search results, and produce meaningful reports from the data you put into Splunk. For example, to search for all events containing a given IP address, type it into the box. Try it with usernames, error codes, transaction IDs, or whatever else you are looking for.

See the Search syntax page to learn about Splunk search syntax.

A search is pipeline of commands (similar to a Unix "|" pipeline) that starts with a command that gathers data (typically a search on data in a Splunk index), followed by data-processing commands that operate on the data to yield search results.

See the Search pipeline syntax page for details about the syntax of the search pipeline.

You can also watch this Splunk developer video about searching with Splunk.

Generate search results

Generate search results by using a data-generating command. Generate search results by using:

• search to get new search results from a Splunk index.
• savedsearch to execute a saved search.
• file to import previously gathered search results directly from a file.
• crawl to search your filesystem for new data sources to add to your index (returns them as search results).

Construct searches

Use the search command to construct simple keyword searches on data in your Splunk index (just like a Google search). Narrow your keyword searches with modifiers, fields, Boolean operators, and logical comparison operators.

You can also construct more powerful searches by using additional commands to extract data, perform statistical operations, and build reports. Learn about the search commands in the search command reference.

Here are some valuable points to remember when constructing a search:

When generating data

To get more results:

• Increase the time range (search over all time to get the most number of results).
• Use wildcards and partial keywords instead of exact keywords.

If you want a faster search:

• Narrow the time range of your search.
• Reduce the number of fields that are extracted by un-selecting fields in the Fields picker menu.
• Reduce the segmentation by selecting inner, outer, or raw in the Preferences menu (reducing segmentation makes extracting and reporting more difficult).

When narrowing your search

• Filter results by event type if possible.
• Use the source and sourcetype fields to narrow a search to only a specified source.
• Use a combination of logical and Boolean expressions of keywords, modifiers, and fields.

Types of search

Form searches

Form searches are reusable searches that are pre-defined by a Splunk administrator. Form searches allow you to run complex searches by simply inputting variables in form fields. Learn more about Form searches.

Macro searches

Macro searches allow macro substitution of variables in saved searches. This allows you to run a complex search repeatedly with different variables. Learn more about Macro searches.

Transaction searches

Transactions let you search for groups of related events that are pre-defined as a transaction by your Splunk administrator. Use the transaction command to execute a transaction search. You can override specifications of a pre-defined transaction, or define a new transaction with the transaction command. Learn more about Transactions.

Live tail

Live tail allows you to see data as its being indexed into Splunk in real-time (similar to Unix's tail -f command). Live tail allows you to execute a simple search in its stand-alone window, and monitor events that match the search. Find out more about live tail.

Asynchronous searches

The Splunk CLI allows you to run multiple searches asynchronously. Use this if you have a search or report you want to run on a large amount of data where the search could take days and you still want to be able to run other searches with Splunk. Use the dispatch CLI command to execute asynchronous searches. Learn more about asynchronous searches.

CLI searches

Run searches in the CLI with the search CLI command. Searches in the CLI work the same way as searches in Splunk Web except there is no timeline rendered with the search results, and a time range isn't specified by default. Search for anything by including your search as the 'search string' argument of a CLI search command.

Learn more about CLI searching.

Save and schedule searches

After you save a search, you can set your searches to run regularly and schedule alert conditions. Read more about Save, schedule, and alert options.

Tune search performance

Splunk's searches are optimized for text-based searching of raw event data. Search speed is dependent on how your Splunk install is configured. You can improve the speed of your searches by editing configuration files, and by downloading various add-ons from SplunkBase. Read more about tuning search performance.