Documentation:
3.3.4
This page last updated: 09/16/08 12:09pm
Search syntax
Splunk searches are designed to make searching your data easy by allowing you to perform a variety of simple term and phrase searches with Boolean and comparison logic using the Splunk search command. Use a Splunk search to explore your indexed data, and operate on it by piping search results to a variety of powerful commands to perform statistics and structured analysis on the results. Refer to the Search pipeline syntax reference for more about the search pipeline.
For example:
Search for error events from access logs.
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
Search your data for any whole or part of a keyword by typing it into the search bar. Search for any number of keywords that you like in a single search. Separate multiple keywords by using whitespace. Splunk treats the whitespace between keywords as an AND operator.
Keywords are not case-sensitive.
Examples:
Search for "10." anywhere in your data.
10.Search for events containing "apache" and "error".
apache errorSearch for any literal term by wrapping it in double quotes. To search for the literal equal sign, you must wrap the search term in double quotes. For example, to search for the string a=b rather than the field a with the value b you must search:
"a=b"In general, Splunk recommends that you wrap terms that have punctuation or whitespace in double quotes.
Make search case sensitiveUse the regex command to match events generated in a search to an exact string of characters (including case sensitive terms pronouns). Search for all events, and then filter your search results using a regex. For example, search for the word "ERROR" in all of your events:
* | regex _raw=ERRORYou can't search for an asterisk (*) character as it is always treated as a wildcard within the search command. To search for a literal asterisk, you need to search for all data and filter out results that don't contain an asterisk (using the regex command).
Here's the search you need to execute to search for an asterisk:
* | regex _raw= \*Use wildcards to search for keywords or phrases that match a partial string of characters. Place wildcards at the beginning, middle, or end of a string of characters.
Note: You can also use wildcards in fields and field values.Examples of valid wildcard usage:
- foo*
- *foo
- f*oo
- *foo*
- *f*o*o*
- /var/log/*
Splunk uses many punctuation characters as breaking characters for keywords in its index. Punctuation such as: . , ! % $ / \ [ ] { } < > @ = + & and # are normally considered breaking characters by default. Your Splunk administrator can customize what characters are breaking characters by tuning segmentation.
Boolean operatorsUse Boolean operators to group search arguments together in a search. Splunk supports the Boolean operators: AND, OR, NOT, and ( ). Boolean operators must be completely uppercase or they are treated as regular keywords.
Precedence
Boolean operators are evaluated in this order:
1. ( )
2. OR
3. AND, NOT
Use parentheses to group Boolean operator expressions together. Parentheses must have spaces on the outer (convex) side of them. Parentheses must be used when mixing OR and NOT in the same search.
Examples of correct usage:
(foo NOT (bar OR baz) )( foo NOT (bar OR baz) )Examples of incorrect usage:
(foo NOT(bar OR baz))(foo NOT(bar OR baz ))Use comparison operators (=, !=, <, >, <=, >=) to exactly match a value, or a range of field values in the argument of any search command.
Note: You can only use <, >, <=, and >= with numerical field values.
| Operator | Example | Effect |
| = | field=foo | Field values that exactly match "foo". |
| != | field!=foo | Field values that don't exactly match "foo". |
| < | field<x | Numerical field values that are less than x. |
| > | field>x | Numerical field values that are greater than x. |
Comments
It would be nice to know how I can search by most frequent occurrences using the search syntax. Is there a way to do this?
Posted by cronos4d on Mar 10 2008, 3:51pm