This is not current Splunk documentation.
Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Reference Chapters

Search Command Syntax

System administrators can reconfigure which characters Splunk treats as breaking characters described below, and which breaking characters separate major or minor segments. See the Splunk Admin Manual for configuration instructions.

Keywords

Splunk assumes keywords are separated by spaces and are composed of letters and numbers. Breaking characters (described below) divide indexed text into major segments, each of which may in turn contain two or more minor segments.

refer google com

Case Sensitivity

Splunk is case-insensitive except for the Boolean operators AND, OR and NOT described below.

These searches are identical:

foobar
Foobar
FoObaR

Breaking Characters

By default Splunk is configured to treat characters such as &, %, . and , in data it loads as breaking characters that separate searchable segments. You can't search for breaking characters. Parentheses have a special function described below.

Major and Minor Segments

Splunk's default configuration treats segments separated by periods and other punctuation marks as minor segments, and those separated by spaces as major segments. If you search for a term that appears as a minor segment, it will be highlighted on your results page. But when you roll over it to click it, the entire major segment it belongs to will highlight.

Left-to-Right Matching

When searching the index, Splunk tries to match minor segments inside a major segment by starting from the leftmost segment and working to the right.

For example, let's say we have events with URLs of the form http://amazon.com/exec/obidos/12345 in them. This query would return results because each term is a minor segment that can be matched inside URL strings in the index.

amazon com exec obidos

This query would also return matches because the minor segments in the query match URLs in the index starting from left to right.

http://amazon.com/exec

This query would return no matches because it would not match the first minor segment in the search term ("amazon") with the first minor segments in the indexed data ("http").

amazon.com/exec/obidos
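The segmentation and left-to-right matching rules above, as an added example that is not part of the original documentation. It assumes the default breaking characters (any non-alphanumeric character inside a whitespace-delimited major segment), a small set of constructed log lines standing in for the index, and that a single-segment term may match any minor segment while a multi-segment term must match from the leftmost minor segment onward; the function names are this example's own, not Splunk's.

```python
import re

# Constructed sample events (not from the original page). The URL in each
# line is one whitespace-delimited major segment made of several minor segments.
EVENTS = [
    "GET http://amazon.com/exec/obidos/12345 200",
    "GET http://www.amazon.com/exec/obidos/67890 200",
    "GET http://example.org/exec/obidos 404",
]

# Assumed default breaking characters: anything that is not a letter or digit
# splits a major segment into minor segments. Whitespace delimits major segments.
MINOR_BREAK = re.compile(r"[^A-Za-z0-9]+")


def major_segments(text):
    """Split on whitespace; lower-cased because keyword matching is case-insensitive."""
    return text.lower().split()


def minor_segments(major):
    """Split one major segment on breaking characters, dropping empty pieces."""
    return [m for m in MINOR_BREAK.split(major) if m]


def term_matches_major(term, major):
    """Does one search term match one indexed major segment?

    A term with a single minor segment matches if it equals any minor segment.
    A term with several minor segments matches only if they equal the indexed
    minor segments read from the left, so 'amazon.com/exec' fails against
    'http://amazon.com/exec/...' because the first indexed segment is 'http'.
    A term consisting only of breaking characters matches nothing.
    """
    want = minor_segments(term)
    have = minor_segments(major)
    if not want:
        return False
    if len(want) == 1:
        return want[0] in have
    return have[:len(want)] == want


def event_matches(query, event):
    """Every term in the query (implicit AND) must match some major segment."""
    majors = major_segments(event)
    return all(any(term_matches_major(t, m) for m in majors)
               for t in major_segments(query))


def search(query, events=EVENTS):
    """Return the constructed events that the query would match."""
    return [e for e in events if event_matches(query, e)]


if __name__ == "__main__":
    for q in ("amazon com exec obidos", "http://amazon.com/exec", "amazon.com/exec/obidos"):
        print(q, "->", len(search(q)), "match(es)")
```

The three queries from the text return two, one and zero of the constructed events respectively: the single-segment terms match anywhere, the `http://...` prefix matches only the URL whose minor segments begin with the same four segments in the same order, and the query starting at `amazon` never lines up with the leading `http`.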

Modifiers and Meta Data

The format for specifying both modifiers and meta data values in the Splunk search box is name::value, for example host::web1.splunk.com.

host::jupiter sourcetype::linux_messages_syslog fatal

See the Search Modifiers section for a complete list of built-in meta data names and search modifiers. Your administrator may also configure other meta data values that you can use. Unfortunately there's no way yet to get a complete list of those available.

Boolean logic—AND, OR, NOT, ()

You can perform nested Boolean searches on any index. Use parentheses, surrounded by whitespace, to group the uppercase AND, OR and NOT operators. Only the uppercase NOT is a Boolean operator; Not, not and nOT are ordinary case-insensitive search keywords.

( foo NOT ( bar OR baz ) )

AND is implied by default between search terms, but you can write it explicitly anyway. These searches are equivalent.

foo bar NOT baz
foo AND bar NOT baz

Precedence

The order of precedence among operators is:

( )

OR

AND, NOT

When in doubt, use parentheses.

( Parentheses )

Splunk supports parentheses, but you must put whitespace around them to make clear they are Boolean grouping operators and not part of search terms. This is necessary because Splunk can be configured to treat ( and ) as searchable characters.
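The Boolean rules, precedence table and parenthesis spacing rule above, as an added example that is not part of the original documentation. It is a small recursive-descent evaluator over a constructed set of events; it assumes that operators are recognised only as whole whitespace-separated tokens (so `(foo` is a keyword, not a group), that NOT is binary like AND (`foo NOT bar` means `foo AND NOT bar`), and that OR binds more tightly than AND and NOT, exactly as the precedence list states. The class and function names are this example's own.

```python
# Constructed events keyed by id (not from the original page).
EVENTS = {
    1: "foo bar",
    2: "foo baz",
    3: "foo",
    4: "bar baz",
    5: "foo Not bar",
}


def keyword_hits(word):
    """Ids of events containing the keyword; keywords are case-insensitive."""
    w = word.lower()
    return {eid for eid, text in EVENTS.items() if w in text.lower().split()}


class Parser:
    """Grammar reflecting the page's precedence (tightest first):
         atom    := '(' expr ')' | keyword
         or_expr := atom ( 'OR' atom )*
         expr    := or_expr ( ('AND' | 'NOT' | implicit AND) or_expr )*
    Tokens are produced by splitting on whitespace only, so a parenthesis is an
    operator only when it stands alone, as the page requires.  Only the
    uppercase AND/OR/NOT are operators; 'not' is an ordinary keyword."""

    def __init__(self, query):
        self.toks = query.split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return tok

    def parse(self):
        result = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return result

    def expr(self):
        result = self.or_expr()
        while self.peek() not in (None, ")"):
            if self.peek() == "AND":
                self.take()
                result = result & self.or_expr()
            elif self.peek() == "NOT":          # binary: left AND NOT right
                self.take()
                result = result - self.or_expr()
            else:                               # implicit AND between terms
                result = result & self.or_expr()
        return result

    def or_expr(self):
        result = self.atom()
        while self.peek() == "OR":
            self.take()
            result = result | self.atom()
        return result

    def atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok in ("AND", "OR", "NOT", ")"):
            raise ValueError("operator %r where a keyword was expected" % tok)
        return keyword_hits(tok)


def search(query):
    """Sorted ids of the constructed events matching the query."""
    return sorted(Parser(query).parse())


if __name__ == "__main__":
    for q in ("foo bar NOT baz", "( foo NOT ( bar OR baz ) )", "foo bar OR baz", "foo not bar"):
        print(q, "->", search(q))
```

Two points the evaluator makes concrete: `foo bar OR baz` is read as `foo AND ( bar OR baz )` because OR has the higher precedence, and `foo not bar` matches only the event that literally contains the word "not", since the lowercase form is a keyword rather than an operator.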

Wildcards *

You can place wildcards at the start or end of keywords.

*inux
linu*

You can place wildcards at the end of meta data terms, but nowhere else in the term.

host::webserver*

You can effectively wildcard the middle of a keyword like this, although it may return a few other results that match by containing two separate terms.

supercali*  *expialidocious

You can't wildcard both ends. This search, sadly, won't return anything.

*upercalifragilist*
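The wildcard rules above, as an added example that is not part of the original documentation. It assumes the same default breaking characters as earlier on this page, a few constructed events, and that a term violating the rules (a `*` at both ends or in the middle) simply matches nothing, which is what the text says happens; the function names are this example's own.

```python
import re

# Constructed events (not from the original page).
EVENTS = [
    "kernel: linux version 2.6 booting",
    "supercalifragilisticexpialidocious sung",
    "supercali expialidocious split words",
    "host webserver1 up",
]


def minor_segments(text):
    """Lower-cased minor segments, splitting on assumed default breaking characters."""
    return [s for s in re.split(r"[^A-Za-z0-9]+", text.lower()) if s]


def wildcard_ok(term):
    """A '*' is allowed only at the start or at the end of a term, never both
    and never in the middle."""
    if term.startswith("*") and term.endswith("*"):
        return False
    return "*" not in term.strip("*")


def term_matches(term, segment):
    """Match one (possibly wildcarded) term against one minor segment."""
    term = term.lower()
    if not wildcard_ok(term):
        return False                      # page: such a search returns nothing
    if term.startswith("*"):
        return segment.endswith(term[1:])
    if term.endswith("*"):
        return segment.startswith(term[:-1])
    return segment == term


def search(query, events=EVENTS):
    """Events in which every query term matches at least one minor segment."""
    terms = query.split()
    return [e for e in events
            if all(any(term_matches(t, s) for s in minor_segments(e)) for t in terms)]


if __name__ == "__main__":
    for q in ("*inux", "linu*", "supercali*  *expialidocious", "*upercalifragilist*"):
        print(q, "->", search(q))
```

`supercali*  *expialidocious` returns both the event with the single long word and the event where the two halves occur as separate words, which is the extra-result behaviour the text warns about; `*upercalifragilist*` returns nothing.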

+Literals

To explicitly search for a term with punctuation marks in it, prefix the term with +.

This example would search for the string "index::foo" in your index, rather than specifying an alternate index to search.

+index:foo

You can search for terms that begin with "+" using the same syntax. This example would search for the literal string "+800".

++800

"Quoted strings"

Splunk does not currently support the use of quotes to combine segments separated by breaking characters. This search would return no results.

"four score and seven years ago"

This search will find results, but possibly many you're not looking for. You may have to Ctrl-Alt-click unwanted matches away. (On Macs, cmd-option-click.)

four score and seven years ago
