Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.
Splunk User Manual (Splunk v2.0)
Reference Chapters
Search Modifiers
Modifiers take the format name::value.
Modifiers may appear anywhere in a splunk command—before, after, or in between regular keywords and Boolean operators.
Some, as noted, are only allowed one value per search. The last one will be evaluated and the rest ignored. A splunk for maxresults::10 apache maxresults::5000 will return at most ten results.
Your Splunk administrator may configure additional meta data values besides those listed here. Unfortunately there is currently no way to obtain a list of all meta data defined in the server's configuration or present in an index. Check with an administrator or power user.
maxresults::
The maximum number of results to return. The default is 10,000. Only the last declaration of maxresults will be evaluated.
foo maxresults::20
If there are more results than you specified, the tab summaries will add a > in front of their summary counts, e.g. Events (>10,000).
daysago::
Events within the last N days. Only the first declaration of daysago will be evaluated.
daysago::1
index::
The index to search—default, history, _internal or, on Splunk Professional, another index defined by the administrator. Only the first declaration of index will be evaluated. Its default value is index::default. On the free Splunk Server this resolves to index::main. On Splunk Professional it resolves to whichever index is currently set as the default.
index::_internal finished
There are several indexes built into Splunk by default.
- main: The main data index.
- history: An index of all searches performed on the server (Splunk Server) or by the current account (Splunk Professional).
- _internal: The index of Splunk server events.
hoursago::
Results within the last N hours. Only the first declaration of hoursago will be evaluated.
greylisting hoursago::4
eventtype::
Events with an event type or tag that matches the specified value.
Local event types have this format.
eventtype::?17
Globally defined event types downloaded from Splunk Base have this format.
eventtype::SP-CAAAAD
For backwards compatibility eventtype:: will also match tags.
eventtype::apache
host::
Results generated by the specified hostname, or at least whose host:: value was set to that hostname during indexing.
host::webserv* 404 daysago::1
minutesago::
Events within the last N minutes. Only the first declaration of minutesago will be evaluated.
minutesago::10 login
related::
Events with segment values (e.g. 404 or joeuser) matching one or more in the current event. You cannot manually enter related searches; you need to click the Related link on a specific event. The splunkSearch interface will insert a keyword of the form related::4:156287821 into the Splunk box. The number is a hash value that only makes sense to the server.
related::4:156287821
Unlike all other current Splunk searches, related results are sorted by relevance rather than by time.
report:: (Splunk Professional)
This modifier creates a Report Splunk from your Splunk results. You can then choose Export Splunk As... to save the report to a file. See the section on Report Splunks for details and examples.
savedsplunk::
Use this modifier to include the terms of a Saved Splunk inside another Splunk, further refining it.
savedsplunk::logins minutesago::40
You cannot include a savedsplunk:: parameter inside a Saved Splunk—the feature is not recursive.
similar
Events whose event type signature is somewhat like that of the current event. There is no similar modifier; it's a special syntax version of eventtype. If you click on the Similar button for an event you'll get a splunk that looks like this.
eventtype::?91-3
The above means "events whose type is within 3 degrees of separation from type 91." You can manually enter values from 0 (identical) to 9 (not similar at all.)
eventtype::?91-1
sourcetype::
Events whose source type matches the specified value.
404 sourcetype::php_*
tag::
Events with a tag that matches the specified value.
tag::apache
unexpected::
Results that lie outside observed patterns in the index by the specified value of 0 (expected) to 9 (most unexpected).
unexpected::9 sourcetype::php_*
You can specify a single value, or a range between two values.
unexpected::4-9 host::webdev
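The following is an added example, not Splunk's own code, of how the name::value syntax described at the top of this page can be parsed, together with the precedence rules the individual entries state (only the last maxresults:: declaration counts; only the first daysago::, hoursago::, minutesago:: and index:: declaration counts), the documented 10,000 default for maxresults::, the single-value-or-range form of unexpected::, and the eventtype::?N-D similarity form. Modifiers for which the manual states no single-value rule (host::, sourcetype::, tag::, and so on) are kept as a list of every declaration; that, the function names, and the regular expressions are this example's assumptions, not behaviour documented here.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Precedence rules as stated in this manual: maxresults keeps the LAST
# declaration; the time-window modifiers and index keep the FIRST.
LAST_WINS = {"maxresults"}
FIRST_WINS = {"daysago", "hoursago", "minutesago", "index"}
DEFAULT_MAXRESULTS = 10_000  # documented default when no maxresults:: is given

# A modifier token is name::value. The value may itself contain ':' or '?'
# (related::4:156287821, eventtype::?91-3), so only the first '::' splits.
MODIFIER_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)::(.+)$")


class ParsedSearch(NamedTuple):
    keywords: List[str]             # plain terms and Boolean operators, in order
    modifiers: Dict[str, object]    # name -> effective value (str) or list of values
    ignored: List[Tuple[str, str]]  # declarations dropped by the precedence rules


def parse_search(query: str) -> ParsedSearch:
    """Split a v2.0-style search string into keywords and effective modifiers."""
    keywords: List[str] = []
    declared: Dict[str, List[str]] = {}
    for token in query.split():
        m = MODIFIER_RE.match(token)
        if m:
            declared.setdefault(m.group(1).lower(), []).append(m.group(2))
        else:
            keywords.append(token)

    modifiers: Dict[str, object] = {}
    ignored: List[Tuple[str, str]] = []
    for name, values in declared.items():
        if name in LAST_WINS:
            modifiers[name] = values[-1]
            ignored.extend((name, v) for v in values[:-1])
        elif name in FIRST_WINS:
            modifiers[name] = values[0]
            ignored.extend((name, v) for v in values[1:])
        else:
            # Assumption: the manual states no single-value rule for these
            # (host, sourcetype, tag, ...), so every declaration is kept.
            modifiers[name] = list(values)
    return ParsedSearch(keywords, modifiers, ignored)


def max_results(parsed: ParsedSearch) -> int:
    """Effective result cap, falling back to the documented default of 10,000."""
    value = parsed.modifiers.get("maxresults")
    if value is None:
        return DEFAULT_MAXRESULTS
    n = int(value)  # raises ValueError for a non-numeric declaration
    if n < 1:
        raise ValueError("maxresults must be a positive integer")
    return n


def parse_unexpected(value: str) -> Tuple[int, int]:
    """unexpected:: takes a single level or a low-high range, each within 0..9."""
    parts = value.split("-", 1)
    lo = int(parts[0])
    hi = int(parts[1]) if len(parts) == 2 else lo
    if not (0 <= lo <= hi <= 9):
        raise ValueError(f"unexpected:: levels must satisfy 0 <= low <= high <= 9, got {value!r}")
    return lo, hi


def parse_similar(value: str) -> Tuple[int, int]:
    """eventtype::?N-D means 'within D degrees of separation from local type N', D in 0..9."""
    m = re.fullmatch(r"\?(\d+)-(\d)", value)
    if not m:
        raise ValueError(f"not a similarity search value: {value!r}")
    return int(m.group(1)), int(m.group(2))


if __name__ == "__main__":
    # Constructed sample search combining several modifiers from this page.
    p = parse_search("host::webserv* 404 daysago::1 maxresults::10 apache maxresults::5000")
    print(p.keywords, p.modifiers, p.ignored, max_results(p))
```

Running the block prints the keywords (`['404', 'apache']`), the effective modifiers with host kept as a list, the discarded `maxresults::10` declaration, and the effective cap of 5000. Feeding the same query through an actual Splunk 2.0 server is the only way to confirm the precedence rules as deployed; this parser only encodes what the page states.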