Splunk 3.4.2 is the latest version. Only use this page with older Splunk 2.0.x.
Splunk User Manual (Splunk v2.0)
Splunk Box Commands
Any search you can create by clicking Splunk's graphical interface, you can also type into the Splunk box as a text-only search string. You've probably already noticed the box updates itself to match your point-and-click searches.
Nested Boolean logic, keyword operators, detailed parameter values—the Splunk box lets you use your command line skills to concoct advanced search strings. Here are a few quick examples.
Search terms are not case sensitive, except for the Boolean logic operators AND, OR and NOT. Splunk considers Foobar, foobar and fOoBaR identical.
Basic searches
You can type in any alphanumeric keyword. Watch the typeahead drop-down for hints as you type.
apache 404
To specify a Splunk metadata value such as eventtype, put two colons (::) between the metadata name and its value—metadata::value.
eventtype::imapd_login_failed
The same syntax applies to Splunk modifiers, for example daysago::3.
Search terms are additive. There is an implicit AND between any terms not separated by OR or NOT.
sourcetype::linux_syslog_message authentication failure
Wildcards
You can put wildcard * characters at the start or end of individual terms. We don't support regular expressions ... at least not yet.
apache 40*
month *ember 2005
You can wildcard the middle of a term by breaking it in two.
supercal* *alodocious
Quoted strings
Splunk does not yet support quoted strings such as "foo bar". This search will return no results.
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; de) Opera 8.01"
This search will return lots of results.
Mozilla/4.0 compatible MSIE 6.0 Windows NT 5.1 de Opera 8.01
Boolean phrases
Boolean parentheses can be nested without limit. You need to put spaces between parentheses and other search terms—( foo AND bar ( NOT host::baz ) rather than (foo AND bar(NOT host::baz)).
host::trafficcop1 ( denied OR forbidden ) daysago::1
get NOT ( ( 404 OR 20* ) AND host::testserver )
sourcetype::apache get /store NOT googlebot NOT ( 20* OR 404 )
source::/logs/08_19_05/voip/* OR ( sourcetype::asterisk_event_syslog NOT sip/4211office-testlab )
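To see how the rules above combine (implicit AND, case-sensitive OR/NOT, * wildcards, metadata::value, space-separated parentheses, no quoted strings), here is an added example that models the Splunk box syntax as a small evaluator over constructed events. It is not Splunk's own code; the operator precedence (NOT, then AND, then OR) and the whitespace tokenization of event text are assumptions made for the model.

```python
import fnmatch

# Constructed sample events (not from the page): metadata fields plus raw text.
EVENTS = [
    {"host": "web1", "sourcetype": "apache", "_raw": "GET /store HTTP/1.1 200 Mozilla/4.0"},
    {"host": "web1", "sourcetype": "apache", "_raw": "GET /store HTTP/1.1 404 Googlebot/2.1"},
    {"host": "web1", "sourcetype": "apache", "_raw": "GET /store HTTP/1.1 500 Opera/8.01"},
    {"host": "mail1", "sourcetype": "linux_syslog_message",
     "_raw": "imapd: authentication failure for bob"},
]

def match_term(term, event):
    """One term: metadata::value or a keyword. Case-insensitive, * wildcards allowed."""
    if "::" in term:
        name, pattern = term.split("::", 1)
        return fnmatch.fnmatchcase(str(event.get(name, "")).lower(), pattern.lower())
    # Assumed model: keywords match whole whitespace-separated tokens of the raw text,
    # so a quoted string like "foo bar" becomes two tokens that never match.
    return any(fnmatch.fnmatchcase(tok.lower(), term.lower()) for tok in event["_raw"].split())

class Parser:
    # Assumed grammar: or_expr := and_expr { OR and_expr }
    #                  and_expr := unary { [AND] unary }   (adjacent terms imply AND)
    #                  unary := NOT unary | ( or_expr ) | term
    # Operators are case-sensitive: a lowercase "or" is just another keyword.
    def __init__(self, query):
        self.toks = query.split()   # parentheses must be space-separated, as the page says
        self.i = 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.toks[self.i]; self.i += 1; return tok
    def or_expr(self, ev):
        result = self.and_expr(ev)
        while self.peek() == "OR":
            self.take(); result = self.and_expr(ev) or result   # sub-parse runs first
        return result
    def and_expr(self, ev):
        result = self.unary(ev)
        while self.peek() not in (None, "OR", ")"):
            if self.peek() == "AND": self.take()
            result = self.unary(ev) and result
        return result
    def unary(self, ev):
        tok = self.take()
        if tok == "NOT": return not self.unary(ev)
        if tok == "(":
            val = self.or_expr(ev); assert self.take() == ")"; return val
        return match_term(tok, ev)

def search(query, events=EVENTS):
    """Return the events matching a Splunk-box style query string."""
    return [ev for ev in events if Parser(query).or_expr(ev)]
```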