Searching in Splunk

When you are building the search criteria, click a field or value in a search result to add it to the search.


Wildcard character

  • * (asterisk) matches one or multiple characters

Exact phrases

  • Enclose the phrase in " (double quotes)

Search for quotes

  • \" (escape a double quote with a backslash to search for a literal quote)

Keywords in the search bar are case sensitive!

Boolean keywords are

  • AND (if omitted, it is implied)
  • OR
  • NOT

Order of boolean evaluation

  1. Inside parentheses ()
  2. NOT
  3. OR
  4. AND
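The precedence rules above, as an added Python example (not from the original post): a small recursive-descent parser that groups a query exactly the way the list says, parentheses first, then NOT, then OR, and finally the implied AND, and renders the fully parenthesised form so the grouping is visible. It evaluates the parsed query against a constructed set of keywords per event; the names parse_query, explain and matches are this example's own.

```python
import re

# A token is a parenthesis or a run of characters that is neither space nor parenthesis.
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class _Parser:
    """Recursive descent over the Splunk order: ( ) > NOT > OR > AND."""

    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return tok

    def and_expr(self):
        # Lowest precedence. AND between adjacent terms is implied, so any
        # term that is not OR / ) continues the AND chain.
        node = self.or_expr()
        while self.peek() not in (None, ")"):
            if self.peek() == "AND":
                self.take()
            node = ("AND", node, self.or_expr())
        return node

    def or_expr(self):
        node = self.not_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.not_expr())
        return node

    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.not_expr())
        return self.atom()

    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.and_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok in ("AND", "OR", "NOT", ")"):
            raise ValueError(f"unexpected {tok!r}")
        return ("TERM", tok)


def parse_query(query):
    """Parse a boolean keyword query into a nested tuple tree."""
    p = _Parser(query)
    tree = p.and_expr()
    if p.peek() is not None:
        raise ValueError(f"unexpected {p.peek()!r}")
    return tree


def explain(tree):
    """Render the tree with explicit parentheses showing how it was grouped."""
    kind = tree[0]
    if kind == "TERM":
        return tree[1]
    if kind == "NOT":
        return f"(NOT {explain(tree[1])})"
    return f"({explain(tree[1])} {kind} {explain(tree[2])})"


def matches(tree, keywords):
    """Evaluate the tree against the set of keywords present in one event."""
    kind = tree[0]
    if kind == "TERM":
        return tree[1] in keywords
    if kind == "NOT":
        return not matches(tree[1], keywords)
    left, right = matches(tree[1], keywords), matches(tree[2], keywords)
    return (left and right) if kind == "AND" else (left or right)


if __name__ == "__main__":
    # Constructed events: the keyword set of each raw line.
    events = [{"failed", "password", "sshd"}, {"error", "httpd"}, {"sshd", "accepted"}]
    for query in ("failed OR error sshd", "failed OR (error sshd)", "NOT failed OR error"):
        tree = parse_query(query)
        hits = [i for i, ev in enumerate(events) if matches(tree, ev)]
        print(f"{query!r} is grouped as {explain(tree)} and matches events {hits}")
```

The first query is the one that surprises people coming from languages where AND binds tighter than OR: "failed OR error sshd" is grouped as (failed OR error) AND sshd, so an event containing only "error" does not match.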

Operators

  • =
  • !=
  • >
  • >=
  • <
  • <=

Examples

  • sourcetype=access_combined

Best search practices

Search in a time range

  • s  Seconds
  • m  Minutes
  • h  Hours
  • d  Days
  • w  Weeks
  • mon  Month
  • y  Year
  • @  Round down to the nearest unit

Examples

  • -30s  In the last 30 seconds
  • -30m@h  Go back 30 minutes, then round down to the hour. If the search is run at 5:42, events from 5:00 onward are returned
  • earliest=-2h latest=-1h  From two hours ago to one hour ago
  • earliest=05/12/2017:12:00:00  From an absolute date and time
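The relative-time modifiers above, as an added Python example (not from the original post): it parses a Splunk-style modifier such as -30m@h, applies the offset first and then snaps down to the unit after @, which reproduces the 5:42 to 5:00 case from the list. It also resolves an earliest/latest pair into a concrete window. The functions resolve, shift, snap and window are this example's own, the search time is a constructed value, and the @w snap follows Splunk's week start of Sunday.

```python
import calendar
import re
from datetime import datetime, timedelta

# Optional signed offset with unit, then an optional "@unit" snap.
# "mon" is listed before "m" so the longer unit is matched first.
MOD_RE = re.compile(
    r"^(?:(?P<off>[+-]\d+)(?P<unit>mon|s|m|h|d|w|y))?"
    r"(?:@(?P<snap>mon|s|m|h|d|w|y))?$"
)

FIXED_UNITS = {
    "s": timedelta(seconds=1),
    "m": timedelta(minutes=1),
    "h": timedelta(hours=1),
    "d": timedelta(days=1),
    "w": timedelta(weeks=1),
}


def _clamp_day(year, month, day):
    """Keep the day valid when a month or year shift lands on a shorter month."""
    return min(day, calendar.monthrange(year, month)[1])


def shift(t, n, unit):
    """Move t by n units; n is negative for "ago"."""
    if unit in FIXED_UNITS:
        return t + n * FIXED_UNITS[unit]
    if unit == "mon":
        months = t.year * 12 + (t.month - 1) + n
        year, month0 = divmod(months, 12)
        return t.replace(year=year, month=month0 + 1,
                         day=_clamp_day(year, month0 + 1, t.day))
    if unit == "y":
        year = t.year + n
        return t.replace(year=year, day=_clamp_day(year, t.month, t.day))
    raise ValueError(f"unknown unit {unit!r}")


def snap(t, unit):
    """Round t down to the start of the given unit (the @ modifier)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        # Splunk's @w snaps to the previous Sunday; weekday() has Monday == 0.
        return day - timedelta(days=(day.weekday() + 1) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "y":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown snap unit {unit!r}")


def resolve(modifier, now):
    """Turn a modifier such as '-30m@h' or 'now' into an absolute datetime."""
    if modifier == "now":
        return now
    m = MOD_RE.match(modifier)
    if not modifier or m is None:
        raise ValueError(f"bad time modifier {modifier!r}")
    t = now
    if m.group("off"):          # the offset is applied first...
        t = shift(t, int(m.group("off")), m.group("unit"))
    if m.group("snap"):         # ...then the snap rounds the result down
        t = snap(t, m.group("snap"))
    return t


def window(earliest, latest, now):
    """Resolve an earliest/latest pair into the (start, end) search window."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError("earliest is after latest")
    return start, end


if __name__ == "__main__":
    # Constructed search time: the 5:42 case used in the list above.
    now = datetime(2017, 5, 12, 5, 42, 17)
    for mod in ("-30s", "-30m@h", "@d", "@w", "-1mon", "-2h"):
        print(f"{mod:>8} -> {resolve(mod, now)}")
    print(window("-2h", "-1h", now))
```

Because the offset is applied before the snap, -30m@h run at 5:42 first yields 5:12 and then rounds down to 5:00; running the same search at 5:12 would yield 4:42 and snap to 4:00, which is why a rolling window that must not miss events is usually written with a snap on the earliest side only.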

Indexes

If the data is spread across multiple indexes, specify the index where the data is stored.

Examples

  • index=main
