Splunk Search Commands

In this blog, we are going to see various Search Commands in Splunk. To get events from indexes or to filter the results of a previous search command in the pipeline, use the search command. Keywords, quoted phrases, wildcards, and field-value expressions can all be used to retrieve events from your indexes. At the start of any search, the search command is implied. The search command does not need to be specified at the start of your search criteria.

Splunk Search Commands - Table of Content

Splunk Commands List

The search command could also be used later in the search pipeline to filter the results from the preceding command. A subsearch can be performed using the search command. You can use commands to alter, filter, and report on events once they've been retrieved. To apply a command to the retrieved events, use the pipe character or vertical bar (|).

To gain in-depth knowledge with practical experience in Splunk,  Then explore HKR's Splunk Certification Course!



1. Essential Arguments 


 |  |  | NOT  |  |  |  [OR] 

Description: All keywords or field-value pairs that were used to describe the events to be retrieved from the index are included here. Whenever necessary, use parentheses. For this argument, you can use Boolean expressions, comparison operators, time modifiers, search modifiers, or expression combinations.

 Among terms and expressions, the AND operator is always implied. Web error, for instance, is the same as web AND error. Clientip= AND earliest=-1h@h are equivalent to clientip= AND earliest=-1h@h. You don't need to define the AND operator unless you are including it for clarity's purpose.

2. Options for logical expressions


 |  IN ()

Description: Provide a list of possible values for a field or compare it to a literal value.


"" |  | 

Description: Using literal strings and search modifiers, describe the events you want to obtain from the index.

[] ()...

Description: Describe the format of the search's start time and end time terms.

Splunk Training

  • Master Your Craft
  • Lifetime LMS & Faculty Access
  • 24/7 online expert support
  • Real-world & Project Based Learning

3. Optional expressions for comparison


 = |  != | < | <= | > | >=

Description: When looking for field/value pairs, you can employ comparison operators. The equal (=) and not equal (!=) operators compare string values in comparison expressions. For instance, "1" does not equal "1.0." Comparison expressions with the larger than or less than operators >= >= compare two numbers numerically and lexicographically.


Description: The field name.


Description: The literal number or string value of a field in comparison expressions.


(, , ...)

Description: To provide two or more values, use the IN operator. For instance use error IN (400, 402, 404, 406) rather then error=400 OR error=402 OR error=404 OR error=406

We have the perfect professional Splunk Tutorial for you. Enroll now!

4. Index expression options



Description: To match, provide a list of keywords or phrases. Splunk software searches the _raw field for matching events or results when searching for strings and quoted strings (anything that isn't a search modifier).


 |  |  |  |  |  |  | 

Description: Find events based on specific fields or field tags. For instance, you can look for one or more hosts, sources, source types, saved searches, and event types. Also, look for the tag field, which has the following format: tag::=.




Find events based on the source type field.



Description: Look for events originating from the provided host field.



Description: Look for events with hosts who are tagged with the string.



Description: Look for events that match the type of event you've specified.



Description: Look for events that match all of the event types tagged with the string.


savedsearch= | savedsplunk=

Description: Look for events that would be discovered by the saved search.



Description: Find events based on the source field.



Description: Look for events from a particular server. To refer to the search head, use the term "local."

, Big Data Analytics, splunk-search-commands-description-0, , Big Data Analytics, splunk-search-commands-description-1

Subscribe to our youtube channel to get new updates..!

5. Time options

See Time modifiers to search for a list of time modifiers.



Description: Set the start time and end time terms' time format.

Default: timeformat=%m/%d/%Y:%H:%M:%S.


starttime= | endtime= | earliest= | latest=

Description: Use the relative or absolute time to specify the start and end times.



Description: Events must occur later or at the same time as this. The time format must be the same.



Description: All events must take place at or before this time.

6. Usage

When it is the initial command in the search, before the first pipe, the search command is event-generating. When it is the initial command in the search, before the first pipe, the search command is event-generating. 

6.1 The search command that is implied

At the start of every search, the search command is implied.

You can use terms like keywords, phrases, fields, boolean expressions, and comparison expressions to indicate exactly which events you want to get from Splunk indexes when a search is the first command in the search. If no field is specified, the search will seek phrases in the _raw field.

Some search terms to consider include:

  • keywords: error login, which is the same as specifying for error AND login
  • quoted phrases: "database error"
  • boolean operators: login NOT (error OR fail)
  • wildcards: fail*
  • field-value pairs: status=404, status!=404, or status>200
6.2 Employing the search command following in the search pipeline

You can use the search command later in the search pipeline in addition to the implied search command at the beginning of all searches. Which fields are given into the search command determines which search phrases you can use. 

You can use the same types of search words if the _raw field is supplied to the search command as when the search command is the first command in a search.

You must supply field-values pairs that match the fields passed into the search command if the _raw field is not passed into the search command. The _raw field is not passed to the next command in the pipeline by transforming operations like stats and charts.

Top 40 frequently asked Splunk Interview Questions !

7. Boolean expressions

The search evaluates Boolean expressions in the following order:

  • Expressions within parentheses
  • NOT clauses
  • OR clauses
  • AND clauses

This assessment order differs from the where command's evaluation order. AND clauses are evaluated before OR clauses in the where command.

7.1 Two Fields Comparison

When using the search command to compare two fields, don't use index=myindex fieldA=fieldB or index=myindex fieldA!=fieldB. The search command expects a to be compared to a when you give a comparison expression. The fieldB is interpreted by the search command as a value rather than a field name.

When comparing two fields, use the where command.

index=myindex | where fieldA=fieldB

 You can describe the criteria in a variety of ways for not equal comparisons.

index=myindex | where fieldA!=fieldB


index=myindex | where NOT fieldA=fieldB
7.2 Using the IN operator to compare multiple field-value

When you want to see if a field includes one of the numerous values, use the IN operator.

For example, use this syntax:

... error_code IN (400, 402, 404, 406) | ...

Instead of this syntax:

... error_code=400 OR error_code=402 OR error_code=404 OR error_code=406 | ...

When using the IN operator with the search command, you can use a wildcard character in the list of values. Consider the following example:

... error_code IN (40*) | ...

 With the IN operator, the NOT operator can be used. As an example:

... NOT clientip IN (,, | ...

 You can also use the IN function in conjunction with the eval and where commands. When the IN function is used with the eval and where commands, wild card characters are not allowed in the values list.

7.3 Order of lexicography

The values used to encode the items in computer memory are utilized to sort them in lexicographic order. UTF-8 encoding, which is a superset of ASCII, is almost always used in Splunk software.

  • Prior to sorting letters, the numbers are sorted. The initial digit is used to sort the numbers. The integers 10, 9, 70, 100, for example, are lexicographically arranged as 10, 100, 70, 9.
  • Lowercase letters are sorted first, followed by uppercase letters.
  • Symbols aren't standard. Numeric values are arranged before some symbols. Other symbols are arranged before and after letters.

You can override the lexicographical order with a custom sort order.

Explore Splunk Sample Resumes! Download & Edit, Get Noticed by Top Employers! 

7.4 Escape characters and quotes

In general, quotation marks are required surrounding white spaces, commas, pipes, quotes, and brackets in phrases and field values. Balance is required when using quotation marks. An unescaped closing quotation must come after an opening quotation. As an example:

  • The number of events containing the string error may be found using a search like error | stats count.
  • A search like ... | search "error | stats count" would return raw events with error, a pipe, stats, and count in that order.

If you don't want to search for the default meaning of keywords and phrases, such as Boolean operators and field/value pairs, you should use quotation marks around them. For example:

  • Error "AND" when searching for the phrase AND without knowing what the Boolean operator implies.
  • Error "startswith=foo" during a search for this field/value phrase.

To escape quotes, pipes, and itself, the backslash character (\) is used. Inside quotation marks, backslash-escape sequences are still expanded. For example:

  • Instead of splitting the pipe between commands, the sequence | as part of a search sends a pipe character to the command.
  • The sequence \" sends a literal quotation mark to the command, for example, when using rex to search for a literal quotation mark or put a literal quotation mark into a field.
  • As a literal backslash in the command, the \\ sequence would be available.

Backslash sequences that aren't recognized aren't changed:

  • Because \s is not a recognized escape sequence, it will be exposed as \s to the command in a search string.
  • However, because \\ is a known escape sequence that is converted to \, \s will be available as \s to the command in the search string.

Splunk Training

Weekday / Weekend Batches


8. Search with TERM()

The TERM() directive can be used to instruct Splunk software to index whatever is inside the parenthesis as a single term. When a term comprises minor segmenters, such as periods, and is bounded by major segmenters, such as spaces or commas, TERM is more useful. TERM doesn't work for terms that aren't separated by major breakers.

9.  Search with CASE()

To find terms and field values that are case-sensitive, use the CASE() directive.

10. Conclusion:
We have learned various search commands, along with their syntax and usages. We hope this blog is very useful to you and has also given descriptions for understanding various expressions.

Other Related Blogs:

Find our upcoming Splunk Training Online Classes

  • Batch starts on 28th Sep 2023, Weekday batch

  • Batch starts on 2nd Oct 2023, Weekday batch

  • Batch starts on 6th Oct 2023, Fast Track batch

Global Promotional Image


Request for more information

Research Analyst
As a senior Technical Content Writer for HKR Trainings, Gayathri has a good comprehension of the present technical innovations, which incorporates perspectives like Business Intelligence and Analytics. She conveys advanced technical ideas precisely and vividly, as conceivable to the target group, guaranteeing that the content is available to clients. She writes qualitative content in the field of Data Warehousing & ETL, Big Data Analytics, and ERP Tools. Connect me on LinkedIn.