Splunk Search Commands

Splunk Commands List

The search command could also be used later in the search pipeline to filter the results from the preceding command. A subsearch can be performed using the search command. You can use commands to alter, filter, and report on events once they've been retrieved. To apply a command to the retrieved events, use the pipe character or vertical bar (|).

To gain in-depth knowledge with practical experience in Splunk,  Then explore HKR's Splunk Certification Course!

Syntax:

search <logical-expression>

1. Essential Arguments 

<expression>

Syntax: 

<logical-expression> | <time-opts> | <search-modifier> | NOT <logical-expression> | <index-expression> | <comparison-expression> | <logical-expression> [OR] <logical-expression>

Description: All keywords or field-value pairs that were used to describe the events to be retrieved from the index are included here. Whenever necessary, use parentheses. For this argument, you can use Boolean expressions, comparison operators, time modifiers, search modifiers, or expression combinations.

 Among terms and expressions, the AND operator is always implied. Web error, for instance, is the same as web AND error. Clientip=192.0.2.255 AND [email protected] are equivalent to clientip=192.0.2.255 AND [email protected] You don't need to define the AND operator unless you are including it for clarity's purpose.

2. Options for logical expressions

<comparison-expression>

Syntax: 

<field><comparison-operator><value> | <field> IN (<value-list>)

Description: Provide a list of possible values for a field or compare it to a literal value.

<index-expression>

Syntax:

"<string>" | <term> | <search-modifier>

Description: Using literal strings and search modifiers, describe the events you want to obtain from the index.

<time-opts>

[<timeformat>] (<time-modifier>)...

Description: Describe the format of the search's start time and end time terms.

Splunk Training

• Master Your Craft
• Lifetime LMS & Faculty Access
• 24/7 online expert support
• Real-world & Project Based Learning

Explore Curriculum

3. Optional expressions for comparison

<comparison-operator>

Syntax:

 = |  != | < | <= | > | >=

Description: When looking for field/value pairs, you can employ comparison operators. The equal (=) and not equal (!=) operators compare string values in comparison expressions. For instance, "1" does not equal "1.0." Comparison expressions with the larger than or less than operators >= >= compare two numbers numerically and lexicographically.

<field>

Syntax:

<string>

Description: The field name.

<value>

Syntax:

<literal-value>

Description: The literal number or string value of a field in comparison expressions.

<value-list>

Syntax:

(<literal-value>, <literal-value>, ...)

Description: To provide two or more values, use the IN operator. For instance use error IN (400, 402, 404, 406) rather then error=400 OR error=402 OR error=404 OR error=406

We have the perfect professional Splunk Tutorial for you. Enroll now!

4. Index expression options

<string>

Syntax:

"<string>"

Description: To match, provide a list of keywords or phrases. Splunk software searches the _raw field for matching events or results when searching for strings and quoted strings (anything that isn't a search modifier).

<search-modifier>

Syntax: 

<sourcetype-specifier> | <host-specifier> | <hosttag-specifier> | <source-specifier> | <savedsplunk-specifier> | <eventtype-specifier> | <eventtypetag-specifier> | <splunk_server-specifier>

Description: Find events based on specific fields or field tags. For instance, you can look for one or more hosts, sources, source types, saved searches, and event types. Also, look for the tag field, which has the following format: tag::=.

<field>=<string>

<sourcetype-specifier>

Syntax:

sourcetype=<string>

Find events based on the source type field.

<host-specifier>

Syntax:

host=<string>

Description: Look for events originating from the provided host field.

<hosttag-specifier>

Syntax:

hosttag=<string>

Description: Look for events with hosts who are tagged with the string.

<eventtype-specifier>

Syntax:

eventtype=<string>

Description: Look for events that match the type of event you've specified.

<eventtypetag-specifier>

Syntax:

eventtypetag=<string>

Description: Look for events that match all of the event types tagged with the string.

<savedsplunk-specifier>

Syntax:

savedsearch=<string> | savedsplunk=<string>

Description: Look for events that would be discovered by the saved search.

<source-specifier>

Syntax:

source=<string>

Description: Find events based on the source field.

<splunk_server-specifier>

Syntax:

splunk_server=<string>

Description: Look for events from a particular server. To refer to the search head, use the term "local."

Subscribe to our youtube channel to get new updates..!

Subscribe

5. Time options

See Time modifiers to search for a list of time modifiers.

<timeformat>

Syntax:

timeformat=<string>

Description: Set the start time and end time terms' time format.

Default: timeformat=%m/%d/%Y:%H:%M:%S.

<time-modifier>

Syntax:

starttime=<string> | endtime=<string> | earliest=<time_modifier> | latest=<time_modifier>

Description: Use the relative or absolute time to specify the start and end times.

<starttime>

Syntax:

starttime=<string>

Description: Events must occur later or at the same time as this. The time format must be the same.

<endtime>

Syntax:

endtime=<string>

Description: All events must take place at or before this time.

6. Usage

When it is the initial command in the search, before the first pipe, the search command is event-generating. When it is the initial command in the search, before the first pipe, the search command is event-generating. 

6.1 The search command that is implied

At the start of every search, the search command is implied.

You can use terms like keywords, phrases, fields, boolean expressions, and comparison expressions to indicate exactly which events you want to get from Splunk indexes when a search is the first command in the search. If no field is specified, the search will seek phrases in the _raw field.

Some search terms to consider include:

• keywords: error login, which is the same as specifying for error AND login
  
• quoted phrases: "database error"
  
• boolean operators: login NOT (error OR fail)
  
• wildcards: fail*
  
• field-value pairs: status=404, status!=404, or status>200

6.2 Employing the search command following in the search pipeline

You can use the search command later in the search pipeline in addition to the implied search command at the beginning of all searches. Which fields are given into the search command determines which search phrases you can use. 

You can use the same types of search words if the _raw field is supplied to the search command as when the search command is the first command in a search.

You must supply field-values pairs that match the fields passed into the search command if the _raw field is not passed into the search command. The _raw field is not passed to the next command in the pipeline by transforming operations like stats and charts.

Top 40 frequently asked Splunk Interview Questions !

7. Boolean expressions

The search evaluates Boolean expressions in the following order:

• Expressions within parentheses
• NOT clauses
• OR clauses
• AND clauses

This assessment order differs from the where command's evaluation order. AND clauses are evaluated before OR clauses in the where command.

7.1 Two Fields Comparison

When using the search command to compare two fields, don't use index=myindex fieldA=fieldB or index=myindex fieldA!=fieldB. The search command expects a to be compared to a when you give a comparison expression. The fieldB is interpreted by the search command as a value rather than a field name.

When comparing two fields, use the where command.

index=myindex | where fieldA=fieldB

 You can describe the criteria in a variety of ways for not equal comparisons.

index=myindex | where fieldA!=fieldB

or

index=myindex | where NOT fieldA=fieldB

7.2 Using the IN operator to compare multiple field-value

When you want to see if a field includes one of the numerous values, use the IN operator.

For example, use this syntax:

... error_code IN (400, 402, 404, 406) | ...

Instead of this syntax:

... error_code=400 OR error_code=402 OR error_code=404 OR error_code=406 | ...

When using the IN operator with the search command, you can use a wildcard character in the list of values. Consider the following example:

... error_code IN (40*) | ...

 With the IN operator, the NOT operator can be used. As an example:

... NOT clientip IN (211.166.11.101, 182.236.164.11, 128.241.220.82) | ...

 You can also use the IN function in conjunction with the eval and where commands. When the IN function is used with the eval and where commands, wild card characters are not allowed in the values list.

7.3 Order of lexicography

The values used to encode the items in computer memory are utilized to sort them in lexicographic order. UTF-8 encoding, which is a superset of ASCII, is almost always used in Splunk software.

• Prior to sorting letters, the numbers are sorted. The initial digit is used to sort the numbers. The integers 10, 9, 70, 100, for example, are lexicographically arranged as 10, 100, 70, 9.
• Lowercase letters are sorted first, followed by uppercase letters.
• Symbols aren't standard. Numeric values are arranged before some symbols. Other symbols are arranged before and after letters.

You can override the lexicographical order with a custom sort order.

Explore Splunk Sample Resumes! Download & Edit, Get Noticed by Top Employers! 

7.4 Escape characters and quotes

In general, quotation marks are required surrounding white spaces, commas, pipes, quotes, and brackets in phrases and field values. Balance is required when using quotation marks. An unescaped closing quotation must come after an opening quotation. As an example:

• The number of events containing the string error may be found using a search like error | stats count.
• A search like ... | search "error | stats count" would return raw events with error, a pipe, stats, and count in that order.
   

If you don't want to search for the default meaning of keywords and phrases, such as Boolean operators and field/value pairs, you should use quotation marks around them. For example:

• Error "AND" when searching for the phrase AND without knowing what the Boolean operator implies.
• Error "startswith=foo" during a search for this field/value phrase.
   

To escape quotes, pipes, and itself, the backslash character (\) is used. Inside quotation marks, backslash-escape sequences are still expanded. For example:

• Instead of splitting the pipe between commands, the sequence | as part of a search sends a pipe character to the command.
• The sequence \" sends a literal quotation mark to the command, for example, when using rex to search for a literal quotation mark or put a literal quotation mark into a field.
• As a literal backslash in the command, the \\ sequence would be available.

Backslash sequences that aren't recognized aren't changed:

• Because \s is not a recognized escape sequence, it will be exposed as \s to the command in a search string.
• However, because \\ is a known escape sequence that is converted to \, \s will be available as \s to the command in the search string.

8. Search with TERM()

The TERM() directive can be used to instruct Splunk software to index whatever is inside the parenthesis as a single term. When a term comprises minor segmenters, such as periods, and is bounded by major segmenters, such as spaces or commas, TERM is more useful. TERM doesn't work for terms that aren't separated by major breakers.

9.  Search with CASE()

To find terms and field values that are case-sensitive, use the CASE() directive.

10. Conclusion:
We have learned various search commands, along with their syntax and usages. We hope this blog is very useful to you and has also given descriptions for understanding various expressions.

Other Related Blogs:

• Splunk Timechart
• Splunk Enterprise