In this blog, we are going to see various Search Commands in Splunk. To get events from indexes or to filter the results of a previous search command in the pipeline, use the search command. Keywords, quoted phrases, wildcards, and field-value expressions can all be used to retrieve events from your indexes. At the start of any search, the search command is implied. The search command does not need to be specified at the start of your search criteria.
The search command could also be used later in the search pipeline to filter the results from the preceding command. A subsearch can be performed using the search command. You can use commands to alter, filter, and report on events once they've been retrieved. To apply a command to the retrieved events, use the pipe character or vertical bar (|).
To gain in-depth knowledge with practical experience in Splunk, Then explore HKR's Splunk Certification Course!
<logical-expression> | <time-opts> | <search-modifier> | NOT <logical-expression> | <index-expression> | <comparison-expression> | <logical-expression> [OR] <logical-expression>
Description: All keywords or field-value pairs that were used to describe the events to be retrieved from the index are included here. Whenever necessary, use parentheses. For this argument, you can use Boolean expressions, comparison operators, time modifiers, search modifiers, or expression combinations.
Among terms and expressions, the AND operator is always implied. Web error, for instance, is the same as web AND error. Clientip=192.0.2.255 AND earliest=-1h@h are equivalent to clientip=192.0.2.255 AND earliest=-1h@h. You don't need to define the AND operator unless you are including it for clarity's purpose.
<field><comparison-operator><value> | <field> IN (<value-list>)
Description: Provide a list of possible values for a field or compare it to a literal value.
"<string>" | <term> | <search-modifier>
Description: Using literal strings and search modifiers, describe the events you want to obtain from the index.
Description: Describe the format of the search's start time and end time terms.
= | != | < | <= | > | >=
Description: When looking for field/value pairs, you can employ comparison operators. The equal (=) and not equal (!=) operators compare string values in comparison expressions. For instance, "1" does not equal "1.0." Comparison expressions with the larger than or less than operators >= >= compare two numbers numerically and lexicographically.
Description: The field name.
Description: The literal number or string value of a field in comparison expressions.
(<literal-value>, <literal-value>, ...)
Description: To provide two or more values, use the IN operator. For instance use error IN (400, 402, 404, 406) rather then error=400 OR error=402 OR error=404 OR error=406
We have the perfect professional Splunk Tutorial for you. Enroll now!
Description: To match, provide a list of keywords or phrases. Splunk software searches the _raw field for matching events or results when searching for strings and quoted strings (anything that isn't a search modifier).
<sourcetype-specifier> | <host-specifier> | <hosttag-specifier> | <source-specifier> | <savedsplunk-specifier> | <eventtype-specifier> | <eventtypetag-specifier> | <splunk_server-specifier>
Description: Find events based on specific fields or field tags. For instance, you can look for one or more hosts, sources, source types, saved searches, and event types. Also, look for the tag field, which has the following format: tag::
Find events based on the source type field.
Description: Look for events originating from the provided host field.
Description: Look for events with hosts who are tagged with the string.
Description: Look for events that match the type of event you've specified.
Description: Look for events that match all of the event types tagged with the string.
savedsearch=<string> | savedsplunk=<string>
Description: Look for events that would be discovered by the saved search.
Description: Find events based on the source field.
Description: Look for events from a particular server. To refer to the search head, use the term "local."
See Time modifiers to search for a list of time modifiers.
Description: Set the start time and end time terms' time format.
starttime=<string> | endtime=<string> | earliest=<time_modifier> | latest=<time_modifier>
Description: Use the relative or absolute time to specify the start and end times.
Description: Events must occur later or at the same time as this. The time format must be the same.
Description: All events must take place at or before this time.
When it is the initial command in the search, before the first pipe, the search command is event-generating. When it is the initial command in the search, before the first pipe, the search command is event-generating.
At the start of every search, the search command is implied.
You can use terms like keywords, phrases, fields, boolean expressions, and comparison expressions to indicate exactly which events you want to get from Splunk indexes when a search is the first command in the search. If no field is specified, the search will seek phrases in the _raw field.
Some search terms to consider include:
You can use the search command later in the search pipeline in addition to the implied search command at the beginning of all searches. Which fields are given into the search command determines which search phrases you can use.
You can use the same types of search words if the _raw field is supplied to the search command as when the search command is the first command in a search.
You must supply field-values pairs that match the fields passed into the search command if the _raw field is not passed into the search command. The _raw field is not passed to the next command in the pipeline by transforming operations like stats and charts.
The search evaluates Boolean expressions in the following order:
This assessment order differs from the where command's evaluation order. AND clauses are evaluated before OR clauses in the where command.
When using the search command to compare two fields, don't use index=myindex fieldA=fieldB or index=myindex fieldA!=fieldB. The search command expects a
When comparing two fields, use the where command.
index=myindex | where fieldA=fieldB
You can describe the criteria in a variety of ways for not equal comparisons.
index=myindex | where fieldA!=fieldB
index=myindex | where NOT fieldA=fieldB
When you want to see if a field includes one of the numerous values, use the IN operator.
For example, use this syntax:
... error_code IN (400, 402, 404, 406) | ...
Instead of this syntax:
... error_code=400 OR error_code=402 OR error_code=404 OR error_code=406 | ...
When using the IN operator with the search command, you can use a wildcard character in the list of values. Consider the following example:
... error_code IN (40*) | ...
With the IN operator, the NOT operator can be used. As an example:
... NOT clientip IN (184.108.40.206, 220.127.116.11, 18.104.22.168) | ...
You can also use the IN function in conjunction with the eval and where commands. When the IN function is used with the eval and where commands, wild card characters are not allowed in the values list.
The values used to encode the items in computer memory are utilized to sort them in lexicographic order. UTF-8 encoding, which is a superset of ASCII, is almost always used in Splunk software.
You can override the lexicographical order with a custom sort order.
Explore Splunk Sample Resumes! Download & Edit, Get Noticed by Top Employers!
In general, quotation marks are required surrounding white spaces, commas, pipes, quotes, and brackets in phrases and field values. Balance is required when using quotation marks. An unescaped closing quotation must come after an opening quotation. As an example:
If you don't want to search for the default meaning of keywords and phrases, such as Boolean operators and field/value pairs, you should use quotation marks around them. For example:
To escape quotes, pipes, and itself, the backslash character (\) is used. Inside quotation marks, backslash-escape sequences are still expanded. For example:
Backslash sequences that aren't recognized aren't changed:
The TERM() directive can be used to instruct Splunk software to index whatever is inside the parenthesis as a single term. When a term comprises minor segmenters, such as periods, and is bounded by major segmenters, such as spaces or commas, TERM is more useful. TERM doesn't work for terms that aren't separated by major breakers.
To find terms and field values that are case-sensitive, use the CASE() directive.
We have learned various search commands, along with their syntax and usages. We hope this blog is very useful to you and has also given descriptions for understanding various expressions.
Other Related Blogs:
Batch starts on 29th May 2022, Weekend batch
Batch starts on 2nd Jun 2022, Weekday batch
Batch starts on 6th Jun 2022, Weekday batch