search command syntax details - Splunk Documentation (2024)

Syntax

The required syntax is in bold.

search <search-expression>

Required arguments

search-expression: Syntax: <literal-expression> | <comparison-expression> | <time-expression> | <index-expression>; Description: The <search-expression> can be a word or phrase, a field-value comparison, a list of values, or a group of search expressions. You can use logical expressions by using IN, AND, OR, or NOT comparisons in your <search-expression>.

You can use Boolean operators to specify more than one <search-expression>. The supported operators are AND, OR, and NOT. Examples of how you can use these operators are:

<search-expression> AND <search-expression>
<search-expression> OR <search-expression>
NOT <search-expression>

Literal expression

literal-expression: Syntax: <literal-value> | "<literal-phrase>"); Description: You can search for string values, number values, or phrases in your data. For example you can specify a word such as error, a number such as 404, or a phrase such as "time limit". If the string, number, or phrase contains any characters like periods ( . ) or spaces, you must enclose the word or phrase in double quotation marks.

Comparison expression

comparison-expression: Syntax: (<field><comparison-operator> [<value>| TERM | CASE]) | <field> IN (<value-list>); Description: You can specify a field name and a comparison operator, such as equal to ( = ) or greater than ( > ), followed by the literal number or string value of a field. You can also specify field name and the IN keyword followed by a list of values enclosed in parentheses. For example, you can specify categoryID="accessories" or bytes>3900 or status IN (400,403,404).

You can use comparison operators when searching for field/value pairs. Comparison expressions with the equal ( = ) or not equal (!= ) operator compare string values. For example, "1" does not match "1.0". Comparisons with greater than or less than operators, including <= and >= numerically compare two numbers and lexicographically compare other values. Valid comparison operators are: =, !=, <, <=, >, and >=. See search command usage.

You can use the CASE() or TERM() directives to perform an exact match for a term.

field: Syntax: <string>; Description: The name of a field.

value: Syntax: <literal-value>; Description: In comparison-expressions, the literal number or string value of a field.

value-list: Syntax: (<literal-value>, <literal-value>, ...); Description: Used with the IN operator to specify two or more values. For example use error IN (400, 402, 404, 406) instead of error=400 OR error=402 OR error=404 OR error=406.

CASE: Syntax: CASE(<term>); Description: By default searches are case-insensitive. If you search for Error, any case of that term is returned such as Error, error, and ERROR. Use the CASE directive to perform case-sensitive matches for terms and field values. CASE(error) will return only that specific case of the term.

TERM: Syntax: TERM(<term>); Description: When data is indexed, characters such as periods and underscores are recognized as minor segmenters between terms. Use the TERM directive to ignore the minor segmenters and match whatever is inside the parentheses as a single term. The <term> must have been bound by major segmenters, such as spaces or commas, before it was indexed. For example, the IP address 127.0.0.1 contains the period ( . ) minor segmenter. If you search for the IP address using | search 127.0.0.1 the search is converted into | search 127 AND 0 AND 1 which returns events that contain those numbers anywhere in the event. If you search using | search TERM(127.0.0.1) the search treats the IP address as a single term, instead of individual numbers.

Time expression

time-expression: Syntax: [<timeformat>] (<time-modifier>)...; Description: Describes the format of the start and end time of the search. Use the <timeformat> to set the time format. The <timeformat> is optional, and if not specified the default format is %m/%d/%Y:%H:%M:%S. Use the <time-modifier> to specify start and end times using absolute or relative times.

An absolute time range uses specific dates and times, for example, from 12 A.M. July 1, 2019 to 12 A.M. July 13, 2019.
A relative time range is dependent on when the search is run. For example, a relative time range of -60m means 60 minutes ago. If the current time is 3 P.M., the search returns events from the last 60 minutes, or 2 P.M. to 3 P.M. today.

Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest="10/5/2016:20:00:00", or a relative time such as earliest=-h or latest=@w6.

Time modifier	Description	Examples
starttime=<string>	Events must be later or equal to this time. Times must match the <timeformat>.	`starttime="%d-%b-%Y%H:%M:%S"`
endtime=<string>	All events must be earlier or equal to this time. Times must match the <timeformat>.	`endtime="%d-%b-%Y%H:%M:%S`
earliest=<time_modifier>	Events must be later or equal to this time. You can specify an absolute or relative time, including a snap-to time.	`earliest=4/27/2019:00:00:00` `earliest=-h@h earliest=-mon@mon`
latest=<time_modifier>	All events must be earlier or equal to this time. You can specify an absolute or relative time, including a snap-to time.	`latest=7/16/2019:00:00:00` `latest=now() latest=+7d@w6 latest=@mon`

Index expression

index-expression: Syntax: "<string>" | <term> | <search-modifier>; Description: Use to describe the events you want to retrieve from the index using literal strings and search modifiers.

string: Syntax: "<string>"; Description: Specify keywords or quoted phrases to match. When searching for strings and quoted strings, anything that is not a search modifier, the _raw field is searched for the matching events or results.

search-modifier: Syntax: <sourcetype-specifier> | <host-specifier> | <hosttag-specifier> | <source-specifier> | <savedsplunk-specifier> | <eventtype-specifier> | <eventtypetag-specifier> | <splunk_server-specifier>; Description: Search for events from specified fields or field tags. For example, search for one or a combination of hosts, sources, source types, saved searches, and event types. Also, search for the field tag, with the format: tag::<field>=<string>.

sourcetype-specifier: Syntax: sourcetype=<string>; Description: Search for events from the specified sourcetype field.

host-specifier: Syntax: host=<string>; Description: Search for events from the specified host field.

hosttag-specifier: Syntax: hosttag=<string>; Description: Search for events that have hosts that are tagged by the string.

eventtype-specifier: Syntax: eventtype=<string>; Description: Search for events that match the specified event type.

eventtypetag-specifier: Syntax: eventtypetag=<string>; Description: Search for events that would match all eventtypes tagged by the string.

savedsplunk-specifier: Syntax: savedsearch=<string> | savedsplunk=<string>; Description: Search for events that would be found by the specified saved search.

source-specifier: Syntax: source=<string>; Description: Search for events from the specified source field.

splunk_server-specifier: Syntax: splunk_server=<string>; Description: Search for events from a specific server. Use "local" to refer to the search head.