) Description: Used with the IN operator to specify two or more values. Syntax: Description: In comparison-expressions, the literal number or string value of a field. Syntax: Description: The name of a field. Comparison expressions with greater than or less than operators = numerically compare two numbers and lexicographically compare other values. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. Comparison expression options Syntax: = | != | | >= Description: You can use comparison operators when searching field/value pairs. Description: Describe the format of the starttime and endtime terms of the search.
Syntax: "" | | Description: Describe the events you want to retrieve from the index using literal strings and search modifiers. Logical expression options Syntax: | IN () Description: Compare a field to a literal value or provide a list of values that can appear in the field. Specifying clientip=192.0.2.255 is the same as clientip=192.0.2.255 AND So unless you want to include it for clarity reasons, you do not need to specify the AND operator. For example, web error is the same as web AND error. The AND operator is always implied between terms and expressions. Use Boolean expressions, comparison operators, time modifiers, search modifiers, or combinations of expressions for this argument. Required arguments Syntax: | | | NOT | | | Description: Includes all keywords or field-value pairs used to describe the events to retrieve from the index.
The search command supports IPv4 and IPv6 addresses and subnets that use CIDR notation. Use the vertical bar ( | ), or pipe character, to apply a command to the retrieved events. See about subsearches in the Search Manual.Īfter you retrieve events, you can apply commands to transform, filter, and report on the events. The search command can also be used in a subsearch. You can also use the search command later in the search pipeline to filter the results from the previous command in the pipeline. You do not need to specify the search command at the beginning of your search criteria. The search command is implied at the beginning of any search. You can retrieve events from your indexes, using keywords, quoted phrases, wildcards, and field-value expressions. If you use a wildcard for the value, NOT fieldA=* returns events where fieldA is null or undefined, and fieldA!=* never returns any events.Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. The following search returns events where fieldA exists and does not have the value "value2". The following search returns everything except fieldA="value2", including all other fields. Searching with the boolean "NOT" comparison operator is not the same as using the "!=" comparison. Search sourcetype=access_combined_wcookie action IN (addtocart, purchase) 5.
In the events from an access.log file, search the action field for the values addtocart or purchase.
#Splunk search examples how to#
This example shows how to use the IN operator to specify a list of field-value pair matchings. Search host=webserver* status IN(4*, 5*) 4.
Search host=webserver* (status=4* OR status=5*)Īn alternative is to use the IN operator, because you are specifying two field-value pairs on the same field. This example searches for events from all of the web servers that have an HTTP client and server error status. This example shows field-value pair matching with wildcards. Search (code=10 OR code=29 OR code=43) host!="localhost" xqp>5Īn alternative is to use the IN operator, because you are specifying multiple field-value pairs on the same field.
#Splunk search examples code#
This example searches for events with code values of either 10, 29, or 43 and any host that is not "localhost", and an xqp value that is greater than 5. This example shows field-value pair matching with boolean and comparison operators. This example shows field-value pair matching for specific values of source IP (src) and destination IP (dst). To learn more about the search command, see How the search command works. The following are examples for using the SPL2 search command.
0 kommentar(er)
