Search rules

Here are the most important rules for searching in Splunk:

  • search terms are case insensitive.
  • you can combine multiple search terms in a single search.
  • to search for a phrase, use quotation marks. For example, to search for an exact phrase of failed login, you would enter “failed login” in the search bar.
  • Boolean logic is supported. You don’t have to write the AND keyword between search terms; it is implied. To specify that either one of two or more arguments should be true, use the OR keyword. To filter out events ontaining a specific word, use the NOT keyword.
  • Splunk’s search language is known as the Search Processing Language (SPL). This language contains hundreds of search commands and their functions, arguments and clauses. For example, to sort results in either ascending or descending order, you would use the SPL command sort. To format results into a tabular output, you can use the table command. We will describe many of the SPL commands in the following chapters.
Splunk tutorial

Splunk tutorial

Geek University 2022