In Splunk, the character placed before a command is the pipe symbol, also known as the vertical bar, written as “|”. The pipe chains commands together in Splunk’s search language, passing the results of one command on to the next, so a single search query can perform several operations on your data.
The search command retrieves events from your indexes, or filters the results of an earlier command in the pipeline. Events are retrieved using keywords, quoted phrases, wildcards, and field-value expressions. The search command is implied at the start of every search, so you do not need to write the word search at the beginning of your search criteria.
Syntax
How the search command operates
When you use the search command you specify a search expression made up of keywords or field-value pairs. For instance, you can search for a particular phrase in your data, then use a pipe symbol to pass the matching events to a command that filters the results on a particular field.
Required arguments
Include all the keywords or field-value pairs that describe the events you want to retrieve from the index, with parentheses where needed to group them. Arguments can be keywords, comparison expressions, Boolean expressions, search modifiers, time modifiers, and combinations of these.
<expression>
Syntax
<logical-expression> | <search-modifier> | <time-opts> | NOT <logical-expression> | <comparison-expression> | <index-expression> | <logical-expression> [OR] <logical-expression>
The AND operator is implied between adjacent expressions and terms, so you do not have to write it. For instance, web error is the same as web AND error.
Implied Search Command
The search command is implied at the start of every search. When search is the first command, you can use keywords, phrases, field-value pairs, comparison expressions, and Boolean expressions to specify exactly which events to retrieve from the Splunk indexes. When you do not name a field, the search looks for the terms in the _raw field.
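As an added example (not from the original page), here are three implied searches that mix the term types listed above. The index name auth, the sourcetype linux_secure and the fields user and src are assumptions; substitute the names used in your own environment.

```spl
failed password

index=auth sourcetype=linux_secure earliest=-24h@h latest=now "Failed password" (user=admin OR user=backup) NOT src=10.0.0.1

search index=auth sourcetype=linux_secure earliest=-24h@h latest=now "Failed password" (user=admin OR user=backup) NOT src=10.0.0.1
```

The first search names no field, so both keywords are matched against _raw, joined by an implied AND and without regard to case. The second adds an index expression, time modifiers, a quoted phrase, a parenthesised OR and a NOT. The third is identical to the second: writing search explicitly at the front changes nothing. One caveat worth knowing: NOT src=10.0.0.1 keeps events that have no src field at all, whereas src!=10.0.0.1 returns only events where the field is present with a different value.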
Using Search Command Later in the search pipeline
Besides the implied search command at the start of every search, you can also use the search command later in the pipeline. The search terms you can use there depend on which fields are passed into that search command.
If the _raw field is passed to the search command, you can use the same kinds of search terms as when search is the first command in a search. If _raw is not passed, you must specify field-value pairs that match the fields that are passed to it. Transforming commands such as chart and stats do not pass the _raw field to the next command in the pipeline.
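An added example (not part of the original page) of the search command after a transforming command. The index auth, the sourcetype linux_secure and the fields user and src are assumptions.

```spl
index=auth sourcetype=linux_secure "Failed password" | stats count AS failures dc(src) AS sources by user | search failures>20 sources>5

index=auth sourcetype=linux_secure | stats count by user | search "Failed password"
```

In the first search, only the fields user, failures and sources survive the stats command, so the trailing search filters on those with numeric comparisons; this is a simple way to surface accounts under password spraying from many sources. The second search returns nothing: after stats there is no _raw field for the keyword to match against, so the keyword has to be placed before the stats command, as in the first search.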
Comparing Two Fields
When comparing two fields, do not write index=myindex fieldA=fieldB or index=myindex fieldA!=fieldB with the search command. In a comparison expression, the search command expects a field compared with a value, so it treats fieldB as a literal value, not as a field name.
Use the where command to compare two fields: index=myindex | where fieldA=fieldB
For not-equal comparisons you can state the criteria in several ways: index=myindex | where fieldA!=fieldB
or index=myindex | where NOT fieldA=fieldB
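An added example, not from the original page, showing the wrong and the right ways to compare two fields. The index auth and the fields src_user and dest_user are assumptions (think of the account that requested a privilege change and the account it targets).

```spl
index=auth src_user=dest_user

index=auth | where src_user=dest_user

index=auth | where src_user!=dest_user

index=auth | where NOT src_user=dest_user

index=auth | eval cross_account=if(src_user!=dest_user, 1, 0) | search cross_account=1
```

The first search only matches events in which src_user is literally the string dest_user, which is almost certainly not what you meant. The where searches evaluate both sides as fields. The last search computes the comparison with eval and then filters with search later in the pipeline, which works because eval passes the new field cross_account along; events missing either field evaluate to 0 and are not flagged.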
Boolean expressions
Boolean expressions in a search are evaluated in this order:
- Expressions inside parentheses
- NOT sections
- OR sections
- AND sections
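An added example (not from the original page) of how the evaluation order changes what a search returns. The index web, the sourcetype access_combined and the field status are assumptions.

```spl
index=web sourcetype=access_combined error OR timeout status=503

index=web sourcetype=access_combined (error OR timeout) status=503

index=web sourcetype=access_combined error OR (timeout status=503)

index=web sourcetype=access_combined NOT status=200 OR status=304

index=web sourcetype=access_combined NOT (status=200 OR status=304)
```

Because OR is evaluated before the implied AND, the first and second searches are equivalent, while the third is a different search. Because NOT is evaluated before OR, the fourth search means (NOT status=200) OR status=304, which returns every event that is not a 200, whereas the fifth excludes both status codes. Whenever NOT and OR appear together, add the parentheses rather than relying on the default order.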
Comparing Multiple Fields with IN operator
Use the IN operator when you want to find events in which a field has one of several values.
Syntax
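The form is <field> IN (<value>, <value>, ...). As an added example (not from the original page), the searches below use it; the indexes auth and web, the sourcetypes and the fields action, app, status, clientip and user are assumptions.

```spl
index=auth sourcetype=linux_secure action=failure app IN (sshd, sudo, su)

index=auth sourcetype=linux_secure action=failure (app=sshd OR app=sudo OR app=su)

index=web sourcetype=access_combined status IN (401, 403, 429) NOT clientip IN ("10.0.0.1", "10.0.0.2")

index=auth user IN (admin*, svc_*)
```

The first two searches are equivalent; IN is shorthand for a chain of OR comparisons on the same field. Negation is written NOT field IN (...), as in the third search. The search command accepts wildcards in the value list, as in the fourth search; the eval function in() does not.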
Searching with TERM()
Use the TERM() directive to tell Splunk software to match whatever is inside the parentheses as a single term in the index. TERM() is most useful when the term contains minor segmenters such as periods, and is bounded by major segmenters such as spaces or commas.
Searching with CASE()
Use the CASE() directive to search for terms and field values in a case-sensitive way.
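An added example (not from the original page) covering both directives. The indexes fw and web, the sourcetypes firewall and access_combined, and the event layouts are assumptions; default segmentation is also assumed.

```spl
index=fw sourcetype=firewall TERM(10.1.2.3)

index=fw sourcetype=firewall 10.1.2.3

index=fw sourcetype=firewall TERM(src=10.1.2.3)

index=web sourcetype=access_combined CASE(Administrator)

index=web sourcetype=access_combined Administrator
```

With default segmentation, periods are minor breakers, so an IP address bounded by spaces is indexed both as the whole token 10.1.2.3 and as the pieces 10, 1, 2 and 3. The first search looks up the single token, which is fast. The second looks up the pieces and then checks the raw text, which returns the same events more slowly. TERM() only matches a token that is exactly what is in the parentheses: if the event reads src=10.1.2.3, the equals sign is also a minor breaker, the indexed token is src=10.1.2.3, and TERM(10.1.2.3) finds nothing, so you would write the third search instead. The fourth search matches only Administrator with that exact capitalisation, while the fifth also matches administrator and ADMINISTRATOR, because searches are case-insensitive by default.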