Syntax: | | | | | | | Description: Search for events from specified fields or field tags. When searching for strings and quoted strings (anything that's not a search modifier), Splunk software searches the _raw field for the matching events or results. For example use error IN (400, 402, 404, 406) instead of error=400 OR error=402 OR error=404 OR error=406 Index expression options Syntax: "" Description: Specify keywords or quoted phrases to match. ) Description: Used with the IN operator to specify two or more values. Syntax: Description: In comparison-expressions, the literal number or string value of a field. Syntax: Description: The name of a field. Comparison expressions with greater than or less than operators = numerically compare two numbers and lexicographically compare other values. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. Comparison expression options Syntax: = | != | | >= Description: You can use comparison operators when searching field/value pairs. Description: Describe the format of the starttime and endtime terms of the search. Syntax: "" | | Description: Describe the events you want to retrieve from the index using literal strings and search modifiers. Logical expression options Syntax: | IN () Description: Compare a field to a literal value or provide a list of values that can appear in the field. Specifying clientip=192.0.2.255 is the same as clientip=192.0.2.255 AND So unless you want to include it for clarity reasons, you do not need to specify the AND operator. For example, web error is the same as web AND error. The AND operator is always implied between terms and expressions. Use Boolean expressions, comparison operators, time modifiers, search modifiers, or combinations of expressions for this argument. Required arguments Syntax: | | | NOT | | | Description: Includes all keywords or field-value pairs used to describe the events to retrieve from the index. The search command supports IPv4 and IPv6 addresses and subnets that use CIDR notation. Use the vertical bar ( | ), or pipe character, to apply a command to the retrieved events. See about subsearches in the Search Manual.Īfter you retrieve events, you can apply commands to transform, filter, and report on the events. The search command can also be used in a subsearch. You can also use the search command later in the search pipeline to filter the results from the previous command in the pipeline. You do not need to specify the search command at the beginning of your search criteria. The search command is implied at the beginning of any search. You can retrieve events from your indexes, using keywords, quoted phrases, wildcards, and field-value expressions. Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |