nationsite.blogg.se - Splunk search examples

You can specify an absolute or relative time, including a snap-to expression index-expression Syntax: "" | | Description: Use to describe the events you want to retrieve from the index using literal strings and search modifiers. You can specify an absolute or relative time, including a snap-to events must be earlier or equal to this time. You can specify an exact time such as earliest=":20:00:00", or a relative time such as earliest=-h or modifierĮvents must be later or equal to this time.Īll events must be earlier or equal to this time. Use the earliest and latest modifiers to specify custom and relative time ranges. If the current time is 3 P.M., the search returns events from the last 60 minutes, or 2 P.M. For example, a relative time range of -60m means 60 minutes ago.

A relative time range is dependent on when the search is run.

An absolute time range uses specific dates and times, for example, from 12 A.M.

Use the to specify start and end times using absolute or relative times. The is optional, and if not specified the default format is %m/%d/%Y:%H:%M:%S. Description: Describes the format of the start and end time of the search. Time expression time-expression Syntax: (). If you search using | search TERM(127.0.0.1) the search treats the IP address as a single term, instead of individual numbers. If you search for the IP address using | search 127.0.0.1 the search is converted into | search 127 AND 0 AND 1 which returns events that contain those numbers anywhere in the event. For example, the IP address 127.0.0.1 contains the period (. The must have been bound by major segmenters, such as spaces or commas, before it was indexed. Use the TERM directive to ignore the minor segmenters and match whatever is inside the parentheses as a single term. TERM Syntax: TERM() Description: When data is indexed, characters such as periods and underscores are recognized as minor segmenters between terms. CASE(error) will return only that specific case of the term. Use the CASE directive to perform case-sensitive matches for terms and field values. If you search for Error, any case of that term is returned such as Error, error, and ERROR. CASE Syntax: CASE() Description: By default searches are case-insensitive. ) Description: Used with the IN operator to specify two or more values. value Syntax: Description: In comparison-expressions, the literal number or string value of a field.

field Syntax: Description: The name of a field. You can use the CASE() or TERM() directives to perform an exact match for a term. Valid comparison operators are: =, !=,, and >=.

Comparisons with greater than or less than operators, including = numerically compare two numbers and lexicographically compare other values. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. You can use comparison operators when searching for field/value pairs. For example, you can specify categoryID="accessories" or bytes>3900 or status IN (400,403,404). You can also specify field name and the IN keyword followed by a list of values enclosed in parentheses. Comparison expression comparison-expression Syntax: ( ) | IN () Description: You can specify a field name and a comparison operator, such as equal to ( = ) or greater than ( > ), followed by the literal number or string value of a field. ) or spaces, you must enclose the word or phrase in double quotation marks. If the string, number, or phrase contains any characters like periods (. For example you can specify a word such as error, a number such as 404, or a phrase such as "time limit". Literal expression literal-expression Syntax: | "") Description: You can search for string values, number values, or phrases in your data. Examples of how you can use these operators are:

The supported operators are AND, OR, and NOT. You can use Boolean operators to specify more than one. You can use logical expressions by using IN, AND, OR, or NOT comparisons in your.

Search Required arguments search-expression Syntax: | | | Description: The can be a word or phrase, a field-value comparison, a list of values, or a group of search expressions.