Splunk Recipes: Difference between revisions
Line 32:
 sourcetype=access_* status=200 action=purchase
 </pre>
 ==Not Equals==
 Use "!=".
+==Boolean Operators==
+===OR===
+<pre>
+(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
+</pre>
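Review bot: in the added OR example, the parentheses around the two groups are redundant, since OR is associative and `error OR fail* OR severe OR status=404 OR status=500 OR status=503` is equivalent; if the grouping is meant as a teaching aid, a sentence saying the parentheses are optional here would stop readers from assuming they are required. Also worth stating under the new "Boolean Operators" heading that the operator must be written in uppercase, as a lowercase `or` is treated as a search term.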
Revision as of 16:24, 21 September 2016
Internal
Searching with Fields
For more on the fundamentals of Splunk fields, see Splunk Concepts - Fields.
When searching for a specific field, use the following syntax:
field_name="field value"
Field names are case sensitive. Field values are not case sensitive.
Quotation marks are required when the field values include spaces.
Wildcards can be used in field values:
field_name="prefix*"
Search Syntax
Expressions involving fields are explained above under Searching with Fields.
Logical AND is implicit between adjacent expressions; the following search matches only events that satisfy all three conditions:
sourcetype=access_* status=200 action=purchase
Not Equals
Use "!=" in place of "=": field_name!="field value".
Boolean Operators
OR
(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)
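The rules above (case-sensitive field names, case-insensitive values, "*" wildcards, implicit AND, "!=", and OR with parentheses) applied by a small toy search evaluator, added here as an illustration. It is not Splunk's search engine and the events are constructed. It parses a query string written in the page's syntax and applies it to in-memory events; it assumes Splunk's documented precedence, where OR is evaluated before the implicit AND, and it handles field!=value on events lacking the field the way Splunk documents it (such events are not returned). Free-text terms are matched against the tokens of the event's _raw field; quoted multi-word phrases are not handled.

```python
"""Toy evaluator for the subset of Splunk search syntax covered on this page.

Added example: not Splunk code. Events below are constructed.
"""
import re

# Constructed sample events; "id" is only there so results are easy to check.
EVENTS = [
    {"id": 1, "sourcetype": "access_combined", "status": "200", "action": "purchase",
     "client": "Acme Browser", "_raw": "GET /checkout 200 action=purchase"},
    {"id": 2, "sourcetype": "access_combined", "status": "404", "action": "view",
     "client": "Acme Bot", "_raw": "GET /missing 404 action=view"},
    {"id": 3, "sourcetype": "access_common", "status": "200", "action": "Purchase",
     "_raw": "POST /buy 200 action=Purchase"},
    {"id": 4, "sourcetype": "syslog", "status": "503",
     "_raw": "upstream ERROR: backend severe"},
    {"id": 5, "sourcetype": "syslog",           # no status field at all
     "_raw": "worker failed after retry"},
]

# Tokens: "(", ")", an optional field=  prefix followed by a quoted value, or a bare word.
TOKEN_RE = re.compile(r'\(|\)|[^\s()"]*"[^"]*"|[^\s()"]+')


def _wild(pattern):
    """Only '*' is special; the whole value must match, case-insensitively."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")) + r"\Z", re.IGNORECASE)


def _strip_quotes(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _atom(tok):
    """Predicate for one term: field=value, field!=value, or a free-text term."""
    m = re.match(r'^([^=!"]+)(!=|=)(.*)$', tok)
    if m:
        name, op, raw = m.groups()
        rx = _wild(_strip_quotes(raw))

        def pred(event):
            if name not in event:        # field names are case-sensitive: "Status" is not "status";
                return False             # Splunk also excludes events lacking the field for "!="
            hit = rx.match(str(event[name])) is not None
            return not hit if op == "!=" else hit
        return pred
    rx = _wild(_strip_quotes(tok))       # free-text term, matched against _raw tokens
    return lambda event: any(rx.match(t) for t in re.findall(r"\w+", event.get("_raw", "")))


class _Parser:
    """Recursive descent: and_expr := or_expr+ ; or_expr := primary ('OR' primary)*."""

    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def and_expr(self):                  # implicit AND between adjacent terms (lowest precedence)
        parts = []
        while self.peek() is not None and self.peek() != ")":
            parts.append(self.or_expr())
        return lambda e: all(p(e) for p in parts)

    def or_expr(self):                   # OR binds tighter than the implicit AND; must be uppercase
        parts = [self.primary()]
        while self.peek() == "OR":
            self.take()
            parts.append(self.primary())
        return lambda e: any(p(e) for p in parts)

    def primary(self):
        tok = self.take()
        if tok == "(":
            inner = self.and_expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok is None or tok == ")":
            raise ValueError("unexpected end of query")
        return _atom(tok)


def compile_search(query):
    """Turn a query string into a predicate over one event."""
    p = _Parser(query)
    pred = p.and_expr()
    if p.peek() is not None:
        raise ValueError("unexpected token: " + p.peek())
    return pred


def search(events, query):
    pred = compile_search(query)
    return [e for e in events if pred(e)]


def ids(query, events=EVENTS):
    """Sorted ids of the constructed events matched by query."""
    return sorted(e["id"] for e in search(events, query))


if __name__ == "__main__":
    for q in ("sourcetype=access_* status=200 action=purchase",   # implicit AND, wildcard, value case
              "Sourcetype=access_*",                               # field name case matters: nothing
              'client="Acme Browser"',                             # quotes needed for a space
              "sourcetype=access_* status!=200",                   # not equals
              "(error OR fail* OR severe) OR (status=404 OR status=500 OR status=503)",
              "sourcetype=syslog error OR fail*"):                 # OR evaluated before the implicit AND
        print(f"{q!r:75} -> {ids(q)}")
```

Query 6 in the usage block is the one to study: without parentheses it still reads as sourcetype=syslog AND (error OR fail*), which is the precedence the evaluator assumes.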