
Windows 10 boolean search operators

Use the search command to retrieve events from indexes or filter the results of a previous search command in the pipeline. You can retrieve events from your indexes using keywords, quoted phrases, wildcards, and field-value expressions. The search command is implied at the beginning of any search. You do not need to specify the search command at the beginning of your search criteria. You can also use the search command later in the search pipeline to filter the results from the previous command in the pipeline. The search command can also be used in a subsearch. See about subsearches in the Search Manual.

After you retrieve events, you can apply commands to transform, filter, and report on the events. Use the vertical bar ( | ), or pipe character, to apply a command to the retrieved events. The search command supports IPv4 and IPv6 addresses and subnets that use CIDR notation.

Required arguments

Syntax: | | | NOT | | |
Description: Includes all keywords or field-value pairs used to describe the events to retrieve from the index. Use Boolean expressions, comparison operators, time modifiers, search modifiers, or combinations of expressions for this argument. The AND operator is always implied between terms and expressions. For example, web error is the same as web AND error. Specifying clientip=192.0.2.255 is the same as clientip=192.0.2.255 AND. So unless you want to include it for clarity reasons, you do not need to specify the AND operator.

Logical expression options

Syntax: | IN ()
Description: Compare a field to a literal value or provide a list of values that can appear in the field.

Syntax: "" | |
Description: Describe the events you want to retrieve from the index using literal strings and search modifiers.

Description: Describe the format of the starttime and endtime terms of the search.

Comparison expression options

Syntax: = | != | < | <= | > | >=
Description: You can use comparison operators when searching field/value pairs. Comparison expressions with the equal ( = ) or not equal ( != ) operator compare string values. Comparison expressions with the greater than or less than operators ( < > ) numerically compare two numbers and lexicographically compare other values.

Syntax:
Description: The name of a field.

Syntax:
Description: In comparison expressions, the literal number or string value of a field.

Syntax: )
Description: Used with the IN operator to specify two or more values. For example, use error IN (400, 402, 404, 406) instead of error=400 OR error=402 OR error=404 OR error=406.

Index expression options

Syntax: ""
Description: Specify keywords or quoted phrases to match. When searching for strings and quoted strings (anything that's not a search modifier), Splunk software searches the _raw field for the matching events or results.

Syntax: | | | | | | |
Description: Search for events from specified fields or field tags. For example, search for one or a combination of hosts, sources, source types, saved searches, and event types. Also, search for the field tag, with the format: tag::=. Read more about searching with default fields in the Knowledge Manager manual. Read more about using tags and field aliases in the Knowledge Manager manual.

Syntax: sourcetype=
Description: Search for events from the specified sourcetype field.

Syntax: host=
Description: Search for events from the specified host field.

Syntax: hosttag=
Description: Search for events that have hosts that are tagged by the string.

Syntax: eventtype=
Description: Search for events that match the specified event type.

Syntax: eventtypetag=
Description: Search for events that would match all eventtypes tagged by the string.

Syntax: savedsearch= | savedsplunk=
Description: Search for events that would be found by the specified saved search.

Syntax: source=
Description: Search for events from the specified source field.

Syntax: splunk_server=
Description: Search for events from a specific server.

Time options

For a list of time modifiers, see Time modifiers for search.

Syntax: timeformat=
Description: Set the time format for starttime and endtime terms.

Syntax: starttime= | endtime= | earliest= | latest=
Description: Specify start and end times using relative or absolute time. You can also use the earliest and latest attributes to specify absolute and relative time ranges for your search. For more about this time modifier syntax, see Specify time modifiers in your search in the Search Manual.

starttime
Syntax: starttime=
Description: Events must be later than or equal to this time.

endtime
Syntax: endtime=
Description: All events must be earlier than or equal to this time.

The search command is an event-generating command when it is the first command in the search, before the first pipe. When the search command is used further down the pipeline, it is a distributable streaming command.
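The following is an added example, written for this page and not code from Splunk or from the original post. It is a small Python evaluator that applies the search semantics described above to a handful of constructed events: the implied AND between terms, OR and NOT, IN as shorthand for a chain of OR'd equality tests, = and != comparing string values, < <= > >= comparing numerically when both sides are numbers and lexicographically otherwise, CIDR notation on IP-valued fields, and bare keywords matched against _raw. The case-insensitive matching of keywords and field values is an assumption made for this toy, the tokenizer and grammar are simplified, and the events, field names and hosts are all made up.

```python
import ipaddress
import re

# Tokens: quoted phrases, two-char operators, single punctuation, bare words.
TOKEN_RE = re.compile(r'"[^"]*"|!=|<=|>=|[=<>(),]|[^\s=<>!(),]+')
CMP_OPS = ("=", "!=", "<", "<=", ">", ">=")


class Parser:
    """Recursive-descent parser: OR has lowest precedence, AND is implied
    between adjacent terms (or written explicitly), NOT binds tightest."""

    def __init__(self, query):
        self.toks = TOKEN_RE.findall(query)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def expect(self, tok):
        if self.take() != tok:
            raise ValueError("expected " + tok)

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError("trailing tokens: " + " ".join(self.toks[self.i:]))
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.unary()
        while self.peek() not in (None, ")", "OR"):
            if self.peek() == "AND":      # explicit AND is optional
                self.take()
            node = ("and", node, self.unary())
        return node

    def unary(self):
        if self.peek() == "NOT":
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            self.expect(")")
            return node
        tok = self.take().strip('"')
        if self.peek() in CMP_OPS:        # field<op>value
            op = self.take()
            return ("cmp", tok, op, self.take().strip('"'))
        if self.peek() == "IN":           # field IN (v1, v2, ...)
            self.take()
            self.expect("(")
            vals = []
            while self.peek() != ")":
                vals.append(self.take().strip('"'))
                if self.peek() == ",":
                    self.take()
            self.expect(")")
            return ("in", tok, vals)
        return ("term", tok)              # keyword or quoted phrase


def _number(s):
    try:
        return float(s)
    except ValueError:
        return None


def match_value(actual, wanted):
    """'=' semantics: CIDR match for IP values, '*' wildcard, else string equality
    (case folding is this toy's assumption, not something the page states)."""
    if "/" in wanted:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
        except ValueError:
            pass
    if "*" in wanted:
        pattern = re.escape(wanted).replace(r"\*", ".*")
        return re.fullmatch(pattern, actual, re.IGNORECASE) is not None
    return actual.lower() == wanted.lower()


def compare(actual, op, wanted):
    if actual is None:                    # field absent from the event
        return False
    actual = str(actual)
    if op in ("=", "!="):
        hit = match_value(actual, wanted)
        return hit if op == "=" else not hit
    a, w = _number(actual), _number(wanted)
    if a is None or w is None:            # not both numeric: compare lexicographically
        a, w = actual, wanted
    return {"<": a < w, "<=": a <= w, ">": a > w, ">=": a >= w}[op]


def evaluate(node, event):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "not":
        return not evaluate(node[1], event)
    if kind == "term":                    # keywords are searched in _raw
        return node[1].lower() in event.get("_raw", "").lower()
    if kind == "cmp":
        return compare(event.get(node[1]), node[2], node[3])
    if kind == "in":                      # IN (...) is an OR chain of '=' tests
        return any(compare(event.get(node[1]), "=", v) for v in node[2])
    raise ValueError(kind)


def search(query, events):
    tree = Parser(query).parse()
    return [e for e in events if evaluate(tree, e)]


# Constructed sample events (made up for this example; not from any real system).
EVENTS = [
    {"_raw": "web request clientip=192.0.2.17 error=404", "clientip": "192.0.2.17", "error": "404", "host": "www1"},
    {"_raw": "web request clientip=198.51.100.9 error=200", "clientip": "198.51.100.9", "error": "200", "host": "www2"},
    {"_raw": "db error timeout clientip=192.0.2.250 error=500", "clientip": "192.0.2.250", "error": "500", "host": "db1"},
    {"_raw": "web request error=406 clientip=10.0.0.5", "clientip": "10.0.0.5", "error": "406", "host": "www3"},
]

if __name__ == "__main__":
    for q in ("web error", "error IN (400, 402, 404, 406)", "clientip=192.0.2.0/24",
              "error>=404 NOT host=db1", "error>5", "host>www1"):
        print(q, "->", [e["host"] for e in search(q, EVENTS)])
```

Note how `error>5` matches every event because both sides are numeric, while `host>www1` falls back to lexicographic order; an analyst writing a detection that compares status codes or counts should make sure the field is actually extracted as a number on both sides, or the comparison silently becomes a string comparison.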