Learn Splunk in 10 Days

Day 3: Search Basics

What You Will Learn Today

  • SPL syntax fundamentals
  • Keyword search and field search
  • Specifying time ranges
  • Pipes and command chaining
  • Essential commands: table, fields, rename, sort, dedup

SPL Syntax Fundamentals

SPL (Search Processing Language) is Splunk's query language.

search terms | command1 | command2 | command3
[Diagram: Search Terms (filter events) -> Command 1 (transform data) -> Command 2 (aggregate / filter) -> Command 3 (format output), each stage joined by a pipe]

The Two Phases of a Search

Phase            Description                      Example
Search phase     Retrieves events from the index  index=main ERROR
Transform phase  Processes data after the pipe

Performance tip: Specify as many conditions as possible in the search phase to reduce the number of events that need processing.
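An added example, not part of the original lesson, that puts each filter in the phase where it belongs. The index, sourcetype and field names follow the page's access_combined examples; the threshold of 20 errors per client is an arbitrary constructed value.

```spl
# Search phase: everything before the first pipe is resolved against the index.
# Index, sourcetype, time bounds and the status filter all belong here so that
# only matching events are read from disk in the first place.
index=main sourcetype=access_combined status>=400 earliest=-7d@d latest=@d

# Transform phase: the pipe hands those events to commands that reshape them.
# fields drops everything but clientip early, so less data travels through the
# pipeline; stats collapses the events into one row per client; only after that
# can a filter be applied to "count", a field that does not exist until stats
# creates it. Clients with many failed requests are then listed, noisiest first.
| fields clientip
| stats count BY clientip
| search count>20
| sort -count
```

The filter on count is the one condition that genuinely has to live after the pipe; every other condition in this query is cheaper in the search phase.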


Keyword Search

Basic Search

error

Searches all indexes for events containing "error" (case-insensitive).

AND / OR / NOT

error AND login
error OR warning
error NOT timeout

# AND is implicit -- terms separated by spaces are ANDed together
error login

Wildcards

fail*          # fail, failed, failure, ...
*exception*    # NullPointerException, ...

Exact Match (Quotes)

"failed login attempt"    # Search for the entire phrase
"status=404"              # Exact match

Field Search

You can search by specifying field names directly.

index=main
index=main sourcetype=syslog
index=main host=web-server-01
index=main status=500
index=main user=alice action=login

Field Comparison Operators

status=200          # Equal to
status!=200         # Not equal to
status>400          # Greater than
status>=400         # Greater than or equal to
status<300          # Less than
status<=299         # Less than or equal to

Specifying Multiple Values

# Using OR
status=404 OR status=500 OR status=503

# Using IN (recommended)
status IN (404, 500, 503)

Time Ranges

Time Picker

The Web UI provides a visual time picker for setting the search window.

Specifying Time in SPL

index=main earliest=-1h            # Last hour
index=main earliest=-24h latest=now # Last 24 hours
index=main earliest=-7d@d          # Last 7 days (snapped to day boundary)
index=main earliest="01/30/2026:00:00:00"  # Absolute time

Time Modifiers

Modifier  Unit               Example
s         Seconds            -30s
m         Minutes            -15m
h         Hours              -1h
d         Days               -7d
w         Weeks              -1w
mon       Months             -1mon
@         Snap (round down)  -1d@d (midnight yesterday)

Snap Examples

earliest=-1d@d latest=@d    # All of yesterday
earliest=@w0                # Since Sunday of this week
earliest=-1mon@mon          # Since the first of last month

Essential Commands

table

Displays specified fields in a tabular format.

index=main sourcetype=access_combined
| table _time, clientip, method, uri, status

fields

Limits which fields are retained (also improves performance).

index=main
| fields host, source, sourcetype, _time
# Exclude specific fields
index=main
| fields - _raw, _time

Command  Purpose                    Key Difference
table    Format output as a table   Controls display order and layout
fields   Select or exclude fields   Optimizes performance by reducing data

rename

Renames fields.

index=main
| rename clientip AS "Client IP", status AS "Status Code"
| table "Client IP", "Status Code"

sort

Sorts results.

# Ascending (default)
index=main
| table _time, status
| sort status

# Descending
index=main
| table _time, status
| sort -status

# Multiple fields
index=main
| table host, status, _time
| sort host, -status

# Top N results
index=main
| sort 10 -status

dedup

Removes duplicate events, keeping only the first result seen for each distinct value of the specified field(s).

# Keep only the latest event per host
index=main
| dedup host
| table host, _time, status

# Deduplicate on multiple fields
index=main
| dedup host, status
| table host, status, _time

head / tail

Returns the first or last N events.

index=main
| head 10     # First 10 events

index=main
| tail 5      # Last 5 events

Search Modes

Mode     Description                 Use Case
Fast     Minimizes field discovery   Checking event counts quickly
Smart    Automatic optimization      General use (default)
Verbose  Extracts all fields         Exploring available fields

Recommendation: Use Smart mode for everyday searches, and switch to Fast mode when you need better performance.


Search Best Practices

[Diagram: Search Optimization Tips -- Narrow the time range (earliest=-1h) -> Specify the index (index=main) -> Filter on fields (status=500) -> Limit results (head 100)]

  1. Narrow the time range as much as possible
  2. Always specify index in your search
  3. Filter early using keywords and fields
  4. Use the fields command to drop unnecessary fields
  5. Use head to limit results while developing queries

Hands-On: Analyzing Web Access Logs

# 1. Search for error events
index=main sourcetype=access_combined status>=400

# 2. Display errors in a table sorted by time
index=main sourcetype=access_combined status>=400
| table _time, clientip, method, uri, status
| sort -_time

# 3. Count events by status code
index=main sourcetype=access_combined
| stats count by status
| sort -count

# 4. Show unique URIs
index=main sourcetype=access_combined status=200
| dedup uri
| table uri
| sort uri

# 5. Display the last 100 access logs with renamed columns
index=main sourcetype=access_combined
| head 100
| table _time, clientip, method, uri, status
| rename clientip AS "IP", method AS "Method", uri AS "URI", status AS "Status"

Summary

Concept          Description
Keyword search   Find events containing specific text
Field search     Filter with field=value
AND / OR / NOT   Boolean operators
IN               Match against multiple values
Pipe (|)         Chain commands together
table            Display results in tabular format
fields           Select or exclude fields
sort             Order results
dedup            Remove duplicates
head / tail      Limit result count

Key Takeaways

  1. Always specify index to improve search performance
  2. Field searches are more efficient than keyword searches
  3. Use pipes to process data in stages
  4. Narrow the time range to reduce search cost

Exercises

Exercise 1: Basic

Search index=main for events from the last 24 hours and display _time, host, and sourcetype in a table.

Exercise 2: Applied

Search for events with status codes 400 or above, deduplicate by clientip, and display a sorted list of unique IP addresses.

Challenge

Write an SPL query that retrieves only the most recent event per host from the last 7 days, displaying host, _time, and sourcetype in a table.


Next up: In Day 4, you will learn about fields and filtering -- using eval, where, and rex to transform and filter your data.