A technical troubleshooting blog about Oracle with other Databases & Cloud Technologies.

Basic Search: SPLUNK

Meta-Data:

The metadata fields generally form the first part of the search. As a best practice, always include these 4 fields in the first line of the query. This is not mandatory, but adding them is always better from a Splunk search performance perspective, because they narrow the set of events Splunk has to read before any keyword matching happens.

1. INDEX: the repository in Splunk where your data resides.
2. HOST: the name of the server on which your logs are hosted.
3. SOURCETYPE: a source type determines how the Splunk platform formats the data during the indexing process. A sourcetype describes a kind of data.
4. SOURCE: the exact log file you want to search.
5. Time: the timeframe over which you are running the query.
Keyword/Phrase:

Search for a single-word keyword by typing the word itself, e.g. error.
Search for a multi-word phrase by enclosing it in double quotes, e.g. “Web Error”. Note that this is different from “Web” and “Error” as two separate keywords: the quoted form only returns events where Web Error appears as a contiguous phrase, while the two separate keywords match any event containing both words anywhere.
Boolean/Operation:

* OR: When you want to include either of the two keywords.
E.g.: “Error” OR “Exception”
* AND: When you want to include both of the given keywords.
E.g.: “Error” AND “Exception”
* NOT: When you want to exclude a particular keyword.
E.g.: NOT “Success”

Note: These Boolean operators can be used in combination as well, with parentheses controlling the grouping. E.g.: (“Error” OR “Exception”) NOT “Success”
Wildcards:

Wildcards are used when we are not sure of the complete term. They are also used to include all similar entities in one search.
In Splunk, the wildcard character is *.
E.g.: If we have a set of 10 log files named server1.log, server2.log, server3.log, etc., we can include all 10 files by writing “server*.log”.

Note: A wildcard can be used anywhere in the keyword, but it is recommended not to use one at the beginning (e.g. “*error”), because a leading wildcard cannot use the index and forces a much slower scan.
Comparison:

Splunk also allows comparison expressions to compare a field against a value. The available comparison operators are:
=, !=, <, <=, >, >=
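To make the points above concrete, the following is a small Python model of how a basic search filters events, added here as an illustration rather than Splunk's own code: it applies the metadata fields first, then a quoted phrase versus separate keywords, a Boolean combination with NOT, a wildcard on source, and a comparison on a field. The events, the field names and the `search`/`has_phrase`/`has_terms` helpers are all constructed for this example, and substring matching is only an approximation of Splunk's token-based matching.

```python
import fnmatch

# Constructed sample events (not from the original post): each dict is one
# indexed event carrying the metadata fields the post lists plus the raw text.
EVENTS = [
    {"index": "web", "host": "web01", "sourcetype": "access_combined",
     "source": "/var/log/server1.log", "status": 500,
     "_raw": "Web Error: upstream timed out"},
    {"index": "web", "host": "web01", "sourcetype": "access_combined",
     "source": "/var/log/server2.log", "status": 200,
     "_raw": "Error page served for Web request: Success"},
    {"index": "web", "host": "app01", "sourcetype": "app_log",
     "source": "/var/log/app.log", "status": 503,
     "_raw": "Exception in request handler"},
]

def has_phrase(raw, phrase):
    """Quoted phrase ("Web Error"): the words must appear together, in order."""
    return phrase.lower() in raw.lower()

def has_terms(raw, *terms):
    """Unquoted keywords (Web AND Error): each word anywhere, in any order.
    Substring matching here is a simplification of Splunk's token matching."""
    return all(t.lower() in raw.lower() for t in terms)

def search(events, index=None, host=None, sourcetype=None, source=None,
           where=lambda ev: True):
    """Apply the metadata filters first, then the keyword/boolean predicate."""
    meta = {"index": index, "host": host, "sourcetype": sourcetype}
    hits = []
    for ev in events:
        if any(want and ev[field] != want for field, want in meta.items()):
            continue
        # source accepts the * wildcard, e.g. "*/server*.log" for server1.log ...
        if source and not fnmatch.fnmatchcase(ev["source"], source):
            continue
        if where(ev):
            hits.append(ev)
    return hits

def demo_counts():
    """Hit counts for the searches discussed in the post, run over EVENTS."""
    return {
        "phrase": len(search(EVENTS, index="web", where=lambda e: has_phrase(e["_raw"], "Web Error"))),
        "keywords": len(search(EVENTS, index="web", where=lambda e: has_terms(e["_raw"], "Web", "Error"))),
        # ("Error" OR "Exception") NOT "Success"
        "boolean": len(search(EVENTS, where=lambda e: (has_terms(e["_raw"], "Error") or has_terms(e["_raw"], "Exception")) and not has_terms(e["_raw"], "Success"))),
        "wildcard": len(search(EVENTS, source="*/server*.log")),
        "compare": len(search(EVENTS, where=lambda e: e["status"] >= 500)),
    }
```

Running `demo_counts()` shows the phrase search matching only the first event while the two separate keywords also match the second, which is exactly the distinction the Keyword/Phrase section draws.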