look for date_wday="wednesday", we are looking for a specific value in a specific field,
so we need to specify the field name as well as the value. It is a good idea to
put the search term in quotes, but this is only required when the value you are searching for
contains whitespace or special characters.
The next search will show the difference between using the implied AND and specifying
OR in a search. This is important to understand as you continue to learn about searching
in Splunk:
1. Suppose that you want to try to track down all instances of failed passwords that
were coming into the system.
2. Click on the Splunk icon in the top left-hand corner of the screen to go back to the
home page.
3. If you type in the word fail, you might be surprised when you get no results.
The reason is that Splunk indexes each event as a set of terms split on breaker
characters (whitespace and most punctuation), and a bare search term must match a
whole indexed term exactly. So fail does not match failed or any other variant
of fail that you might expect it to pick up.
4. Now type in fail* and search and you will get a different result. The trailing
asterisk is a wildcard, so this time you'll see thousands of events that contain
failed. Since you are interested specifically in failed passwords, narrow the
search to the terms failed password. Note the number of events in the upper
left-hand corner.
Note
There is an implied AND between the terms of a Splunk search: every term must
match. To get results that match either of two different terms, put an explicit OR
between them.
5. Imagine that you want to look at the events where there was a failed password for
the users myuan and harrison. If you put in failed password myuan harrison, you
will get no results because of the implied AND (no single event can be for a user
who is both myuan and harrison at the same time). But if you put an OR between myuan
and harrison, that is, failed password myuan OR harrison, Splunk returns all
failed-password events for either user. OR binds more tightly than the implied AND,
so this search is read as failed AND password AND (myuan OR harrison); writing
failed password (myuan OR harrison) says the same thing explicitly and is safer
in longer searches.
Note
If, for some reason, you get no results for either of these users, it probably means
that the fictional users had no events. In this case, just do a simple search on the