The Search Cave • Room 2

Basic Search Syntax

Searches in Splunk are written in SPL (Search Processing Language). The first terms of a search decide how much data Splunk has to read before any later filter is applied, so start every search with an index (index=...) and, where you can, a sourcetype or host to narrow the scope.

Keywords and command names are case-insensitive. Field names are case-sensitive (status=200 and Status=200 refer to different fields), while field values matched with field=value in the search command are case-insensitive; comparisons made later in eval or where are case-sensitive. The boolean operators AND, OR and NOT must be written in uppercase. A lowercase and, or or not is not treated as an operator but as an ordinary keyword, so a search containing "not" silently looks for events that contain the word "not" instead of excluding anything, which is an easy way to break a detection without getting an error.

Use the wildcard (*) to match part of a word or value, for example action=purchase* matches purchase, purchases and purchase_confirm. A leading wildcard (*purchase) cannot use the index and forces Splunk to scan every event in the time range, so place wildcards at the end of a term where possible.

Example Search
index=web_logs status=200 action=purchase*
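To make the case and wildcard rules concrete, the following is an added example written for this page, not Splunk code: a tiny evaluator that applies Splunk's documented rules (keywords and field values case-insensitive, field names and the AND/OR/NOT operators case-sensitive, * as a wildcard, evaluation order NOT, then OR, then AND) to a handful of constructed events. The events, their field names and the simple term tokenizer are assumptions made for the demonstration; real Splunk tokenizes raw text on its own breaker rules and matches against indexed terms.

```python
"""Simplified model of how Splunk's search command treats case and wildcards.

Written for this page to illustrate the rules above; it is not Splunk code.
Term tokenization (split on whitespace, '=' and '/') is a rough stand-in for
Splunk's indexed terms.
"""
import fnmatch
import re

# Constructed sample events (made up for this example; not from a real index).
EVENTS = [
    {"_id": 1, "index": "web_logs", "status": "200", "action": "purchase_confirm",
     "user": "alice",
     "_raw": "10.0.0.5 GET /checkout status=200 action=purchase_confirm user=alice"},
    {"_id": 2, "index": "web_logs", "status": "200", "action": "Purchase",
     "user": "bob",
     "_raw": "10.0.0.6 POST /cart status=200 action=Purchase user=bob"},
    {"_id": 3, "index": "web_logs", "status": "200", "action": "view_item",
     "user": "carol",
     "_raw": "10.0.0.7 GET /item/42 status=200 action=view_item user=carol"},
    {"_id": 4, "index": "web_logs", "status": "403", "action": "purchase_confirm",
     "user": "mallory",
     "_raw": "10.0.0.8 POST /checkout status=403 action=purchase_confirm user=mallory"},
    {"_id": 5, "index": "auth", "status": "200", "action": "login",
     "user": "alice",
     "_raw": "10.0.0.5 login status=200 action=login user=alice"},
]


def raw_terms(event):
    """Approximate Splunk's indexed terms by splitting _raw on simple breakers."""
    return [t for t in re.split(r"[\s=/]+", event["_raw"]) if t]


def term_matches(event, term):
    """Match one search term against one event using Splunk's case rules."""
    if "=" in term:
        name, _, pattern = term.partition("=")
        value = event.get(name)  # field NAME lookup is case-sensitive: Status != status
        if value is None:
            return False
        # Field VALUE comparison is case-insensitive; '*' is a wildcard.
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    # Bare keyword: case-insensitive match against any term, wildcards allowed.
    pattern = term.lower()
    return any(fnmatch.fnmatchcase(t.lower(), pattern) for t in raw_terms(event))


def parse(query):
    """Split a query into AND-ed groups of OR-ed terms (Splunk order: NOT, OR, AND).

    Only the uppercase tokens AND, OR and NOT are operators; 'and', 'or' and
    'not' fall through and become ordinary keywords, exactly as in Splunk.
    Parentheses are not supported in this model.
    """
    groups = []          # list of OR-groups; each group is a list of (negated, term)
    pending_or = False
    negate = False
    for tok in query.split():
        if tok == "AND":
            continue     # implicit AND between groups
        if tok == "OR":
            pending_or = True
            continue
        if tok == "NOT":
            negate = True
            continue
        if pending_or and groups:
            groups[-1].append((negate, tok))   # OR binds the term to the previous group
        else:
            groups.append([(negate, tok)])
        pending_or = False
        negate = False
    return groups


def run_search(query, events=EVENTS):
    """Return the _id of every event the query matches, in event order."""
    groups = parse(query)
    return [
        event["_id"]
        for event in events
        if all(any(term_matches(event, t) != negated for negated, t in group)
               for group in groups)
    ]


if __name__ == "__main__":
    for q in [
        "index=web_logs status=200 action=purchase*",      # page's example search
        "index=web_logs Status=200",                        # wrong case in a field name
        "index=web_logs status=200 NOT action=purchase*",   # operator
        "index=web_logs status=200 not action=purchase*",   # 'not' is just a keyword
        "index=web_logs PURCHASE*",                         # keywords ignore case
        "index=web_logs status=403 OR index=auth",          # OR binds before AND
    ]:
        print(f"{q!r:55} -> {run_search(q)}")
```

The two NOT searches are the ones worth comparing: the uppercase form excludes the purchase events and returns event 3, while the lowercase form returns nothing at all, because no event contains the literal term "not". The last query shows the evaluation order: status=403 OR index=auth is grouped first, then AND-ed with index=web_logs, so the auth event is not returned.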

Knowledge Check

Which of these is case-sensitive in SPL?
A. Keywords
B. Boolean operators (AND, OR)
C. Command names
D. All of the above