Run an SPL2 search in the Search bar

Use the Search bar to run standalone, ad hoc SPL2 searches that you don't plan to reuse.

You can use the Search bar in the Search & Reporting app to write and run SPL2 searches. The Search bar is ideal for standalone searches that you don't plan to reuse.

Note: If you want to reuse this search in subsequent searches, share it with other users on the same Splunk platform deployment, or import and use resources from other searches, then you must use the SPL2 module editor instead of the Search bar. For more information, see Create an SPL2 module.

  1. From the Splunk Home page, select Search & Reporting in the Apps panel.
  2. On the Search page, set the language picker to SPL2.
  3. In the Search bar, enter your search using SPL2.

    The following are a few examples of valid SPL2 searches. SPL2 supports SPL-like syntax through the search command, and SQL-like syntax through the from command.

    Example scenario | SPL-like syntax | SQL-like syntax

    Search an index named main.

    Search an index named main, and filter the data for events where the value of the status field is 200 and the value of the host field is www2. In the search results, only include the fields named _time, _raw, productId, and categoryId.

    Search an index named main, and return the total value of the bytes field for each distinct clientip value in the data. In addition to the aggregated bytes values and the clientip field, also include the _time and _raw fields.

    Be aware of the following:
    • When you use SPL-like syntax in the Search bar, if the first expression in your search is anything other than an index expression in the format index=<index_name>, you must include the search command at the beginning of the search. For example, instead of 404 index=error_logs, you must enter search 404 index=error_logs.

    • If you run a search that drops the _time field or the _raw field from your search results, then the Timeline and Events viewer elements of the Search page will not display as expected. For examples of searches that can prevent or cause this issue, see Drop event fields.

  4. To run your search, do the following:
    1. Confirm that the time range picker is set to an appropriate time range for your search.
    2. Select the Search icon or select Enter.

Your search results appear on the page.
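
The three example scenarios from step 3, written out in both syntaxes. This is an added example, not the documentation's own table: the index and field names come from the scenario descriptions, and grouping by _time and _raw in the third scenario is an assumption about how to keep those fields in the results. Each search is a separate search, so enter them one at a time.

```spl2
// Scenario 1: search an index named main.
// SPL-like syntax (the search starts with an index expression,
// so the search command is not required):
index=main
// SQL-like syntax:
from main

// Scenario 2: keep events where status is 200 and host is www2,
// and return only _time, _raw, productId, and categoryId.
// SPL-like syntax:
index=main status=200 host=www2 | fields _time, _raw, productId, categoryId
// SQL-like syntax (string literals in a where clause take double quotes;
// an unquoted www2 would be read as a field name):
from main where status=200 and host="www2" select _time, _raw, productId, categoryId

// Scenario 3: total the bytes field by clientip.
// _time and _raw are added to the grouping so that they stay in the
// results and the Timeline and Events viewer still have them to display.
// The sum is therefore computed per clientip, _time, _raw combination.
// SPL-like syntax:
index=main | stats sum(bytes) by clientip, _time, _raw
// SQL-like syntax:
from main group by clientip, _time, _raw select sum(bytes), clientip, _time, _raw

// The first expression here is the term 404, not an index expression,
// so the search command must lead the search:
search 404 index=error_logs
```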

For more information about how to write SPL2 searches, see the following documentation: