QUICK REFERENCE GUIDE

This guide describes key concepts and Use the Field Extractor tool to automatically Aler ts
features, as well as commonly used generate and validate field extractions at search-
time using regular expressions or delimiters such Alerts are triggered when search results meet
commands and functions for Splunk as spaces, commas, or other characters. specific conditions. You can use alerts on
Cloud and Splunk Enterprise. historical and real-time searches. Alerts can be
Tags configured to trigger actions such as sending
Concepts A tag is a knowledge object that enables you to
alert information to designated email addresses
or posting alert information to a web resource
Events search for events that contain particular field

An event is a set of values associated with a

values. You can assign one or more tags to any
field/value combination, including event types,
Additional Features
timestamp. It is a single entry of data and can hosts, sources, and source types. Use tags to Datasets
have one or multiple lines. An event can be a group related field values together, or to track
text document, a configuration file, an entire abstract field values such as IP addresses or ID Splunk allows you to create and manage
stack trace, and so on. This is an example of an numbers by giving them more descriptive names. different kinds of datasets, including lookups,
event in a web activity log: data models, and table datasets. Table datasets
173.26.34.223 - - [01/ Index-Time and Search -Time are focused, curated collections of event data
Mar/2021:12:05:27 -0700] “GET /trade/ that you design for a specific business purpose.
During index-time processing, data is read from You can define and maintain powerful table
app?action=logout HTTP/1.1” 200 2953 a source on a host and is classified into a source datasets with Table Views, a tool that translates
You can also define transactions to search for type. Timestamps are extracted, and the data sophisticated search commands into simple UI
and group together events that are conceptually is parsed into individual events. Line-breaking editor interactions. It’s easy to use, even if you
related but span a duration of time. Transactions rules are applied to segment the events to have minimal knowledge of Splunk SPL.
can represent a multistep business-related display in the search results. Each event is
activity, such as all events related to a single written to an index on disk, where the event is Data Model
customer session on a retail website. later retrieved with a search request.
A data model is a hierarchically-organized
Metrics When a search starts, referred to as search-time, collection of datasets. You can reference
indexed events are retrieved from disk. Fields entire data models or specific datasets within
A metric data point consists of a timestamp and are extracted from the raw text for the event. data models in searches. In addition, you can
one or more measurements. It can also contain apply data model acceleration to data models.
dimensions. A measurement is a metric name Indexes Accelerated data models offer dramatic gains
and corresponding numeric value. Dimensions When data is added, Splunk software parses in search performance, which is why they are
provide additional information about the the data into individual events, extracts the often used to power dashboard panels and
measurements. Sample metric data point: timestamp, applies line-breaking rules, and essential on-demand reports.
Timestamp: 08-05-2020 16:26:42.025 stores the events in an index. You can create new
-0700 indexes for different inputs. By default, data is Apps
Measurement: metric_name:os.cpu. stored in the “main” index. Events are retrieved
user=42.12, metric_name:max.size. Apps are a collection of configurations,
kb=345 from one or more indexes during a search. knowledge objects, and customer designed
Dimensions: hq=us-west-1, views and dashboards. Apps extend the
group=queue, name=azd Core Features Splunk environment to fit the specific needs of
Metric data points and events can be organizational teams such as Unix or Windows
Repor ts system administrators, network security
searched and correlated together, but are
stored in separate types of indexes. Search is the primary way users navigate specialists, website managers, business
data in Splunk software. You can write a analysts, and so on. A single Splunk Enterprise
Hos t , Source, and Source Type search to retrieve events from an index, use or Splunk Cloud installation can run multiple
statistical commands to calculate metrics apps simultaneously.
A host is the name of the physical or virtual and generate reports, search for specific
device where an event originates. It can be used conditions within a rolling time window, Dis tributed Search
to find all data originating from a specific device. identify patterns in your data, predict future
A source is the name of the file, directory, data A distributed search provides a way to scale
trends, and so on. You transform the events your deployment by separating the search
stream, or other input from which a particular using the Splunk Search Process Language
event originates. Sources are classified into management and presentation layer from the
(SPL™). Searches can be saved as reports indexing and search retrieval layer. You use
source types, which can be either well known
and used to power dashboards. distribute search to facilitate horizontal scaling
formats or formats defined by the user. Some
common source types are HTTP web server for enhanced performance, to control access
Repor ts to indexed data, and to manage geographically
logs and Windows event logs.
Reports are saved searches. You can run dispersed data.
Events with the same source types can come reports on an ad hoc basis, schedule reports
from different sources. For example, events from to run on a regular interval, or set a scheduled System Components
the file source=/var/log/messages and from report to generate alerts when the results meet
a syslog input port source=UDP:514 often share particular conditions. Reports can be added to For warder s
the source type, sourcetype=linux _ syslog. dashboards as dashboard panels. A Splunk instance that forwards data to another
Fields Splunk instance is referred to as a forwarder.
Dashboards
Fields are searchable name and value pairings Dashboards are made up of panels that contain
Indexer
that distinguish one event from another. Not modules such as search boxes, fields, and data
all events have the same fields and field values. An indexer is the Splunk instance that indexes
visualizations. Dashboard panels are usually data. The indexer transforms the raw data into
Using fields, you can write tailored searches connected to saved searches. They can display
to retrieve the specific events that you want. events and stores the events into an index.
the results of completed searches, as well as The indexer also searches the indexed data in
When Splunk software processes events at data from real-time searches.
index-time and search-time, the software response to search requests. The search peers
extracts fields based on configuration file are indexers that fulfill search requests from the
definitions and user-defined patterns. search head.
 QUICK REFERENCE GUIDE

Search Head The search “error earliest=-1d@d latest=-

h@h” retrieves events containing “error” that Common Search Commands
In a distributed search environment, the search occurred yesterday snapping to the beginning
head is the Splunk instance that directs search of the day (00:00:00) and through to the most Command Description
requests to a set of search peers and merges recent hour of today, snapping on the hour.
Returns results in a tabular
the results back to the user. If the instance chart/
The snap to time unit rounds the time down. For output for (time-series)
does only search and not indexing, it is usually timechart
example, if it is 11:59:00 and you snap to hours charting.
referred to as a dedicated search head.
(@h), the time used is 11:00:00 not 12:00:00. You Removes subsequent
Search Processing can also snap to specific days of the week using
@w0 for Sunday, @w1 for Monday, and so on.
dedup results that match a
specified criterion.
Language (SPL) Calculates an expression.
Subsearches
A Splunk search is a series of commands and eval See COMMON EVAL
arguments. Commands are chained together A subsearch runs its own search and returns FUNCTIONS.
with a pipe “|” character to indicate that the the results to the parent command as the Removes fields from
output of one command feeds into the next argument value. The subsearch is run first and fields
search results.
command on the right. is contained in square brackets. For example,
Returns the first/last N
the following search uses a subsearch to find head/tail
search | command1 arguments1 | results.
command2 arguments2 | ... all syslog events from the user that had the last
login error: Adds field values from an
lookup
At the start of the search pipeline, is an external source.
implied search command to retrieve events sourcetype=syslog [ search login
error | return 1 user ] Renames a field. Use
from the index. Search requests are written rename wildcards to specify
with keywords, quoted phrases, Boolean Optimizing Searches multiple fields.
expressions, wildcards, field name/value pairs, Specifies regular
and comparison expressions. The AND operator The key to fast searching is to limit the data rex expression named groups
is implied between search terms. For example: that needs to be pulled off disk to an absolute to extract fields.
minimum. Then filter that data as early as
sourcetype=access _ combined error | Filters results to those
possible in the search so that processing is
top 5 uri search that match the search
done on the minimum data necessary. expression.
This search retrieves indexed web activity events
Partition data into separate indexes, if you will Sorts the search results by
that contain the term “error”. For those events, it
rarely perform searches across multiple types sort
returns the top 5 most common URI values. the specified fields.
of data. For example, put web data in one index,
Provides statistics,
Search commands are used to filter unwanted and firewall data in another. grouped optionally by
events, extract more information, calculate stats
Limit the time range to only what is needed. For fields. See COMMON
values, transform, and statistically analyze STATS FUNCTIONS.
example -1h not -1w, or earliest=-1d.
the indexed data. Think of the search results
Similar to stats but used on
retrieved from the index as a dynamically Search as specifically as you can. For example, mstats
metrics instead of events.
created table. Each indexed event is a row. fatal _ error not *error*
The field values are columns. Each search Specifies fields to keep in
command redefines the shape of that table. Use post-processing searches in dashboards. table the result set. Retains data
For example, search commands that filter in tabular format.
Use summary indexing, and report and data
events will remove rows, search commands model acceleration features. Displays the most/least
top/rare
that extract fields will add columns. common values of a field.
Machine Learning Capabilities
Groups search results into
Time Modif ier s transaction
Splunk’s Machine Learning capabilities are transactions.
You can specify a time range to retrieve events integrated across our portfolio and embedded Filters search results using
inline with your search by using the latest in our solutions through offerings such as the eval expressions. Used
and earliest search modifiers. The relative where
Splunk Machine Learning Toolkit, Streaming to compare two different
times are specified with a string of characters ML framework, and the Splunk Machine fields.
to indicate the amount of time (integer and Learning Environment.
unit) and an optional “snap to” time unit.
The syntax is: SPL2
[+|-]<integer><unit>@<snap _ time _ Several Splunk products use a new version
unit> of SPL, called SPL2, which makes the search
language easier to use, removes infrequently
used commands, and improves the
consistency of the command syntax.
See the SPL2 Search Reference.

Explore our full suite of products, or investigate the table below to find the specific starting point for your journey.
Or dive right in: Download the free trial and see for yourself what the Splunk platform can do for your data strategy.

Learn more: docs.splunk.com www.splunk.com

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and
other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved. 21-17506-Splunk-QuickReferenceGuide-121
 QUICK REFERENCE GUIDE

The eval command calculates an expression and puts the resulting value into a field (e.g. “...| eval
force = mass * acceleration”). The following table lists some of the functions used with the eval
Common Eval Functions command. You can also use basic arithmetic operators (+ - * / %), string concatenation (e.g., “...|
eval name = last . “,” . first”), and Boolean operations (AND OR NOT XOR < > <= >= != = == LIKE).
Function Description Examples
abs(X) Returns the absolute value of X. abs(number)
Takes pairs of arguments X and Y, where X arguments are case(error == 404, "Not found", error ==
case(X,"Y",…) Boolean expressions. When evaluated to TRUE, the arguments
return the corresponding Y argument.
500,"Internal Server Error", error == 200, "OK")

ceil(X) Ceiling of a number X. ceil(1.9)

cidrmatch("X",Y) Identifies IP addresses that belong to a particular subnet. cidrmatch("123.132.32.0/25",ip)
coalesce(X,…) Returns the first value that is not null. coalesce(null(), "Returned val", null())
cos(X) Calculates the cosine of X. n=cos(0)
Evaluates an expression X using double precision floating point
exact(X) exact(3.14*num)
arithmetic.
exp(X) Returns eX. exp(3)
If X evaluates to TRUE, the result is the second argument Y. If X
if(X,Y,Z) if(error==200, "OK", "Error")
evaluates to FALSE, the result evaluates to the third argument Z.
in(field,value- Returns TRUE if a value in “value-list” matches a value in “field”.
if(in(status, “404”,”500”,”503”),”true”,”false”)
list) You must use the “in” function inside the “if” function.
isbool(X) Returns TRUE if X is Boolean. isbool(field)
isint(X) Returns TRUE if X is an integer. isint(field)
isnull(X) Returns TRUE if X is NULL. isnull(field)
isstr() Returns TRUE if X is a string. isstr(field)
len(X) This function returns the character length of a string X. len(field)
like(X,"Y") Returns TRUE if and only if X is like the SQLite pattern in Y. like(field, "addr%")
Returns the log of the first argument X using the second
log(X,Y) argument Y as the base. Y defaults to 10.
log(number,2)

lower(X) Returns the lowercase of X. lower(username)

Returns X with the characters in Y trimmed from the left side. Y
ltrim(X,Y) defaults to spaces and tabs.
ltrim(" ZZZabcZZ ", " Z")

match(X,Y) Returns if X matches the regex pattern Y. match(field, "^\d{1,3}\.\d$")

max(X,…) Returns the maximum. max(delay, mydelay)
md5(X) Returns the MD5 hash of a string value X. md5(field)
min(X,…) Returns the minimum. min(delay, mydelay)
mvcount(X) Returns the number of values of X. mvcount(multifield)
mvfilter(X) Filters a multi-valued field based on the Boolean expression X. mvfilter(match(email, "net$"))

mvindex(X,Y,Z) Returns a subset of the multivalued field X from start position

(zero-based) Y to Z (optional).
mvindex(multifield, 2)

Given a multi-valued field X and string delimiter Y, and joins the

mvjoin(X,Y) individual values of X using Y.
mvjoin(address, ";")

now() Returns the current time, represented in Unix time. now()

null() This function takes no arguments and returns NULL. null()
Given two arguments, fields X and Y, and returns the X if the
nullif(X,Y) arguments are different. Otherwise returns NULL.
nullif(fieldA, fieldB)

Returns a pseudo-random number ranging from 0 to

random() 2147483647.
random()

relative _ Given epochtime time X and relative time specifier Y, returns

relative _ time(now(),"-1d@d")
time (X,Y) the epochtime value of Y applied to X.
Returns date with the month and day numbers
Returns a string formed by substituting string Z for every switched, so if the input was 4/30/2021 the
replace(X,Y,Z) return value would be 30/4/2021: replace(date,
occurrence of regex string Y in string X.
"^(\d{1,2})/(\d{1,2})/", "\2/\1/")
 QUICK REFERENCE GUIDE

Common Eval Functions (continued)

Function Description Examples
Returns X rounded to the amount of decimal places specified
round(X,Y) by Y. The default is to round to an integer.
round(3.5)

Returns X with the characters in Y trimmed from the right side.

rtrim(X,Y) If Y is not specified, spaces and tabs are trimmed.
rtrim(" ZZZZabcZZ ", " Z")

split(X,"Y") Returns X as a multi-valued field, split by delimiter Y. split(address, ";")

sqrt(X) Returns the square root of X. sqrt(9)
Returns epochtime value X rendered using the format specified
strftime(X,Y) by Y.
strftime( _ time, "%H:%M")

strptime(X,Y) Given a time represented by a string X, returns value parsed

from format Y.
strptime(timeStr, "%H:%M")

Returns a substring field X from start position (1-based) Y for Z

substr(X,Y,Z) (optional) characters.
substr("string", 1, 3)

time() Returns the wall-clock time with microsecond resolution. time()

Converts input string X to a number, where Y (optional, defaults
tonumber(X,Y) to 10) defines the base of the number to convert to.
tonumber("0A4",16)

Returns a field value of X as a string. If the value of X is a

number, it reformats it as a string. If X is a Boolean value,,
reformats to "True" or "False". If X is a number, the second This example returns: foo=615 and foo2=00:10:15:
tostring(X,Y) argument Y is optional and can either be "hex" (convert X … | eval foo=615 | eval foo2 = tostring(foo,
to hexadecimal), "commas" (formats X with commas and 2 “duration”)
decimal places), or "duration" (converts seconds X to readable
time format HH:MM:SS).
This example returns: “NumberStringBoolInvalid”:
typeof(X) Returns a string representation of the field type.
typeof(12)+ typeof(“string”)+
urldecode("https%3A%2F%2Fsummer-heart-0930.chufeiyun1688.workers.dev%3A443%2Fhttp%2Fwww.splunk.
urldecode(X) Returns the URL X decoded.
com%2Fdownload%3Fr%3Dheader")
Given pairs of arguments, Boolean expressions X and strings Y, validate(isint(port), "ERROR: Port is not an
validate| integer", port >= 1 AND port <= 65535, "ERROR:
returns the string Y corresponding to the first expression X that
(X,Y,…) evaluates to False and defaults to NULL if all are True. Port is out of range")

Common statistical functions used with the chart, stats, and timechart commands. Field names
Common Stats Functions can be wildcarded, so avg(*delay) might calculate the average of the delay and xdelay fields.
avg(X) Returns the average of the values of field X.

count(X) Returns the number of occurrences of the field X. To indicate a specific field value to match, format X as eval(field="value").

dc(X) Returns the count of distinct values of the field X.

earliest(X) Returns the chronologically earliest seen value of X.

latest(X) Returns the chronologically latest seen value of X.

max(X) Returns the maximum value of the field X. If the values of X are non-numeric, the max is found from alphabetical ordering.

median(X) Returns the middle-most value of the field X.

min(X) Returns the minimum value of the field X. If the values of X are non-numeric, the min is found from alphabetical ordering.

mode(X) Returns the most frequent value of the field X.

perc<X>(Y) Returns the X-th percentile value of the field Y. For example, perc5(total) returns the 5th percentile value of a field "total".

range(X) Returns the difference between the max and min values of the field X.

stdev(X) Returns the sample standard deviation of the field X.

stdevp(X) Returns the population standard deviation of the field X.

sum(X) Returns the sum of the values of the field X.

sumsq(X) Returns the sum of the squares of the values of the field X.

values(X) Returns the list of all distinct values of the field X as a multi-value entry. The order of the values is alphabetical.

var(X) Returns the sample variance of the field X.

 QUICK REFERENCE GUIDE

Search Examples
Filter Results Reporting (cont.)
Returns X rounded to the amount Return the average for each hour,
of decimal places specified by of any unique field that ends with … | stats avg(*lay) by
round(3.5)
Y. The default is to round to an the string "lay" (e.g., delay, xdelay, date _ hour
integer. relay, etc).
Returns X with the characters in Y Return the 20 most common
… | top limit=20 url
trimmed from the right side. If Y is values of the "url" field.
rtrim(" ZZZZabcZZ ", " Z")
not specified, spaces and tabs are
Return the least common values
trimmed. … | rare url
of the "url" field.
Returns X as a multi-valued field,
split(address, ";")
split by delimiter Y.
Advanced Reporting
Given pairs of arguments, Boolean validate(isint(port),
expressions X and strings Y, Compute the overall average
"ERROR: Port is not an ... | eventstats
returns the string Y corresponding duration and add 'avgdur' as a
integer", port >= 1 AND new field to each event where the avg(duration) as avgdur
to the first expression X that
evaluates to False and defaults to
port <= 65535, "ERROR: 'duration' field exists
NULL if all are True. Port is out of range")
... | streamstats
sum(bytes) as bytes _ total
Find the cumulative sum of bytes.
Group Results | timechart max(bytes _
total)
Cluster results together, sort by … | cluster t=0.9
their "cluster_count" values, and
sourcetype=nasdaq
showcount=true | sort Find anomalies in the field ‘Close_ earliest=-10y |
then return the 20 largest clusters
(in data size).
limit=20 -cluster _ count Price’ during the last 10 years. anomalydetection Close _
Price
Group results that have the same
"host" and "cookie", occur within Create a chart showing the count
… | transaction host of events with a predicted value ... | timechart count |
30 seconds of each other, and do
cookie maxspan=30s and range added to each event in predict count
not have a pause greater than 5
seconds between each event into
maxpause=5s the time-series.
a transaction. Computes a five event simple “... | timechart count |
Group results with the same IP moving average for field ‘count’
trendline sma5(count) as
address (clientip) and where the … | transaction clientip and write to new field ‘smoothed_
count.’
smoothed _ count”
first result contains "signon", startswith="signon"
and the last result contains endswith="purchase"
"purchase".
Metrics
| mcatalog values(metric _
Order Results List all of the metric names in the
name) WHERE index= _
“_metrics” metric index.
Return the first 20 results. … | head 20 metrics
See examples of the metric data | mpreview index= _
Reverse the order of a result set. … | reverse metrics target _ per _
points stored in the “_metrics”
Sort results by "ip" value (in metric index. timeseries=5
ascending order) and then by "url" … | sort ip, -url Return the average value of a
value (in descending order). | mstats avg(aws.ec2.
metric in the “_metrics” metric
CPUUtilization) WHERE
Return the last 20 results in index. Bucket the results into 30
… | tail 20 second time spans.
index= _ metrics span=30s
reverse order.

Reporting Add Fields

| mstats avg( _ value), … | eval
Set velocity to distance / time.
Return the average and count count( _ value) WHERE velocity=distance/time
using a 30 second span of all
metric _ name=”*.cpu. Extract "from" and "to" fields
metrics ending in cpu.percent
percent” by metric _ name using regular expressions. If a
split by each metric name. … | rex field= _ raw "From:
span=30s raw event contains "From: Susan
(?<from>.*) To: (?<to>.*)"
To: David", then from=Susan and
Return max(delay) for each value … | chart max(delay) over to=David.
of foo split by the value of bar. foo by bar
Save the running total of "count" … | accum count as
Return max(delay) for each value … | chart max(delay) over in a field called "total_count". total _ count
of foo. fo o
For each event where 'count'
Count the events by "host" … | stats count by host exists, compute the difference
… | delta count as
between count and its previous
Create a table showing the count … | stats sparkline count countdiff
value and store the result in
of events and a small line chart by host 'countdiff'.
Create a timechart of the count of … | timechart count by
from "web" sources by "host" host Filter Fields
Calculate the average value of … | timechart span=1m Keep only the "host" and "ip"
"CPU" each minute for each "host". avg(CPU) by host fields, and display them in that … | fields + host, ip
order.
Remove the “host” and “ip” fields
… | fields - host, ip
from the results.
 QUICK REFERENCE GUIDE

Search Examples (continued)

Lookup Tables (Splunk Enterprise only) Multi-Valued Fields
For each event, use the lookup Combine the multiple values of
table usertogroup to locate the the recipients field into a single … | nomv recipients
… | lookup usertogroup value
matching “user” value from the
user output group
event. Output the group field
Separate the values of the
value to the event
"recipients" field into multiple
… | makemv delim=","
recipients | top
Read in the usertogroup lookup field values, displaying the top recipients
… | inputlookup recipients
table that is defined in the
usertogroup
transforms.conf file.
Create new results for each value
… | mvexpand recipients
Write the search results to the of the multivalue field "recipients"
… | outputlookup users.csv
lookup file “users.csv”.
Find the number of recipient … | eval to _ count =
values mvcount(recipients)
Modify Fields Find the first email address in the … | eval recipient _ first
recipient field = mvindex(recipient,0)
Rename the "_ip" field as … | rename _ ip as
"IPAddress". IPAddress … | eval netorg _
Find all recipient values that end recipients = mvfilter
in .net or .org match(recipient,"\.net$")
Regular Expressions (Regexes) OR match(recipient,"\.org$"))
Find the index of the first … | eval orgindex =
Regular Expressions are useful in multiple areas: search commands regex recipient value match “\.org$” mvfind(recipient, "\.org$")
and rex; eval functions match() and replace(); and in field extraction.

Regex Note Example Explanation

Common Date and Time Formatting
\s white space \d\s\d digit space digit
Use these values for eval functions strftime() and strptime(), and for
digit non- timestamping event data.
\S not white space \d\S\d
whitespace digit
%H 24 hour (leading zeros) (00 to 23)
\d\d\d-\d\d-
\d digit
\d\d\d\d
SSN %I 12 hour (leading zeros) (01 to 12)

\D not digit \D\D\D three non-digits %M Minute (00 to 59)

%S Second (00 to 61)
word character
\w (letter, number, \w\w\w three word chars subseconds with width (%3N = millisecs,
%N
or _) Time %6N = microsecs, %9N = nanosecs)
not a word three non-word %p AM or PM
\W character
\W\W\W
chars
%Z Time zone (EST)
any included any char that is a
[...] character
[a-z0-9#]
thru z, 0 thru 9, or # Time zone offset from UTC, in hour and
%z
minute: +hhmm or -hhmm. (-0500 for EST)
no included any char but x, y,
[^...] character
[^xyz]
or z %s Seconds since 1/1/1970 (1308677092)

zero or more words %d Day of month (leading zeros) (01 to 31)

* zero or more \w*
chars %j Day of year (001 to 366)
+ one or more \d+ integer Days %w Weekday (0 to 6)
\d\d\d-?\d\d- SSN with dashes %a Abbreviated weekday (Sun)
? zero or one
?\d\d\d\d being optional
%A Weekday (Sunday)
word or digit
| or \w|\d
character %b Abbreviated month name (Jan)
Months %B Month name (January)
(?P<var> named (?P<ssn>\d\d\d- pull out a SSN and
...) extraction \d\d-\d\d\d\d) assign to 'ssn' field %m Month number (01 to 12)
(?: ... logical or atomic alphabetic %y Year without century (00 to 99)
) grouping
(?:[a-zA-Z]|\d)
character OR a digit Years
%Y Year (2021)
line begins with at
^ start of line ^\d+
least one digit
%Y-%m-%d 2021-12-31
%y-%m-%d 21-12-31
line ends with at
$ end of line \d+$
least one digit %b %d, %Y Jan 24, 2021
Examples
number of %B %d, %Y January 24, 2021
{...} repetitions
\d{3,5} between 3-5 digits
q|%d %b '%y
escape the [ = %Y-%m- q|25 Feb '21 = 2021-02-25|
\ escape \[ %d|
character

For more info visit: docs.splunk.com

270 Brannan St., San Francisco, CA 94107 | info@splunk.com | sales@splunk.com | 866-438-7758 | 415-848-8400 | splunkbase.splunk.com

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and www.splunk.com
other countries. All other brand names, product names or trademarks belong to their respective owners. © 2021 Splunk Inc. All rights reserved. 21-17506-Splunk-QuickReferenceGuide-121