Search log data using Splunk Processing Language
Grepr provides limited support for Splunk Processing Language (SPL).
For a full reference on SPL syntax, see the SPL Search Reference.
Supported SPL expressions
Grepr supports the search command only, which allows you to run basic search queries. Piped queries—where multiple search stages are chained using the pipe (|) operator—are also supported with some limitations.
Piping Commands
You can chain multiple search commands using the pipe (|) operator. Each stage filters the results from the previous stage:
search <expression1> | search <expression2> | ...
The first search command is optional, but subsequent search commands are required to filter results further.
Perform basic text search
A basic text search performs a full-text search across the message field of log entries:
search "text to search"
Search fields
The search command can also filter logs based on field values:
search field=value
Attributes and tags can be queried using the following formats:
attributes.attr=value
tags.tagKey=value
See Grepr processing model for more details on attributes and tags.
Field searches (e.g., field=value) apply to both attributes and tags and are equivalent to attributes.field=value OR tags.field=value.
If the value contains special characters or spaces, wrap it in double quotes:
search attributes.attr="double-quoted value"
search tags.tagKey="double-quoted value"
Wildcard searches
Use the asterisk (*) as a wildcard to match zero or more characters in field values:
search field=value*
Boolean operators
You can use AND, OR, and NOT to combine or modify search expressions:
search expression1 AND expression2
search expression1 OR expression2
search NOT expression
Unsupported commands and expressions
The following SPL features are not supported:
- Arithmetic operations: +, -, *, /, %
- Advanced SPL commands: stats, table, eval, where, sort, top, rex, fields, lookup, join, dedup, and others
- Subqueries
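When porting saved searches or detection queries from Splunk, it helps to check them against the piping rule and the unsupported list above before running them. The following pre-flight check is an added example, not Grepr's own code; the function names and sample queries are constructed. It assumes subqueries use SPL's square-bracket form and that quoted values contain no escaped quotes, and it does not check arithmetic, because * is also the wildcard.

```python
import re

# Commands this page names as unsupported; the page's "and others" is covered
# by rejecting every piped stage that does not start with `search`.
NAMED_UNSUPPORTED = {"stats", "table", "eval", "where", "sort", "top",
                     "rex", "fields", "lookup", "join", "dedup"}

def split_stages(query):
    """Split a query on pipes, ignoring pipes inside double-quoted values."""
    stages, buf, in_quotes = [], [], False
    for ch in query:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "|" and not in_quotes:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def check_query(query):
    """Return a list of problems; an empty list means the query fits the subset."""
    problems = []
    for n, stage in enumerate(split_stages(query), start=1):
        if not stage:
            problems.append(f"stage {n}: empty stage")
            continue
        cmd = stage.split(" ", 1)[0].lower()
        # Only the first stage may omit the `search` keyword.
        if n > 1 and cmd != "search":
            why = ("unsupported command" if cmd in NAMED_UNSUPPORTED
                   else "stage must start with 'search', got")
            problems.append(f"stage {n}: {why} '{cmd}'")
            continue
        body = stage[len(cmd):] if cmd == "search" else stage
        # Assumption: subqueries use SPL's square-bracket subsearch form.
        if re.search(r"[\[\]]", re.sub(r'"[^"]*"', '""', body)):
            problems.append(f"stage {n}: subquery is not supported")
    return problems

# Constructed sample queries (not from the page).
SAMPLES = [
    'search "authentication failed" | search tags.service=sshd NOT attributes.user=svc-*',
    'search attributes.msg="a | b" | stats count by host',
    'tags.env=prod | search [ search attributes.user=root ]',
]
if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", check_query(q) or "ok")
```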