Splunk federated search syntax
This topic provides a reference for the Search Processing Language (SPL) operators and syntax supported by Imply Lumi in Splunk® federated search.
To set up the federated search integration and run queries, see Set up federated search.
Supported syntax
Use the following operators and syntax in federated search queries to filter events, compare values, and combine conditions.
If your search term includes a space, enclose it in double quotes ("").
For supported commands and functions, and more detailed examples, see Federated search reference.
| Operator/Syntax | Use | Example |
|---|---|---|
| = | Equal to | status=200 |
| != | Not equal to | status!=200 |
| > | Greater than | count>400 |
| >= | Greater than or equal to | total_events>=5000 |
| < | Less than | host_event_count<100 |
| <= | Less than or equal to | percent<=50 |
| "" | Search for an exact phrase | #processor="ec 20250806.1487.0" |
| * | Wildcard matching | uri=*policy* |
| AND | Match both conditions | method=GET AND status=404 |
| OR | Match either or both conditions | status=500 OR level=error |
| NOT | Exclude results that match a condition | uri NOT /orders |
| XOR | Return true when exactly one of the inputs is true | method=PUT XOR status=400 |
| CASE | Make case-sensitive | CASE(Intel) |
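As an added example, not code from the Imply documentation or the Lumi product, the following Python evaluator applies the operators in the table above (comparisons, the `*` wildcard, quoted phrases, AND/OR/NOT/XOR and CASE()) to a few constructed events, so you can check what a query should return before running it federated. The precedence order (NOT, then AND, XOR, OR) and the case-insensitive default are assumptions of this toy evaluator, not a statement of how Lumi parses queries.

```python
import fnmatch
import re
import shlex

EVENTS = [  # constructed sample events, not from the page; values are strings as in raw events
    {"method": "GET", "status": "404", "uri": "/api/policy/1", "level": "info"},
    {"method": "PUT", "status": "400", "uri": "/orders/7", "level": "error"},
    {"method": "get", "status": "500", "uri": "/orders/8", "level": "error"},
]
COMPARE = re.compile(r"^([^=!<>]+)(!=|>=|<=|=|>|<)(.*)$")

def _text_match(actual, wanted):
    case = re.fullmatch(r"CASE\((.*)\)", wanted)  # CASE(x): case-sensitive; otherwise fold case
    actual, wanted = (actual, case.group(1)) if case else (actual.lower(), wanted.lower())
    return fnmatch.fnmatchcase(actual, wanted)  # '*' is the wildcard

def _atom(event, token):
    m = COMPARE.match(token)
    if not m:  # bare term: match against any field value
        return any(_text_match(v, token) for v in event.values())
    field, op, wanted = m.groups()
    actual = event.get(field)
    if actual is None:  # missing field never matches, not even field=*
        return False
    try:  # numeric comparison when both sides parse as numbers
        a, w = float(actual), float(wanted)
        return {"=": a == w, "!=": a != w, ">": a > w, ">=": a >= w, "<": a < w, "<=": a <= w}[op]
    except ValueError:  # otherwise text match; ordering operators need numbers
        hit = _text_match(actual, wanted)
        return hit if op == "=" else (not hit if op == "!=" else False)

def _evaluate(event, tokens):
    pos = 0
    def parse(level):  # precedence, lowest first: OR, XOR, AND, then NOT and atoms
        nonlocal pos
        if level == 3:
            tok, pos = tokens[pos], pos + 1
            return not parse(3) if tok == "NOT" else _atom(event, tok)
        op = ("OR", "XOR", "AND")[level]
        result = parse(level + 1)
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = parse(level + 1)
            result = (result or rhs) if op == "OR" else (result != rhs) if op == "XOR" else (result and rhs)
        return result
    return parse(0)

def search(query, events=EVENTS):
    # shlex.split keeps a quoted phrase such as processor="ec 2025" as one token and drops the quotes
    return [e for e in events if _evaluate(e, shlex.split(query))]
```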
Learn more
See the following topics for more information:
- Federated search reference to walk through performing federated queries on Lumi events.
- Monitor federated search performance for information on examining aspects of a search.
- Search events with Lumi for information on searching events in Lumi.