Skip to main content

Splunk federated search syntax

This topic provides a reference for the Search Processing Language (SPL) operators and syntax supported by Imply Lumi in Splunk® federated search.

To set up the federated search integration and run queries, see Set up federated search.

Supported syntax

Use the following operators and syntax in federated search queries to filter events, compare values, and combine conditions. If your search term includes a space, enclose it in double quotes (").

For supported commands and functions, and more detailed examples, see Federated search reference.

Operator/SyntaxUseExample
=Equal tostatus=200
!=Not equal tostatus!=200
>Greater thancount>400
>=Greater than or equal tototal_events>=5000
<Less thanhost_event_count<100
<=Less than or equal topercent<=50
""Search for an exact phrase#processor="ec 20250806.1487.0"
*Wildcard matchinguri=*policy*. See Wildcard matching for more information.
ANDMatch both conditionsmethod=GET AND status=404
ORMatch either or both conditionsstatus=500 OR level=error
NOTExclude results that match a conditionuri NOT /orders
INMatch any value from a listmethod IN (GET,POST)
XORReturn true when exactly one of the inputs is truemethod=PUT XOR status=400
CASEMake case-sensitiveCASE(Intel)

Wildcard matching

Use * (asterisk) as a wildcard to match any characters within quoted search phrases. For example:

  • uri_path=/admin* matches admin pages and child pages.
  • user=CASE(*admin*) find users with admin in lowercase.
  • useragent=*bot* finds web crawlers and bots.
  • clientip=192.168.* locates internal network traffic.
  • useragent=*"Intel Mac"* finds the phrase Intel Mac.
  • method="POST" AND uri=*/login* finds login attempts.

Note that you can't search for the asterisk character directly because the character is reserved as a wildcard. See Searching for the asterisk character for more information.

Learn more

See the following topics for more information: