https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626850#M217858 <P>This is the defining document:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#search" target="_blank" rel="noopener">search</A>; I would pay special attention under <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Logical_expression_options" target="_blank" rel="noopener">Logical expression options</A>,&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Comparison_expression_options" target="_blank" rel="noopener">Comparison expression options</A>,&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Quotes_and_escaping_characters" target="_blank" rel="noopener">Quotes and escaping characters</A>, and <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#The_implied_search_command" target="_blank" rel="noopener">The implied search command</A>.&nbsp; In addition to white space and double quotation mark (") which are obvious, any unquoted occurrence of parentheses ("(" and ")", unquoted), equal (=), less-than (&lt;), and greater-than (&gt;) will be interpreted by SPL as part (or whole) of an operator; any unquoted occurrence of pipe (|) is interpreted as command separator; select unquoted backslash sequences are interpreted by SPL, e.g., \", \|, and \\; unquoted asterisk (*) is interpreted as wildcard. &nbsp; Also look at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Typesofcommands#collapseDesktop7" target="_blank" rel="noopener">Subsearches</A>. &nbsp;Any unquoted occurrence of left square bracket ([) is interpreted as the beginning of a subsearch; unquoted right square bracket (]) is considered the ending of a subsearch.</P><P data-unlink="true">Other than these, any character in a string is considered a literal string. &nbsp;This is why <FONT face="andale mono,times">index=</FONT><FONT face="andale mono,times">WinEventLog:System</FONT>, or even <FONT face="andale mono,times">index =&nbsp;WinEventLog:System</FONT> is equivalent to <FONT face="andale mono,times">index="WinEventLog:System"</FONT>. &nbsp;Yes, you can even name your source WinEventLog!System, WinEventLog/System, WinEventLog\System,&nbsp;WinEventLog\/System,&nbsp;even WinEventLog@System or WinEventLog&amp;System and not quote it.</P><P data-unlink="true">Even in the search document itself, some examples include unquoted strings that could be unsafe in some other contexts. &nbsp;For example,</P><BLOCKQUOTE>The AND operator is always implied between terms and expressions. For example, web error is the same as web AND error. Specifying clientip=192.0.2.255 earliest=-1h@h is the same as clientip=192.0.2.255 AND earliest=-1h@h. So unless you want to include it for clarity reasons, you do not need to specify the AND operator. -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Required_arguments" target="_blank" rel="noopener">Required arguments</A></BLOCKQUOTE> Wed, 11 Jan 2023 20:11:04 GMT yuanliu 2023-01-11T20:11:04Z https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626614#M217797 <P>I have read the documentation about breaker characters, but within our organization there is disagreement about when they actually come into play in the main search.</P><P>The docs don't say anything about it either way, but some say we must use quotes around sourcetype, for example:</P><LI-CODE lang="javascript">index=iis sourcetype="http_err_logs" status=500 ...etc</LI-CODE><P><BR />It goes without saying that they're needed within literal search phrases; the text of a specific error message, for example. But do they really also apply to comparisons for standard fields like index or sourcetype?<BR /><BR />As another example, we have sourcetypes with names like "WinEventLog:Application" and "WinEventLog:System" and some are saying that colon becomes a breaker which leads to a search of the entire raw event data. We also have index names with underscores, and so on.</P><P>As a result, at this point we're playing it safe and quoting anything that has breaker characters, but is there any documentation that describes where they're actually applied or not?</P> Tue, 10 Jan 2023 15:53:05 GMT https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626614#M217797 mv10 2023-01-10T15:53:05Z https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626632#M217800 <P>I use index=_internal all the time with no indication that Splunk is searching anything else.</P><P>One way to see who is right would be to compare the litsearch for each query as shown in Job Inspector.</P><P>This document may help:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Eventsegmentationandsearching" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Search/Eventsegmentationandsearching</A></P><P>&nbsp;</P> Tue, 10 Jan 2023 16:42:45 GMT https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626632#M217800 richgalloway 2023-01-10T16:42:45Z https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626645#M217805 <P>Good idea about the job inspector, I'll have to play with it a bit.</P><P>Those are the docs I was referring to in my question. It defines major and minor breakers but never clearly explains exactly when one or the other applies. It has the "app=" example and shows the minor tokens in the table but the text doesn't mention them at all.</P><P>I wouldn't expect _internal to match against anything else unless you also had other indices with names using the word "internal" with other breakers ("accounting_internal" for example). Personally I strongly doubt "index" would ever use breakers (makes no sense), but the rest of the fields, I'm not so sure.</P><P>My sourcetype examples (such as WinEventLog:System) do seem to work as expected even without quotes, the thinking is that it's just an efficiency thing. That's one I could test, but where does it end? Extracted fields? Only free-form search text?</P> Tue, 10 Jan 2023 17:52:23 GMT https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626645#M217805 mv10 2023-01-10T17:52:23Z https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626850#M217858 <P>This is the defining document:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#search" target="_blank" rel="noopener">search</A>; I would pay special attention under <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Logical_expression_options" target="_blank" rel="noopener">Logical expression options</A>,&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Comparison_expression_options" target="_blank" rel="noopener">Comparison expression options</A>,&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Quotes_and_escaping_characters" target="_blank" rel="noopener">Quotes and escaping characters</A>, and <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#The_implied_search_command" target="_blank" rel="noopener">The implied search command</A>.&nbsp; In addition to white space and double quotation mark (") which are obvious, any unquoted occurrence of parentheses ("(" and ")", unquoted), equal (=), less-than (&lt;), and greater-than (&gt;) will be interpreted by SPL as part (or whole) of an operator; any unquoted occurrence of pipe (|) is interpreted as command separator; select unquoted backslash sequences are interpreted by SPL, e.g., \", \|, and \\; unquoted asterisk (*) is interpreted as wildcard. &nbsp; Also look at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Search/Typesofcommands#collapseDesktop7" target="_blank" rel="noopener">Subsearches</A>. &nbsp;Any unquoted occurrence of left square bracket ([) is interpreted as the beginning of a subsearch; unquoted right square bracket (]) is considered the ending of a subsearch.</P><P data-unlink="true">Other than these, any character in a string is considered a literal string. &nbsp;This is why <FONT face="andale mono,times">index=</FONT><FONT face="andale mono,times">WinEventLog:System</FONT>, or even <FONT face="andale mono,times">index =&nbsp;WinEventLog:System</FONT> is equivalent to <FONT face="andale mono,times">index="WinEventLog:System"</FONT>. &nbsp;Yes, you can even name your source WinEventLog!System, WinEventLog/System, WinEventLog\System,&nbsp;WinEventLog\/System,&nbsp;even WinEventLog@System or WinEventLog&amp;System and not quote it.</P><P data-unlink="true">Even in the search document itself, some examples include unquoted strings that could be unsafe in some other contexts. &nbsp;For example,</P><BLOCKQUOTE>The AND operator is always implied between terms and expressions. For example, web error is the same as web AND error. Specifying clientip=192.0.2.255 earliest=-1h@h is the same as clientip=192.0.2.255 AND earliest=-1h@h. So unless you want to include it for clarity reasons, you do not need to specify the AND operator. -&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Search#Required_arguments" target="_blank" rel="noopener">Required arguments</A></BLOCKQUOTE> Wed, 11 Jan 2023 20:11:04 GMT https://community.splunk.com/t5/Splunk-Search/When-do-breaker-characters-apply/m-p/626850#M217858 yuanliu 2023-01-11T20:11:04Z