https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286960#M86867 <P>The <CODE>::</CODE> syntax has some older history that is no longer relevant. </P> <P>These days the <CODE>::</CODE> syntax is used to indicate in your base search that the <CODE>field::value</CODE> pair is indexed. If a field is indexed then it means that we can take advantage of this all the way down to the index level of filtering. Where for search time extracted fields we can only take partial advantage of the index. Fields are indexed they are one of the built in fields as mentioned by @lstewart, you can define fields to be indexed as described <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configureindex-timefieldextraction">here</A>, and finally if you are indexing CSV or JSON as structured data the fields from that data will be indexed as well.</P> <P>In general because of the additional filtering that can be done with the indexes themselves, if you know that across all your data sources that a field is indexed it is very beneficial to performance to use the '::' syntax, if you use it on a field that is not indexed it can filter out events unexpectedly.</P> Tue, 14 Jun 2016 19:32:44 GMT cpride_splunk 2016-06-14T19:32:44Z https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286957#M86864 <P>Hi,</P> <P>Was reading some doc (<A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Writebettersearches">http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Writebettersearches</A>) and it mentions this new way of searching for indexed fields - Specify indexed fields with <CODE>&lt;field&gt;::&lt;value&gt;</CODE> - Curious on what this does and how it's better than the traditional method.</P> <P>Also, is there a way to determine which fields are indexed fields?</P> Sun, 05 Jun 2016 20:57:00 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286957#M86864 a212830 2016-06-05T20:57:00Z https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286958#M86865 <P>There are some very subtle differences but I am not aware of anything that would make one more efficient than the other. The main thing is that the <CODE>::</CODE> syntax is the original syntax that was upgraded to allow for the more obvious <CODE>=</CODE> syntax which became the standard. I am surprised to see the older syntax creep back into the documentation. It is probably a documentation oversight and the thrust of this comment in context has has nothing to do with <CODE>::</CODE> vs. <CODE>=</CODE> but rather specifying values for fields early in the search, particularly for those that are indexed.</P> Sun, 05 Jun 2016 21:46:58 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286958#M86865 woodcock 2016-06-05T21:46:58Z https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286959#M86866 <P>Here is a link to the list of indexed fields (see the table).<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Aboutdefaultfields">http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Aboutdefaultfields</A></P> Tue, 14 Jun 2016 01:40:53 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286959#M86866 lstewart_splunk 2016-06-14T01:40:53Z https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286960#M86867 <P>The <CODE>::</CODE> syntax has some older history that is no longer relevant. </P> <P>These days the <CODE>::</CODE> syntax is used to indicate in your base search that the <CODE>field::value</CODE> pair is indexed. If a field is indexed then it means that we can take advantage of this all the way down to the index level of filtering. Where for search time extracted fields we can only take partial advantage of the index. Fields are indexed they are one of the built in fields as mentioned by @lstewart, you can define fields to be indexed as described <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Data/Configureindex-timefieldextraction">here</A>, and finally if you are indexing CSV or JSON as structured data the fields from that data will be indexed as well.</P> <P>In general because of the additional filtering that can be done with the indexes themselves, if you know that across all your data sources that a field is indexed it is very beneficial to performance to use the '::' syntax, if you use it on a field that is not indexed it can filter out events unexpectedly.</P> Tue, 14 Jun 2016 19:32:44 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286960#M86867 cpride_splunk 2016-06-14T19:32:44Z https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286961#M86868 <P>That is fantastic! The documentation definitely needs to make this more clear. I will be using this frequently now.</P> Tue, 14 Jun 2016 19:36:41 GMT https://community.splunk.com/t5/Splunk-Search/What-s-the-difference-between-host-abc-and-host-abc/m-p/286961#M86868 woodcock 2016-06-14T19:36:41Z