Hi, does anyone know the benefits of the search command?
search src="10.9.165.*" and src_ip="10.9.165.*", any difference?
Hi @cyberfan
The search command is implied at the beginning of any search. You do not need to specify the search command at the beginning of your search criteria.
When the search command is not the first command in the pipeline, the search command is used to filter the results of the previous command.
The search command can also be used in a subsearch.
The search command is an event-generating command when it is the first command in the search, before the first pipe.
When the search command is used further down the pipeline, it is a distributable streaming command.
Specifying a secondary search:
This example uses the search command twice. The search command is implied at the beginning of every search with the criteria eventtype=web-traffic. The search command is used again later in the search pipeline to filter out the results.
This search defines a web session using the transaction command and searches for the user sessions that contain more than three events.
eventtype=web-traffic | transaction clientip startswith="login" endswith="logout" | search eventcount>3
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/search
(PS - I have given around 500+ karma points so far and received a badge for that. If an answer helped you, a karma point would be nice! We all should start to "Learn, Give Back, Have Fun".)
Hi @cyberfan,
The search is absolutely equivalent from the Splunk point of view.
It depends on the content of the src and src_ip fields: in other words, where in your logs are the source IPs to use in the search? The answer to this question (that only you can answer) is the answer to your question!
Probably it could be more efficient to use
src="10.9.165.1/24" or src_ip="10.9.165.1/24"
Ciao.
Giuseppe
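As an added example (not from either answer above), the following self-contained SPL builds four constructed events with makeresults, so it runs without any indexed data, and then uses search further down the pipeline as a filter, with CIDR match on both src and src_ip. It deliberately uses a /25 rather than a /24 to show what CIDR matching can express that the wildcard "10.9.165.*" cannot: only addresses 10.9.165.0 to 10.9.165.127 are kept.

```spl
| makeresults count=4
| streamstats count AS n
| eval src    = case(n=1, "10.9.165.7", n=2, "10.9.165.200", n=3, "10.9.166.7", true(), null()),
       src_ip = case(n=4, "10.9.165.12", true(), null())
| table n src src_ip
| search src="10.9.165.0/25" OR src_ip="10.9.165.0/25"
```

Rows n=1 (src 10.9.165.7) and n=4 (src_ip 10.9.165.12) survive; n=2 is outside the /25 and n=3 is in a different /24, while the OR across both fields covers logs that populate either field name, which is the point Giuseppe raises about knowing where your source IPs actually live.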