Command Line Interface
This documentation does not apply to the most recent version of Splunk.
Splunk 2.1 includes a command line interface that runs from a shell on the server host, rather than through the Web interface. It's a great way to integrate Splunk into admin scripts. To use Splunk from the command line, add the ./bin subdirectory of your Splunk Server installation to your shell path, for example:
# export PATH=/opt/splunk/bin:$PATH
Examples
Below are typical commands supported by the command line interface.
search "session root daysago::1"
add tail /var/applog -sourcetype myApp
remove tail /var/log
list tail
spool /my/random/logs.tgz -sourcetype linux_messages_syslog
add batch /var/archive -segmentnum 3
add udp 514
edit udp 514 -sourcetype asterisk_event_syslog
add user -role power -username gwb -full-name "George W Bush" -password changeme
add forward 10.1.1.123:8089
enable receive
add search-server splunk03:8089
list savedsplunk
help commands
Built-in help
The command line interface supports the same search syntax as the Splunk box, and has commands that perform most of the other operations available through the Web interface. The best way to learn to use the CLI is to use its built-in help system:
# splunk help
Basic commands
Below is actual help output from the command line interface.
# splunk help
This is Splunk's command line interface. Try typing these commmands for more help.
help simple      list the most commonly-user commands
help commands    list all commands
help [command]   show help on a specific command
help search      search indexes
help input       add, edit or delete data inputs
help settings    show or set basic server settings
help users       add, edit or delete user accounts
help splunks     manage Saved Splunks & Live Splunks
help s2s         manage Splunk-2-Splunk configuration
help datastore   manage the server's local filesystem use
help training    improve Splunk's handling of dates, source types or report fields
help summary     get statistics on indexed data
help auth        authentication to a Splunk Professional server
help control     start and stop Splunk Server processes
help tools       find log files, anonymize data samples
help migrate     copy datastore items from a previous version of Splunk
help [topic]     show help on any topic
help help        show a list of help topics
# splunk help simple
These are the basic Splunk commands you need to know:
search                      search a Splunk index
login,logout                authenticate a session to a Splunk Professional server
start,stop,restart,status   manage Splunk Server processes
spool                       load a file or directory into an index
add,edit,remove,list        manage data inputs, user accounts, Saved & Live Splunks
set,show                    manage Splunk Server settings
enable,disable              turn features on and off
help                        show usage instructions for Splunk
# splunk help commands
All Splunk commands take the form:
splunk [action] [object] [-parameter value] ...
Actions and objects are in matched sets, shown below.
Some commands don't require an object or parameters.
Some have a default parameter that can be specified by its value alone.
Supported sets of actions and objects:
search
login,logout
spool
start,stop,restart,status [splunkd|splunkweb|monitor]
set,show [servername|splunkd-port|web-port|web-sslport|datastore-dir|minfreemb|default-index]
add,edit,remove,list [user|tail|watch|fifo|tcp|udp|odbc|savedsplunk|livesplunk|index|foward-server|search-server]
migrate [users|props|settings|inputs|splunks|index_definition]
import,export,clean [eventdata|userdata|globaldata|all]
summary [events|hosts|sources|sourcetypes]
enable,disable,display [broadcast|listen]
train|test [dates|fields|sourcetype]
validate [index]
anonymize [file]
find [logs]
help [topic]
Type "help [action]" or "help [object]" to see the parameters specific to each type of object.
Some combinations of action and object within each set may not be supported.
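When the CLI is driven from admin scripts, the matched sets above can serve as an allowlist that is checked before any command reaches the server. The following is an added example, not part of the Splunk documentation or Splunk's own code: the function names splunk_pair_ok and guarded_splunk are hypothetical, the object-required rule is an assumption, and the splunk binary is assumed to be on the PATH.

```shell
# Added example. SPLUNK_SETS is copied from the "splunk help commands" output,
# spelling included; "anonymize [file]" and "help [topic]" are left out because
# their bracket is taken to be a placeholder, not a literal object (assumption).
SPLUNK_SETS='search
login,logout
spool
start,stop,restart,status [splunkd|splunkweb|monitor]
set,show [servername|splunkd-port|web-port|web-sslport|datastore-dir|minfreemb|default-index]
add,edit,remove,list [user|tail|watch|fifo|tcp|udp|odbc|savedsplunk|livesplunk|index|foward-server|search-server]
migrate [users|props|settings|inputs|splunks|index_definition]
import,export,clean [eventdata|userdata|globaldata|all]
summary [events|hosts|sources|sourcetypes]
enable,disable,display [broadcast|listen]
train|test [dates|fields|sourcetype]
validate [index]
find [logs]'

# splunk_pair_ok ACTION [OBJECT]: status 0 only if both sit in one matched set.
splunk_pair_ok() {
    action=$1 object=${2:-}
    # Listing alphabet only, so "user|tail" or "add,edit" cannot span entries.
    case "$action" in ''|*[!a-z]*) return 1 ;; esac
    case "$object" in *[!a-z_-]*) return 1 ;; esac
    while IFS= read -r line; do
        actions=$(printf '%s' "${line%% *}" | tr '|' ',')
        case "$line" in
            *'['*) objects=${line#*\[}; objects=${objects%\]} ;;
            *)     objects= ;;
        esac
        case ",$actions," in *",$action,"*) ;; *) continue ;; esac
        # Assumption: a set that lists objects requires one of them.
        if [ -z "$objects" ]; then
            [ -z "$object" ] && return 0
        else
            case "|$objects|" in *"|$object|"*) return 0 ;; esac
        fi
    done <<EOF
$SPLUNK_SETS
EOF
    return 1
}

# guarded_splunk ACTION OBJECT [ARGS...]: pass '' as OBJECT for search/spool.
guarded_splunk() {
    action=$1 object=$2; shift 2
    splunk_pair_ok "$action" "$object" ||
        { echo "refused: $action $object" >&2; return 64; }
    splunk "$action" ${object:+"$object"} "$@"
}
```

Because the table is taken from the help listing as printed, a script owner would edit SPLUNK_SETS to match what their own server's "splunk help commands" reports.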
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.