Command line interface (CLI)
This documentation does not apply to the most recent version of Splunk.
Splunk includes a command line interface (CLI) that runs from a shell on the server host. It's a great way to integrate Splunk into admin scripts. To use Splunk from the command line, add the ./bin subdirectory of your Splunk installation to your shell path.
For example:
export PATH=/opt/splunk/bin:$PATH
Note: CLI searches do not include a default time range.
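Because CLI searches have no default time range, a search run from an admin script is not limited to a recent window unless the query bounds itself. The shell functions below are an added example, not Splunk's own code: they append the daysago:: modifier used in this page's examples when a query carries no time bound. The function names, the SPLUNK_BIN variable and the "...ago::N" pattern are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk code): keep scripted CLI searches time-bounded.

# Path taken from this page's PATH example; override for other installs.
SPLUNK_BIN="${SPLUNK_BIN:-/opt/splunk/bin/splunk}"

# has_time_bound QUERY
# Succeeds if QUERY already contains text of the form ...ago::<digit>.
# Assumption: only daysago:: appears on this page; the pattern accepts any
# "...ago::N" spelling instead of naming modifiers the page does not list.
has_time_bound() {
    case "$1" in
        *ago::[0-9]*) return 0 ;;
        *)            return 1 ;;
    esac
}

# bound_query QUERY [DAYS]
# Prints QUERY unchanged if it is already bounded, otherwise prints it with
# daysago::DAYS appended (default 1). Returns 2 on an empty query or a DAYS
# value that is not all digits.
bound_query() {
    bq_query=$1
    bq_days=${2:-1}
    case "$bq_days" in
        *[!0-9]*)
            echo "bound_query: DAYS must contain digits only" >&2
            return 2 ;;
    esac
    if [ -z "$bq_query" ]; then
        echo "bound_query: empty search" >&2
        return 2
    fi
    if has_time_bound "$bq_query"; then
        printf '%s\n' "$bq_query"
    else
        printf '%s daysago::%s\n' "$bq_query" "$bq_days"
    fi
}

# bounded_search QUERY [DAYS]
# Runs the search through the CLI, passing the whole query as one argument
# so the shell does not split or reinterpret it.
bounded_search() {
    bs_query=$(bound_query "$1" "${2:-1}") || return $?
    "$SPLUNK_BIN" search "$bs_query"
}
```

Source the file from an admin script and call bounded_search "session root" 7 in place of a bare splunk search.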
Examples
Below are typical commands that you could execute from the CLI.
Note: CLI commands must be prefaced by "splunk", unless you have logged into the Splunk CLI.
For example:
./splunk search "foo"
search "session root daysago::1"
add tail /var/applog -sourcetype myApp
remove tail /var/log
list tail
spool /my/random/logs.tgz -sourcetype linux_messages_syslog
add batch /var/archive -segmentnum 3
add udp 514
edit udp 514 -sourcetype asterisk_event_syslog
add user -role power -username gwb -full-name "George W Bush" -password changeme
add forward 10.1.1.123:8089
enable receive
add search-server splunk03:8089
list saved
splunk help commands
Built-in help
The CLI supports the same search syntax as the search bar in SplunkWeb, and commands work the same way (except some reporting commands). The best way to learn to use the CLI is to use its built-in help system. Access it by typing:
./splunk help
Basic commands
Below is actual help output from the command line interface.
# splunk help
Welcome to Splunk's command line interface. Try typing these commands for more help.
help simple, cheatsheet    list common commands, and command line syntax
help commands              full list of command line commands
help [command]             type a specific command for its own help page
help [object]              type a specific object for its own help page
help [topic]               type any topic to get help on or related to it
help datastore             manage Splunk's local filesystem use
help distributed           manage distributed configurations such as: data cloning and routing,
                           and distributed search
help forwarding            manage data forwarding deployments
help input, inputs         manage data inputs
help control, controls     tools to start, stop, manage Splunk processes
help settings              manage settings for your Splunk server
help tools                 tools to help your Splunk server
help training              train Splunk to recognize dates, source types, or fields
help search                help with Splunk searches
Universal Parameters:
These parameters are usable by any command. Type "splunk help [auth|uri]" for details on each one.
Syntax:
[command] [object] [-parameters]... [-uri][-auth]
help auth    authentication for commands, can be applied to any command
help uri     used to send a specified command to a specified server
Try typing "help [object|topic]" to get help on a specific object, or topic you are curious about.
# splunk help simple
This page shows will get you started with some basic commands, examples of usage,
and a list of help commands for reference on Splunk's search.
Splunk command line syntax:
./splunk [command] [object] [-parameter value]...
These are the basic Splunk commands you need to know:
search                       search a Splunk index
login,logout                 authenticate a session to a Splunk server
start,stop,restart,status    manage Splunk processes
spool                        load a file or directory into an index
add,edit,remove,list         manage data inputs, user accounts, saved searches
set,show                     manage Splunk settings
enable,disable               turn features on and off
help                         show main help page
install,upgrade              install or upgrade a bundle
refresh                      update a deployment server with client server information
reload                       reload deployment servers
Examples of typical commands:
./splunk search "session root daysago::1"
./splunk add tail /var/applog -sourcetype myApp
./splunk remove tail /var/log
./splunk list tail
./splunk spool /my/random/logs.tgz -sourcetype linux_messages_syslog
./splunk add batch /var/archive -segmentnum 3
./splunk add udp 514
./splunk edit udp 514 -sourcetype asterisk_event_syslog
./splunk add forward 10.1.1.123:8089
./splunk enable receive
./splunk add search-server splunk03:8089
./splunk help commands
Splunk search cheatsheets:
help search              search syntax reference
help search-modifiers    complete list of search modifiers and usage examples
help search-fields       complete list of search fields indexed by Splunk
help search-commands     complete list of search commands
Type "help [object|topic]" to get help on a specific object, or topic.
# splunk help commands
All Splunk commands take the form:
./splunk [command] [object] [-parameter value]...
Some commands don't require an object or parameters.
Some commands have a default parameter that can be specified by its value alone.
Supported commands and objects:
[command]                [objects]
add,edit                 [bundle|blacklist|deploy-client|deploy-class|exec|fifo|forward-server|index
                         |saved-search|search-server|source|sourcetype|tail|tcp|udp|user|watch]
anonymize                source
clean                    [eventdata|globaldata|userdata|all]
disable                  [bundle|discoverable|dist-search|deploy-client|deploy-server|listen|local-index]
enable                   [bundle|discoverable|dist-search|deploy-client|deploy-server|listen|local-index]
display                  [discoverable|dist-search|deploy-client|deploy-server|listen|local-index]
export,import            [globaldata|userdata|eventdata]
find                     logs
help                     NONE
install,upgrade          bundle
list                     [bundle|blacklist|deploy-client|deploy-class|exec|fifo|forward-server|index
                         |saved-search|search-server|source|sourcetype|tail|tcp|udp|user|watch]
login,logout             NONE
recover                  NONE
reload                   deploy-server
remove                   [bundle|blacklist|deploy-client|deploy-class|exec|fifo|forward-server|index
                         |saved-search|search-server|source|sourcetype|tail|tcp|udp|user|watch]
resurrect,unresurrect    [archive_directory|index|from_time|end_time]
search                   NONE
set,show                 [datastore-dir|deploy-multicast|deploy-poll|default-hostname|default-index|license
                         |minfreemb|servername|server-type|splunkd-port|web-port]
spool                    [globaldata|userdata|eventdata]
start,stop,restart       [splunkd|splunkweb|monitor]
status                   [splunkd|splunkweb|monitor]
Type "help [object|topic]" to get help on a specific object, or topic.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.