Data-generating commands
file
This data-generating command generates events (using standard Splunk processing) from a file in the local filesystem of the Splunk server. Because the file is opened by the Splunk server process, any file that process can read can be turned into searchable events; treat the ability to run this command as read access to those files.
Syntax
file path
Arguments
| Argument | Value | Description |
| path | .../.../... | Path to the file that will be processed. |
Examples
SplunkWeb:
file /var/log/messages.1 | top
CLI:
./splunk search "file /var/log/messages.1 | top"
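The path argument is passed to the server as given. If searches containing `file` are built from input that is not fully trusted (a script that takes a file name and runs `./splunk search "file ... | top"`), an operator will want to canonicalize the path and confine it to a known log directory before it reaches the command. The wrapper below is an added example, not Splunk code or anything this page documents; the allowed directory, the function names and the sample files are assumptions for illustration. It resolves symlinks with `readlink -f`, rejects anything that lands outside the allowed tree (including `..` traversal and a symlink pointing out of it), and only accepts regular files.

```shell
#!/usr/bin/env bash
# Added example (not part of Splunk or this page): confine the path handed to
# the `file` command to one directory tree. ALLOWED_LOG_DIR, the function names
# and the sample files are assumptions for illustration.
set -u

ALLOWED_LOG_DIR="${ALLOWED_LOG_DIR:-/var/log}"

# check_log_path PATH
#   Prints the canonical path and returns 0 if PATH resolves (symlinks
#   included) to a regular file under ALLOWED_LOG_DIR; returns 1 otherwise.
check_log_path() {
    local requested="$1" canon allowed
    # readlink -f follows every symlink; it fails if an intermediate component
    # is missing, and we check existence of the final component ourselves.
    canon="$(readlink -f -- "$requested")" || return 1
    [ -e "$canon" ] || return 1
    allowed="$(readlink -f -- "$ALLOWED_LOG_DIR")" || return 1
    case "$canon" in
        "$allowed"/*) ;;            # inside the allowed tree
        *) return 1 ;;              # ../../etc/passwd, or a symlink pointing out
    esac
    [ -f "$canon" ] || return 1     # directories, devices and FIFOs are not logs
    printf '%s\n' "$canon"
}

# build_file_search PATH
#   Prints the search string to hand to splunk, or fails without printing
#   anything if PATH does not pass check_log_path.
build_file_search() {
    local canon
    canon="$(check_log_path "$1")" || return 1
    printf 'file %s | top\n' "$canon"
}

# Self-contained demonstration on a constructed directory tree.
demo() {
    local tmp
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/log" "$tmp/etc"
    # constructed sample content
    echo "Jan  1 00:00:00 host sshd: Password accepted for mary" > "$tmp/log/messages.1"
    echo "root:x:0:0:root:/root:/bin/sh" > "$tmp/etc/passwd"
    ln -s "$tmp/etc/passwd" "$tmp/log/escape"   # symlink that points outside
    ALLOWED_LOG_DIR="$tmp/log"
    build_file_search "$tmp/log/messages.1"                              # accepted
    build_file_search "$tmp/log/../etc/passwd" || echo "rejected: traversal"
    build_file_search "$tmp/log/escape"        || echo "rejected: symlink out"
    build_file_search "$tmp/log"               || echo "rejected: not a file"
    rm -rf "$tmp"
}

demo
```

The check is done on the resolved path rather than on the string the caller typed, which is what defeats both `..` segments and symlinks; the prefix test uses `"$allowed"/*` so that the allowed directory itself and siblings with a common name prefix (for example `/var/log2`) are not accepted.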
remote
This command runs a search on the remote Splunk servers that you specify in a server list and merges the results returned by those servers. The merged results are sorted by time by default.
Note: Scripts cannot be pushed out to machines at search time. If this command is used to run a Perl or Python script on a remote machine, then that script has to be on that machine for this command to work properly.
Syntax
remote server-list [search string]
Arguments
| Argument | Value | Description |
| server-list | server1,...,serverX | Comma- or space-separated list of Splunk servers, or "*" to represent all known peers. |
| search string | search string | Search string to execute on the remote server(s). |
Examples
SplunkWeb:
remote * [search 404] | sort time
- Run a remote search for 404 on all Splunk servers and sort the merged results by "time".
CLI:
./splunk search "remote * [search 404] | sort time"
- The same search run from the CLI. Note the use of the wildcard to address all known peers.
savedsearch
This data-generating command returns the search results of a saved search. A saved search can be set to run using on-disk cache.
Syntax
savedsearch name of saved search [savedsearch-option]
Arguments
| Argument | Value | Description |
| name of saved search | saved search name | Name of the saved search to run. |
savedsearch-option
| Option | Value | Description |
| savedsearch-option | cache-option, macro-option, ttl-option, replacement-option | Options for savedsearch. |
| cache-option | usecache=T or F (default F) | Whether to use the on-disk cache when running the saved search. |
| macro-option | nosubstitution=T or F (default F) | If set to T, turns off all macro replacement. |
| ttl-option | maxage=integer (default 60) | Number of minutes for which cached search results remain valid. |
| replacement-option | key=value | A key-value pair for macro replacement: the token $key$ in the saved search is replaced by value. |
Examples
SplunkWeb:
savedsearch mysecurityquery | filter _count > 0 | sendemail to=email@site.com
- Run the saved search mysecurityquery and, if it returns any results (the filter command keeps results only when the count is greater than 0), email them.
CLI:
- Create a saved search named ABC whose search string is:
$rotsky$ host="petpeeve" | where (user LIKE deep)
Run the saved search:
./splunk search "savedsearch=\"ABC usecache=T rotsky=loose\""
The saved search ABC contains the macro token $rotsky$, which is replaced at run time by whatever value is supplied for rotsky, and restricts results to host "petpeeve" where the user is "deep". The command above runs ABC with the on-disk cache enabled (usecache=T) and rotsky=loose, so the search actually executed is: loose host="petpeeve" | where (user LIKE deep).
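The following is a model of the macro replacement the example above relies on, added here as an illustration. It is a plain shell string substitution, not Splunk's implementation, and the function names are assumptions. It shows the expanded search produced by rotsky=loose, what nosubstitution=T leaves untouched, and a check for tokens that were given no value, since such a token would otherwise go into the executed search as the literal text $name$.

```shell
#!/usr/bin/env bash
# Added example (not Splunk's implementation): a model of $token$ macro
# replacement for savedsearch. Function names are assumptions.

# expand_macros TEMPLATE [key=value ...]
#   Replaces every $key$ in TEMPLATE with value. Tokens with no matching
#   key are left untouched so they remain visible in the output.
expand_macros() {
    local template="$1" kv key val
    shift
    for kv in "$@"; do
        key="${kv%%=*}"
        val="${kv#*=}"
        # \$ is a literal dollar sign in the pattern; "$key" is matched literally
        template="${template//\$"$key"\$/$val}"
    done
    printf '%s\n' "$template"
}

# run_saved_search TEMPLATE T|F [key=value ...]
#   Mirrors the macro-option: with nosubstitution=T the saved search is used
#   verbatim, otherwise replacement-options are applied.
run_saved_search() {
    local template="$1" nosubstitution="$2"
    shift 2
    if [ "$nosubstitution" = "T" ]; then
        printf '%s\n' "$template"
    else
        expand_macros "$template" "$@"
    fi
}

# unresolved_tokens SEARCH
#   Prints the names of any $token$ still present, one per line, so the
#   caller can refuse to run a search that was given incomplete values.
unresolved_tokens() {
    printf '%s\n' "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*\$' | tr -d '$' | sort -u
}

# The saved search from the page's example (constructed input).
ABC='$rotsky$ host="petpeeve" | where (user LIKE deep)'
run_saved_search "$ABC" F rotsky=loose               # loose host="petpeeve" | where (user LIKE deep)
run_saved_search "$ABC" T rotsky=loose               # unchanged: nosubstitution=T
unresolved_tokens "$(run_saved_search "$ABC" F)"     # rotsky (no value was supplied)
```

Because the replacement is purely textual, the supplied value becomes part of the search string exactly as given; checking for unresolved tokens before running is the cheap way to catch a saved search that was invoked without one of the values it expects.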
search
The search command is the core data-generating command in Splunk. It performs a search by retrieving results from the Splunk index. The search command is explained in greater detail in the search syntax section of the User manual.
Note: In SplunkWeb the search command is implicit; you do not have to prepend "search" to your searches. Type the search terms as you would in any typical search engine (for example, Google).
Syntax
search search-arguments
Arguments
search-arguments
| Argument | Value | Description |
| search-arguments | terms, search-fields, search-modifiers, search-commands | A search string can be composed of any number of terms, search fields (field-value pairs), search modifiers, and search commands. |
| terms | string | Literal terms to search for. Refer to the reference page on search in the User manual for details. |
| search-fields | field-value pairs | Fields with the values they must match. |
| search-modifiers | modifier-value pairs | Modifiers that alter your search results. |
| search-commands | see the reference page for each command's syntax | Commands that can be passed in your search string. |
Examples
SplunkWeb:
"Password accepted" | where user="mary"
- Searches for the phrase "Password accepted" and keeps only results where the user is "mary".
CLI:
./splunk search "404 host::monkeyBox | top"
- Show the top results of a search for the term "404" on "monkeyBox."
This documentation applies to the following versions of Splunk: 3.1.4