Search commands
This documentation does not apply to the most recent version of Splunk.
Search commands
Use search commands to generate search results from an index, or to process search results that have already been generated. Combine search commands in a single search, separated by the "|" (pipe) character, to produce specific sets of search results or complex reports based on those results.
Select search commands from the list below to learn how to use them.
See the search syntax page for a description of the search command pipeline in modified BNF (Backus-Naur Form).
| Category | Commands |
| --- | --- |
| Data-generating | file, remote, run, savedsearch, search |
| Saving | run, sendemail, outputcsv, outputraw, outputtext, outputxml |
| Filtering & Re-ordering | page, regex, run, set, sort, uniq, where |
| Transforming & Reporting | associate, chart, contingency, correlate, diff, format, rare, run, select, stats, timechart, top, xmlunescape |
| Evaluating | abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace, run |
| Extracting | extract(kv), multikv, run, xmlkv |
| Administering | run, admin |
Use data-generating commands to get data out of a Splunk index.
Saving commands allow you to save data in various formats. Use saving commands to format data for a particular type of output.
Filtering & Re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.
Transforming & Reporting commands allow you to summarize large result sets.
Evaluating commands evaluate each result, and change the fields or values of fields within each result.
Extracting commands add fields to results based on raw event data.
Administering commands allow you to perform administrative functions.
Conventions used in the search reference
Syntax conventions
command argument ... [argument] ...
- Commands are in bold.
- Any bolded (and not italicized) character in the command syntax is a required term for the expression.
- Required arguments are italicized (and can be bold).
- Optional arguments are in [brackets].
- " ... " means that many arguments can be inserted.
- Arguments are defined in a table.
| argument= | syntax and value(default value) | Description, and usage. |
- Default values are shown in parentheses ( ).
- Arguments that have a table of options associated with them are italicized and in bold (argument).
- " | " is used as a logical OR.
- T | F = True OR False.
Other conventions
- Command examples that are applicable to SplunkWeb are shown in a mock-up of a search bar:
foo | top
- Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font:
    ./splunk search "foo | top"
The run command
The run command makes calls to external perl or python programs that can modify or generate search results. It takes search results as inputs, and outputs the results of the script(s) called.
To disable the running of a script, delete the script out of the splunk_home/etc/searchscripts directory.
Syntax
run (perl OR python) script-name [script-argument] ... [script-argumentN] [maxinputs-arg]
Arguments
| script-name= | script name | The name of the script to execute (minus the path and file extension). |
| script-argument= | script arguments | An argument passed to the script. |
| maxinputs-arg= | maxinputs=integer(100) | Specify a number of results to pass to the script. If no maxinputs is specified, run will pass up to 10,000 events to scripts. |
Examples
404 | run python myscript myarg1 myarg2 | sendemail to=email@site.com
- Searches for events containing 404 and runs the python script myscript with the arguments myarg1 and myarg2. Then it sends the results in an email to email@site.com.
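To make the pipeline and argument conventions above concrete, here is an added Python example (not Splunk's own code) that splits a search string into its piped stages, parses each stage into positional and key=value arguments, and checks a run stage against the syntax table for this command. It assumes that a leading stage which does not start with one of the data-generating commands is an implicit search, and that a key=value argument may be written with a space after the equals sign, as in the sendemail example.

```python
import shlex

# Data-generating commands from the table above; any other leading stage is treated as "search".
GENERATING = {"file", "remote", "run", "savedsearch", "search", "admin"}

def split_pipeline(search):
    """Split on '|' characters that are not inside double or single quotes."""
    stages, buf, quote = [], [], None
    for ch in search:
        if quote is None and ch == "|":
            stages.append("".join(buf).strip())
            buf = []
        else:
            if quote is None and ch in "\"'":
                quote = ch
            elif ch == quote:
                quote = None
            buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]

def parse_stage(text, first=False):
    """Return (command, args, kwargs) for 'command argument ... key=value ...'."""
    tokens = shlex.split(text)
    if first and tokens[0] not in GENERATING:
        tokens = ["search"] + tokens        # implicit search stage (assumption)
    args, kwargs, i = [], {}, 1
    while i < len(tokens):
        key, eq, value = tokens[i].partition("=")
        if eq and not value and i + 1 < len(tokens):  # tolerate 'to= value'
            value, i = tokens[i + 1], i + 1
        if eq:
            kwargs[key] = value
        else:
            args.append(key)
        i += 1
    return tokens[0], args, kwargs

def parse_search(search):
    return [parse_stage(s, n == 0) for n, s in enumerate(split_pipeline(search))]

def check_run_stage(args, kwargs):
    """Problems in a run stage's arguments, per the syntax table on this page."""
    problems = []
    if len(args) < 2 or args[0] not in ("perl", "python"):
        problems.append("run needs an interpreter (perl or python) and a script name")
    elif "/" in args[1] or "." in args[1]:
        problems.append("script-name is given without path or file extension")
    if "maxinputs" in kwargs and not kwargs["maxinputs"].isdigit():
        problems.append("maxinputs must be an integer")
    return problems
```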
The admin command
This data-generating command returns the values of a specified .conf file.
Syntax
admin configuration file
Arguments
| configuration file=bundle name | Name of a bundle that corresponds to a Splunk .conf file (e.g. eventtypes, inputs, props). |
Examples
SplunkWeb:
admin eventtypes
- Returns the values of the eventtypes.conf file.
CLI:
./splunk search "admin auth"
- Returns authentication settings in auth.conf.
./splunk search "admin props"
- Returns processing properties - time zones, breaking characters, etc contained in props.conf.
This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.