Search commands
Use search commands to generate search results from an index, or to process search results that have already been generated. Combine search commands in a single search, separated by the "|" ("pipe") character, to produce specific sets of search results or detailed reports based on those results.
Select a search command from the list below to learn how to use it.
See the search pipeline syntax page for a description of the search command pipeline in modified BNF (Backus-Naur Form).
| Category | Commands |
| --- | --- |
| Data-generating | file, savedsearch, search |
| Filtering & Re-ordering | dedup, head, localize, regex, reverse, set, sort, tail, where |
| Transforming & Reporting | associate, chart, cluster, contingency, correlate, diff, format, highlight, rare, stats, strcat, timechart, top, transaction, typelearner, xmlunescape |
| Evaluating | abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace |
| Extracting | extract (kv), iplocation, multikv, rex, typer, xmlkv |
| Administrative | admin, audit, run |
Use data-generating commands to get data out of a Splunk index.
Filtering & Re-ordering commands don't change the data within results. They let you filter a result set and change the order in which results appear.
Transforming & Reporting commands allow you to summarize large result sets.
Evaluating commands evaluate each result, and change the fields or values of fields within each result.
Extracting commands add fields to results based on raw event data.
Administrative commands allow you to perform administrative functions.
Commands that support multi-value fields
Some commands can process multi-value fields. Multi-value fields allow Splunk to recognize multiple values within a single field value string. Splunk splits the values using regular-expression delimiters that you define in fields.conf (see the documentation on configuring multi-value fields).
The following commands support multi-value fields:
Conventions used in the search reference
Syntax conventions
    command argument ... [argument] ...
- Commands are in bold.
- Any bolded (and not italicized) character in the command syntax is a required term for the expression.
- Required arguments are italicized (and can be bold).
- Optional arguments are in [brackets].
- " ... " means that the preceding argument can be repeated any number of times.
- Arguments are defined in a table.
| Argument | Syntax and value (default value) | Description and usage |
| --- | --- | --- |
- Default values are shown in parentheses ( ).
- Arguments that have a table of options associated with them are italicized and in bold (argument).
- " | " within a syntax description is used as a logical OR; for example, T | F means True OR False.
Other conventions
Command examples that are applicable to Splunk Web are shown in a mock-up of a search bar:

    foo | top fooField

Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font:

    ./splunk search "foo | top fooField"
Command index
audit
This documentation applies to the following versions of Splunk: 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6.