User Manual

Data-generating commands

Use data-generating commands to generate data to use with other Splunk commands. Generate search results by searching the Splunk index, by executing a script that creates data, or by reading them directly from a file.


Note about using file and savedsearch in Splunk Web

You must use a | (pipe) when you begin searches with any data-generating command other than search.


Examples:


| savedsearch foo ...
| file /path/path/log.file

Note about using file and savedsearch in the CLI

You must use a | (pipe) when you begin searches with any data-generating command other than search. You must use outputcsv to see your results.


Examples:


./splunk search " | savedsearch foo ... | outputcsv"
./splunk search " | file /path/path/log.file ... | outputcsv"

file

Use file to read a file or directory into Splunk to see what its contents would look like if it were indexed. If you specify a file to read into Splunk, Splunk will return events from the file as if it were indexed in a Splunk index. If you specify a directory, Splunk will display a list of files in the directory and their identified source types.


Note: You must use a | (pipe) when you begin searches with file.


Note: You can't use file to process archived (compressed) files or directories.


Note: If you have a search command ahead of a file command in your search, Splunk will automatically discard the search's results and output data generated from file.


Syntax

file path


Arguments

path
    Syntax: .../.../...
    Path to the file or directory to process.

Examples

This example displays the file messages.1 as if it were indexed in Splunk.


Splunk Web:


| file /var/log/messages.1

CLI:


./splunk search "| file /var/log/messages.1"

savedsearch

Return the search results of a saved search. You can set a saved search to run using on-disk cache.


Note: You must use a | (pipe) when you begin searches with savedsearch.



Syntax

savedsearch savedsearch [savedsearch-option]


Arguments

savedsearch
    Syntax: string
    Name of the saved search to run.

savedsearch-option


savedsearch-option
    Syntax: cache-option | macro-option | ttl-option | replacement-option
    Options for savedsearch.
cache-option
    Syntax: usecache=T | F (default F)
    Sets whether or not to use on-disk cache for running the saved search.
macro-option
    Syntax: nosubstitution=T | F (default F)
    If set, turns off any macro replacements.
ttl-option
    Syntax: maxage=integer (default 60)
    Specifies the number of minutes cached search results should be valid.
replacement-option
    Syntax: key=value
    A key-value pair for macro replacement.

Examples

Splunk Web:


This example runs the mysecurityquery saved search and keeps those results with a count field greater than zero.


| savedsearch mysecurityquery | search count > 0

CLI:


This example shows how you can use savedsearch with a macro (Macro search).


Run the saved search:


./splunk search "| savedsearch ABC usecache=T rotsky=loose | outputcsv"

This search uses a saved search called "ABC" that searches for host="petpeeve" whenever the macro replacement "rotsky" is specified in the savedsearch. The saved search is then run with on-disk cache turned on, searching for "loose" on the host "petpeeve".


search

The search command is the core data-generating command in Splunk. It performs a search by retrieving results from the Splunk index. What you can do with search is explained in the search syntax section of the User manual.


Note: When you use Splunk Web, you don't have to type in the word search before your search terms. Type the search terms as you would in any typical search engine (ex: Google).


Syntax

search search string


Arguments

search string


search string
    Syntax: terms | commands | modifiers | (search string) | search string [OR] search string | comparison expression
    Components of a search string.
terms
    Search terms. Syntax for literal, quoted, and simple search term expressions.
modifiers
    Search modifiers. Used to narrow searches based on various value and time constraint specifications.
fields
    Search fields. Fields are either indexed when your data is put into the Splunk index, or they are extracted at search time.
comparison expression
    Comparison expressions compare the values of fields, and constrain searches based on comparisons to other fields or numbers.

terms


terms
    Syntax: keywords | wildcards | literals | quotes | logical expression
    Supported types of search terms.
keywords
    Syntax: string
    Any string of characters to search for. Narrows searches based on simple character matching.
wildcards
    Syntax: *[string | modifiers] | [string | modifiers]* | [string | modifiers]*[string | modifiers]
    Place wildcards at the beginning, middle, or end of character strings or modifiers to broaden search constraints.
literals
    Syntax: +string
    Precede a string with "+" to search for it literally. Equivalent to searching for "string".
quotes
    Syntax: "string"
    Matches the exact character string between the quotation marks.
logical expression
    Syntax: terms [AND] terms | terms OR terms | terms NOT terms | ( logical expression (logical expression) )
    Logical expressions consist of AND (implicit between terms separated by white space), OR, NOT, and parentheses (to nest expressions). Logical expressions are evaluated with the following precedence: 1. ( ), 2. OR, 3. AND, NOT.

commands


modifiers


modifiers
    Syntax: search modifiers | time modifiers
    Types of modifiers to constrain your search with.
search modifiers
    Constrain your search based on event types, host, or other core fields. See the search modifier reference in the online User Manual for details.
time modifiers
    Constrain your search based on time constraints of various types. See the search modifier reference in the online User Manual for details.

comparison expression


comparison expression
    Syntax: (literal value | field) comp operator (literal value | field)
    Valid comparison expression syntax.
literal value
    Syntax: number
    Number value to compare.
field
    Syntax: field name
    Field to take values from to compare.
comp operator
    Syntax: = | != | < | <= | > | >=
    Valid comparison operators used to evaluate logical expressions of fields.

Examples

Splunk Web:


This example searches for the term "Password accepted" and filters to show results where the user is "mary".


"Password accepted" mary*

CLI:


This example shows the top results of a search for the term "404" on "monkeyBox."


./splunk search '404 host="monkeyBox" | top uri'

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.

