User Manual



Unsupported search commands


The commands on this page are currently unsupported. Unsupported commands are either experimental or unfinished, and they are not guaranteed to work. When a supported alternative to an unsupported command exists, it is named in that command's listing.


If a command is marked as Internal, do not use it unless explicitly instructed to do so by Splunk staff.


createrss

createrss: Internal. Create RSS feeds for your saved searches. Use createrss to map an RSS feed to a saved search on your local Splunk instance. The RSS feed is updated whenever the saved search linked to it triggers an alert. The feed is served from the Splunk instance at http://yourSplunkURL/rss/path, so before linking it to a saved search whose results are sensitive, check who can reach that URL.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

createrss path name link descr count [graceful]


Arguments

path=string       The path of the RSS feed. The feed is served at http://yourSplunkURL/rss/path.
name=string       A name for the RSS feed.
link=string       A link to point the RSS feed to.
descr=string      Text for the RSS feed's description field.
count=integer     The maximum number of items to keep in the feed; older items are dropped beyond this count.
graceful=(0 | 1)  Set graceful to 0 to have createrss raise an exception when an error occurs, or to 1 to log the error and continue.

dispatch

dispatch: Internal. Use dispatch to execute long-running searches and streaming reports in the CLI.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

dispatch [ttl] [maxresults] [maxtime] [id] server-list search-pipeline


Arguments

ttl=integer(seconds)      Number of seconds the results of the dispatched search pipeline are kept on disk.
maxresults=integer        Maximum number of results to return from the search pipeline.
maxtime=integer(seconds)  Maximum time to spend on the search before it is stopped.
id=string                 Directory to place results in, relative to $SPLUNK_HOME/var/run/splunk/dispatch.
server-list               Space-separated list of server names to run the search on.
search-pipeline           The search to dispatch, enclosed in square brackets.

Examples

CLI:


Search all events and return the top sources. Place the results in the directory $SPLUNK_HOME/var/run/splunk/dispatch/foo.


dispatch id=foo [search '* | top source'] 

Search all events on server1 and server2 and return the top hosts.


dispatch server1 server2 [search '* | top host']

folderize

folderize: Internal. Use folderize to group search results into hierarchical buckets by replacing a field value (attr) with a field value broken up by a separator (//sep) you specify. For example, use folderize to group sources from the Splunk homepage to list the directories and categories of the sources.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

folderize attr [folderize-option]...


Arguments

attr=string  The field to folderize (group).

folderize-option


folderize-option = sep | size | minfolders | maxfolders   Options for folderize.
sep=string (default: ::)            String used to tokenize the field values (attr).
size=string (default: totalCount)   Field to use as the size of each folder.
minfolders=integer (default: 2)     Minimum number of folders (groups) to create.
maxfolders=integer (default: 20)    Maximum number of folders (groups) to create.

Examples

Splunk Web:


Search syslog events, group the sources into at most 20 folders split on "/", and list the folders sorted by totalCount, descending.


eventtype="syslog" | folderize attr=source maxfolders=20 sep="/" | sort totalCount d
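To make the grouping concrete, here is an added example (not Splunk's folderize, and not from this page) that splits a path-like field on sep and sums a size field per folder, on constructed rows of the kind `... | stats count as totalCount by source` would produce. The depth rule it uses (split one level deeper while there are fewer than minfolders groups, then keep the maxfolders largest) is an assumption chosen to fit the option names, not documented behaviour.

```python
"""Added example, not Splunk's folderize: group path-like field values
into folders and sum a size field per folder.

rows are dicts with the attr field (source here) and a size field
(totalCount, the page's default). The depth rule below (split one level
deeper while fewer than minfolders groups exist, then keep the maxfolders
largest) is an assumption chosen to fit the option names, not documented
behaviour of the internal command.
"""
from collections import defaultdict


def _tokens(value, sep):
    # "/var/log/messages" with sep "/" -> ["var", "log", "messages"]
    return [t for t in value.split(sep) if t]


def _folder_key(value, sep, depth):
    toks = _tokens(value, sep)
    lead = sep if value.startswith(sep) else ""
    key = lead + sep.join(toks[:depth])
    return key + sep if len(toks) > depth else key   # trailing sep marks a folder


def folderize(rows, attr="source", sep="::", size="totalCount",
              minfolders=2, maxfolders=20):
    """Return folder rows ({attr: folder, size: summed size}), largest first."""
    if not rows:
        return []
    max_depth = max(len(_tokens(r[attr], sep)) for r in rows)
    depth = 1
    while True:
        groups = defaultdict(int)
        for r in rows:
            groups[_folder_key(r[attr], sep, depth)] += int(r.get(size, 0))
        if len(groups) >= minfolders or depth >= max_depth:
            break
        depth += 1
    ranked = sorted(groups.items(), key=lambda kv: (-kv[1], kv[0]))
    # Anything past maxfolders is dropped, so the sizes no longer sum to the
    # input total; raise the cap when a complete picture matters.
    return [{attr: k, size: v} for k, v in ranked[:maxfolders]]


SAMPLE = [  # constructed input, not real data
    {"source": "/var/log/messages", "totalCount": 10},
    {"source": "/var/log/secure", "totalCount": 5},
    {"source": "/var/log/httpd/access_log", "totalCount": 20},
    {"source": "/etc/hosts", "totalCount": 1},
]

if __name__ == "__main__":
    for row in folderize(SAMPLE, attr="source", sep="/"):
        print(row)
```

With the defaults the sample collapses to two folders, /var/ and /etc/; raising minfolders to 3 forces a deeper split, and maxfolders then silently truncates the tail, which is worth remembering when the folder sizes are used for capacity or licensing arithmetic.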

gentimes

gentimes: Internal. Generate time range results to use in the map command.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

gentimes start=timestamp [end=timestamp] [increment=increment]


Arguments

start=timestamp                    Start of the time range.
end=timestamp                      End of the time range.
increment=integer(s | m | h | d)   Spacing between generated ranges: s=seconds, m=minutes, h=hours, d=days.

Examples

Splunk Web:


This example searches for "foo" and generates results within the specified time range.


foo | gentimes start=10/25/07 end=10/26/07
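As an added example (not Splunk code), the following models the rows gentimes produces for a start/end pair in the M/D/YY form used above and an increment such as 6h. The starttime/endtime field names, the UTC interpretation of the dates, and the clipping of the last slot at end are assumptions, not documented behaviour.

```python
"""Added example, not Splunk code: model the rows gentimes produces.

start/end use the M/D/YY form shown on this page; increment is an integer
with an s/m/h/d unit (a bare integer is taken as seconds). Each emitted row
carries starttime/endtime as epoch seconds (UTC) for one increment-sized
slot, with the last slot clipped at end. Field names, the UTC choice and
the clipping rule are assumptions, not documented behaviour.
"""
from datetime import datetime, timedelta
import re

_EPOCH = datetime(1970, 1, 1)
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_timestamp(value):
    """Accept 10/25/07 or 10/25/2007; the value is taken as midnight UTC."""
    for fmt in ("%m/%d/%y", "%m/%d/%Y"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {value!r}; expected M/D/YY")


def parse_increment(value):
    """'6h' -> timedelta(hours=6); '90' -> timedelta(seconds=90)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", str(value))
    if not m or int(m.group(1)) == 0:
        raise ValueError(f"bad increment {value!r}; expected e.g. 1d, 6h, 30m, 15s")
    return timedelta(**{_UNITS[m.group(2) or "s"]: int(m.group(1))})


def gentimes(start, end, increment="1d"):
    """Return one dict per slot between start (inclusive) and end (exclusive)."""
    t, stop, step = parse_timestamp(start), parse_timestamp(end), parse_increment(increment)
    if stop <= t:
        raise ValueError("end must be later than start")
    rows = []
    while t < stop:
        nxt = min(t + step, stop)          # clip the final slot at end
        rows.append({
            "starttime": int((t - _EPOCH).total_seconds()),
            "endtime": int((nxt - _EPOCH).total_seconds()),
        })
        t = nxt
    return rows


if __name__ == "__main__":
    for row in gentimes("10/25/07", "10/26/07", "6h"):
        print(row)
```

The rows are what a following map would substitute into $start$ and $end$; an increment that does not divide the range evenly yields a short final slot rather than a slot that overruns end.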

idxprobe

idxprobe: Internal. Use idxprobe to access and process internal information using Splunk's search language. This is useful if you are having Splunk database issues and need help from Splunk support to fix them. Set the mode of idxprobe to handle either tsidx or bucket information. Optionally specify what buckets to look for information in.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

idxprobe [reload] mode [bucket]


Arguments

reload                 Refresh the information instead of using the cached copy. Without reload, bucket information is served from the cache.
mode=(bucket | tsidx)  Whether to report bucket or tsidx information.
bucket=string          Optional list of buckets to generate information for (wildcards allowed). With no buckets given, idxprobe generates information for all buckets.

Examples

load

load: Internal. Load a csv file into Splunk. By default, the data in the loaded csv file replaces the search results of the current search. Use the preserve option to keep the results of the current search along with the data you load in using load.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Note: You can only use load to load csv formatted files.


Syntax

load filename [preserve]


Arguments

filename=string                 Path of the csv file to load into Splunk.
preserve=(T | F) (default: F)   Set to T to keep the results of the current search alongside the data loaded with load.

Examples

Splunk Web:


This example combines the search "mynewsearch" over the past minute with the data loaded from the file "foo", then writes the combined results to the file "foo2" with save.


mynewsearch minutesago=1 | load foo preserve=true | save foo2

map

map: Internal. Use map to take your search results and map field values to a specified $variable$ in a subsearch or saved search.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

map (search | savedsearch)


Arguments

search="search string"   Search string to run for each result, with its $variable$ references substituted.
savedsearch=name         Name of the saved search to run for each result.

Examples

Splunk Web:


This example maps field values to the mytimebased_savedsearch.


eutimes | map mytimebased_savedsearch | search mytimebased_savedsearch=foo starttimeeu::$start$ endtimeeu::$end$

outputatom

outputatom: Internal. Use outputatom to convert search results to an Atom feed.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

outputatom


Arguments

None.


Examples

CLI:


This example searches for the word secrets from the source tcpdump, and outputs the data into an Atom feed.


./splunk search 'secrets source="tcpdump" | outputatom'

outputcsv

outputcsv: Internal. This data-processing command is used to output search results in CSV format. This command is useful for formatting result output while using the CLI. If no target filename is specified as an argument, outputcsv rewrites the contents of each search result into a CSV-formatted row in the field "_xml". If a filename is specified, outputcsv writes the CSV-formatted results into the specified file (and appends .csv to the filename if there is no existing extension). If the output spans multiple files, outputcsv can collapse the output to a single file. outputcsv should be the last command specified in a search.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

outputcsv [usexml_option] [filename] [singlefile_option]


Arguments

usexml=(T | F)      Whether to encode the csv output into xml. Applies only when no filename is given.
filename=string     Name of the file to write CSV-formatted results to. A ".csv" extension is added if the name has no extension. The file is written under $SPLUNK_HOME/var/run/splunk/.
singlefile=(T | F)  If true, output that would span multiple files is collapsed into a single file.

Examples

CLI:


This example searches for the word secrets from the source tcpdump, and outputs the data in csv format to the file myfile.csv.


./splunk search 'secrets source="tcpdump" | outputcsv myfile.csv'

outputraw

outputraw: Internal. This data-processing command causes search results to be output in a simple, raw text format. outputraw should be the last command specified in a search.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

outputraw


Arguments

None.


Examples

CLI:


This example searches for the word secrets from the source tcpdump, and outputs the data in raw text format.


./splunk search 'secrets source="tcpdump" | outputraw'



outputtext

outputtext: Internal. This data-processing command writes the contents of each result's _raw field into the "_xml" field. Optionally, you can have outputtext apply XML escaping to that data. outputtext should be the last command specified in a search.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

outputtext [usexml]


Arguments

usexml=(T | F) (default: T)   If true, the _raw data is handled with XML escaping when it is written to _xml.

Examples

CLI:


This example searches for "404" in the source webserver, sorts the results by ip and then url, keeps the top 5 hosts, and writes those results in raw text format.


./splunk search '404 source="webserver" | sort +ip, url | top limit=5 host | outputtext'

outputxml

outputxml: Internal. This data-processing command causes search results to be written to a proprietary and internal XML format. outputxml should be the last command specified in a search.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

outputxml [string]


Arguments

string   Name of the xml file to create and write results to.

Examples

CLI:


This example searches for "404" in the source webserver, sorts the results by ip and then url, keeps the top 5 hosts, and writes those results in xml format to 404s.xml.


./splunk search '404 source="webserver" | sort +ip, url | top limit=5 host | outputxml 404s.xml'

page

page: Internal. This data-processing command displays a particular subset of search results. It processes search results by calling a specified subsearch string argument until the maximum number of iterations are made, or the maximum number of results are retrieved. It is typically only used in API search requests.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

page page-range maxresults [subsearch-string]


Arguments

page-range=integer-integer   Lower and upper boundaries (lower-upper) of the pages to iterate over.
maxresults=integer           Maximum number of iterations to perform.
subsearch-string             Subsearch string to call on each iteration.

Examples

Splunk Web:


This example returns pages 1 through 10 of the subsearch, with maxresults set to 500.


page 1-10 500 [search *] | outputxml format=raw

save

save: Internal. Save search results to a file that you specify, or to the xml attributes of a single event (if you don't specify a file). Use the soapsafe option to make saved events transportable using the SOAP API.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

save [filename | soapsafe]


Arguments

filename=string                 Name of the file to save results to.
soapsafe=(T | F) (default: F)   Set to T to make the saved events transportable using the SOAP API.

Examples

Splunk Web:


This example saves a report of the daily indexing volume by server to the file "dailyvolumereport".


index=_internal todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log NOT source=*web_access.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host | save dailyvolumereport

sendemail

sendemail: Internal. This data-processing command emails your search results to the addresses you specify. You can name several recipients, choose the format the results are sent in (html, raw, text, csv), and send the results either in the body of the email or as an attachment. Email lists must be quoted.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

sendemail to="email_list" [email-options]...


Arguments

to="email_address,...,email_address"   Comma-separated list of recipient addresses (email_address = name@whatever.com).

email-options


email-options = from | cc | bcc | format | inline | priority | server   Additional email options.
from="email_list" (default: splunk@hostname)        Address for the From line.
cc="email_list"                                     Comma-separated list of valid addresses for the carbon copy (cc) field.
bcc="email_list"                                    Comma-separated list of valid addresses for the blind carbon copy (bcc) field.
format=(html | raw | text | csv) (default: html)    Format the results are sent in.
inline=(T | F) (default: T)                         T sends the results in the body of the email; F sends them as an attachment.
priority=(1 | 2 | 3 | 4 | 5) (default: 3)           Email priority: 1 = highest, 2 = high, 3 = normal, 4 = low, 5 = lowest.
server=name of server (default: localhost)          The smtp server to send through.

Examples

Splunk Web:


This example searches for "fail" in all sourcetypes that start with "access", renames the _raw field to marklar, counts the distinct values of marklar per _time, and sends the results to cartman@sp.com through the mail server mail.sp.com as an html-formatted email with the subject "failboat".


fail sourcetype="access*" | rename _raw as marklar | stats dc(marklar) by _time | sendemail to="cartman@sp.com" format=html subject=failboat server=mail.sp.com
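Because the results leave the Splunk host in mail, two details of how they are packaged matter: HTML-formatted results must be escaped (the field values come straight out of the logs), and the hop to the server named by server= is plain SMTP unless the relay offers STARTTLS. The following added example (not Splunk's sendemail, and not from this page) builds such a message with the page's options on constructed rows and hands it to a relay; the X-Priority header mapping, the results.<ext> attachment names and the port-25 send path are assumptions.

```python
"""Added example, not Splunk's sendemail: package search results as an
e-mail the way the page's options describe (to/from/cc/bcc, format,
inline, priority) and hand it to an SMTP relay.

Assumptions not taken from the page: priority is sent as the X-Priority
header, attachments are named results.<ext>, and delivery is plain SMTP
on port 25.
"""
import csv
import html
import io
import smtplib
from email.message import EmailMessage


def _as_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]) if rows else [])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def _as_text(rows):
    return "".join("\t".join(str(v) for v in r.values()) + "\n" for r in rows)


def _as_html(rows):
    # Field values came out of the logs, i.e. from whoever wrote the log
    # line. Escape them, or a crafted event becomes markup in the reader's
    # mail client.
    cols = list(rows[0]) if rows else []
    head = "".join(f"<th>{html.escape(c)}</th>" for c in cols)
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(str(r.get(c, '')))}</td>" for c in cols) + "</tr>"
        for r in rows
    )
    return f"<table><tr>{head}</tr>{body}</table>\n"


_FORMATS = {  # format= value -> (renderer, MIME subtype, attachment extension)
    "html": (_as_html, "html", "html"),
    "csv": (_as_csv, "csv", "csv"),
    "text": (_as_text, "plain", "txt"),
    "raw": (_as_text, "plain", "txt"),
}


def build_results_email(rows, to, from_="splunk@localhost", cc=(), bcc=(),
                        fmt="html", inline=True, priority=3, subject="Splunk search results"):
    """Return an EmailMessage carrying rows in the body (inline) or as a file."""
    if fmt not in _FORMATS:
        raise ValueError(f"format must be one of {sorted(_FORMATS)}")
    if priority not in range(1, 6):
        raise ValueError("priority must be 1 (highest) .. 5 (lowest)")
    render, subtype, ext = _FORMATS[fmt]
    msg = EmailMessage()
    msg["From"] = from_
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)   # smtplib.send_message strips Bcc before transmitting
    msg["Subject"] = subject
    msg["X-Priority"] = str(priority)
    content = render(rows)
    if inline:
        msg.set_content(content, subtype=subtype)
    else:
        msg.set_content(f"{len(rows)} result(s) attached as results.{ext}.\n")
        msg.add_attachment(content, subtype=subtype, filename=f"results.{ext}")
    return msg


def send(msg, server="localhost", port=25):
    """Deliver via the relay named by server=. The hop is cleartext unless the
    relay supports STARTTLS, so results are readable on the path; keep the
    relay local or call smtp.starttls() before send_message."""
    with smtplib.SMTP(server, port, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    sample = [{"_time": "2007-10-25 00:00:00", "dc(marklar)": 3}]  # constructed rows
    print(build_results_email(sample, to=["cartman@sp.com"], subject="failboat").as_string())
```

A row whose field holds `<script>` ends up as `&lt;script&gt;` in the html body, and a csv attachment keeps the field names as its header row, which is what a recipient's spreadsheet will import.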

translate

translate: Internal. Translate terms of an event into another language (french, german, or spanish). translate replaces terms in _raw with translated terms that you can configure in $SPLUNK_HOME/etc/searchscript/translate.conf.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

translate language


Arguments

language=(french | german | spanish)   Language to translate terms into.

Examples

Splunk Web:


This example searches for events in the directory "/var/log/messages", and translates terms in the results to french.


source="/var/log/messages" | translate french

This documentation applies to the following versions of Splunk: 3.2.3, 3.2.4, 3.2.5, 3.2.6.

