Splunk Command Line Interface (CLI)
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Splunk Command Line Interface (CLI)
The Splunk Command Line Interface is commonly referred to as the "CLI". The table below lists the commands that you can use while in the CLI.
Use Splunk's CLI help command to get up-to-date descriptions of CLI commands and parameters. Access CLI help by typing ./splunk help while Splunk is running.
CLI commands
CLI commands perform their operations on objects (such as userdata, globaldata, a server, a path to a file, etc).
Syntax
Splunk CLI commands have the syntax:
./splunk command object [- parameter value]...
Here is a list of commands you can use in the CLI:
| ~ Command | ~ Operation | ~ Example | |
| add | Add data inputs, user accounts, or saved searches | ./splunk add tail var/log | |
| anonymize | Anonymize data samples. | ./splunk anonymize file -source '/home/myname/logs/*.log'
| |
| clean | Erase (clean) different types of user-generated data off of the server. | ./splunk clean globaldata
| |
| dispatch | Run a long-running search or report. | stats count" -maxtime 3 | |
| display | Display bundles, or distributed features. | ./splunk display local-index
| |
| disable | Disable bundles and distributed search features. | ./splunk disable listen
| |
| edit | Edit data inputs, user accounts, saved searches, and bundles. | ./splunk edit saved-search apache_errors -terms "404 OR 403" | |
| enable | Enable bundles and distributed search features. | ./splunk enable listen 9997
| |
| export | Export data from the server to a specified directory. | ./splunk export globaldata -auth gwb:d3cidr
| |
| find | Find logs for Splunk to index. | ./splunk find logs "../etc;../var"
| |
| help | Display the default help page for CLI help. | ./splunk help
| |
| import | Import data from a specified directory to the server. | ./splunk import userdata -dir /tmp/export.dat -subset eventtypetags,hosttags
| |
| install | Install bundles to the Splunk server. | ./splunk install bundle /root/downloads/apache.bundle
| |
| list | List status of various server configuration attributes. | ./splunk list tail
| |
| login, logout | Authenticate a session to a Splunk server with an Enterprise license (login). Or, end an authenticated session (logout). | ||
| recover | Recover files in the event of a crash. | ./splunk recover
| |
| refresh | Update a deployment server with current deployment client server information. | ./splunk refresh deploy-client
| |
| reload | Reload deployment clients with current deployment server data. | ./splunk reload deploy-server -class wwwclass
| |
| remove | Remove data inputs, user accounts, saved searches, and bundles. | ./splunk remove bundle myBundle
| |
| resurrect | Make data available that has previously been archived. | ./splunk resurrect /tmp/myarchive test 01/01/2000:00:00:00 01/01/2001:00:00:00
| |
| search | Execute a search. See the search reference in the user guide for details on how to execute a search. | top source" | |
| set | Set current properties of various server attributes. | ./splunk set deploy-poll 10.1.1.5:8089
| |
| show | Show server attributes. | ./splunk show license
| |
| spool | Read a file or directory only one time. Or to read archived files. | ./splunk spool /tmp/logs.tgz
| |
| start,stop,restart | Start, stop, or restart your Splunk server. | ./splunk start
| |
| status | Show the status of Splunk's processes. | ./splunk status splunkd
| |
| test,train | Improve Splunk's handling of dates, source types, and fields. | ./splunk train dates onoes.txt
| |
| unresurrect | Delete directories that have been resurrected. | ./splunk unresurrect foobar 07/01/2004:00:00:00 08/01/2004:00:00:00
| |
| upgrade | Upgrade bundles. | ./splunk upgrade bundle leprechaun.bundle
| |
| validate | Check the correctness of a Splunk index. | ./splunk validate index main
| |
| version | Display Splunk's version and build number. | ./splunk version
|
auth and uri parameters
Use the auth and uri parameters with any CLI command.
auth
Use auth with commands that require authentication to execute. auth is useful if you need to run a command
that requires different permissions to execute than the currently logged in user has.
Note: auth must be the last parameter specified in a CLI command argument.
Syntax:
./splunk command object [-parameter value]... -auth username:password
uri
Use uri to send commands to another Splunk server.
Syntax:
./splunk command object [-parameter value]... -uri specified-server (= [http|https]://name_of_server:port)
Note for Mac users
Mac OS X requires you to have superuser level access to run any command that accesses system files or directories. Run CLI commands using sudo or "su -" for a new shell as root. The recommended method is to use sudo. (By default the user "root" is not enabled but any administrator user can use sudo.)
Enable Splunk to start on system start-up
Enable Splunk to start at system start-up by executing the command: ./splunk enable boot-start.
Splunk automatically creates a script and configuration file in the directory: /System/Library/StartupItems. This script is run at system start, and automatically stops Splunk at system shutdown.
Note: If you are using a Mac OS, you must have root level permissions (or use sudo).
Note: You need administrator access to use sudo..
Example:
Enable Splunk to start at system start up on Mac OS.
- Use the CLI to run:
./splunk enable boot-start
- Use the CLI with sudo:
sudo ./splunk enable boot-start
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.