Search commands
This documentation does not apply to the most recent version of Splunk.
For the most part, search commands fall into categories based on what they do, such as: filter unwanted information, extract more information, evaluate your data, transform your data into statistical results, and reorder your results. The specific commands themselves may fit more than one category depending on the arguments you use.
Generally:
- Data-generating commands get data out of a Splunk index.
- Filtering and re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.
- Transforming and reporting commands allow you to summarize large result sets, and create useful reports and statistics.
- Evaluating commands evaluate each result, and change the fields or values of fields within each result.
- Extracting commands add fields to results based on raw event data.
- Administrative commands allow you to perform administrative functions.
Note: Some commands can process fields with multiple values; for more information read About fields in the User Manual.
For quick reference, the table below lists all supported Splunk search commands with a short description. Each command name links to its reference page.
If you want to start searching right away, refer to the Splunk search cheatsheet.
Search command index
| Command | Alias(es) | Description | Related commands |
|---|---|---|---|
| abstract | excerpt | Produces a summary of each search result. | highlight |
| addinfo | | Adds fields that contain common information about the current search. | |
| addtotals | | Computes the sum of all numeric fields for each result. | stats |
| admin | | Returns the values of a specified configuration file. | |
| anomalousvalue | | Finds and summarizes irregular, or uncommon, search results. | anomalies, cluster, kmeans, outlier |
| associate | | Searches for relationships between pairs of fields. | correlate, contingency |
| audit | | Views audit trail information that is stored in the local audit index. | |
| bucket | bin, discretize | Puts continuous numerical values into discrete buckets. | chart, timechart |
| chart | | Returns results in a tabular output for charting. | bucket, timechart |
| cluster | sic | Clusters similar events together. | anomalies, anomalousvalue, cluster, kmeans, outlier |
| collect | stash | Puts search results into a summary index. | overlap |
| contingency | counttable, ctable | Builds a contingency table for two fields. | associate, correlate |
| convert | | Converts field values into numerical values. | |
| correlate | | Calculates the correlation between different fields. | associate, contingency |
| crawl | | Crawls the filesystem for new sources to index. | |
| dedup | | Removes subsequent results that match specified criteria. | |
| diff | | Returns the difference between two search results. | |
| eval | | Calculates an expression and puts the value into a field. | where |
| eventstats | | Adds summary statistics to all search results. | stats |
| extract | kv | Extracts field-value pairs from search results. | kvform, multikv, xmlkv, rex |
| fields | | Removes fields from search results. | |
| file | test | Processes the given file as if it were indexed. | |
| fillnull | | Replaces null values with a specified value. | |
| format | | Takes the results of a subsearch and formats them into a single result. | |
| head | | Returns the first n results. | reverse, tail |
| highlight | | Causes Splunk Web to highlight specified terms. | |
| iplocation | | Extracts location information from IP addresses. | |
| join | | SQL-like joining of results from the main results pipeline with the results from the subpipeline. | |
| kmeans | | Performs k-means clustering on selected fields. | anomalies, anomalousvalue, cluster, outlier |
| localize | | Returns a list of the time ranges in which the search results were found. | map, transaction |
| makemv | | Changes a specified field into a multi-valued field during a search. | mvcombine, mvexpand, nomv |
| metadata | | Returns a list of host, source, or source type values. | |
| multikv | | Extracts field-values from table-formatted events. | |
| mvcombine | | Combines events in search results that have a single differing field value into one result with a multi-value field of the differing field. | mvexpand, makemv, nomv |
| mvexpand | | Expands the values of a multi-value field into separate events for each value of the multi-value field. | mvcombine, makemv, nomv |
| nomv | | Changes a specified multi-valued field into a single-value field at search time. | makemv, mvcombine, mvexpand |
| outlier | outlierfilter | Removes outlying numerical values. | anomalies, anomalousvalue, cluster, kmeans |
| overlap | | Finds events in a summary index that overlap in time or have missed events. | collect |
| rare | | Displays the least common values of a field. | top, stats |
| regex | | Removes results that match the specified regular expression. | rex, search |
| rename | | Renames a specified field; wildcards can be used to specify multiple fields. | |
| replace | | Replaces values of specified fields with a specified new value. | |
| reverse | | Reverses the order of the results. | head, sort, tail |
| rex | | Specifies a Perl regular expression with named groups to extract fields while you search. | extract, kvform, multikv, xmlkv, regex |
| run | | Runs an external Perl or Python script as part of your search. | |
| savedsearch | macro, savedsplunk | Returns the search results of a saved search. | |
| search | | Searches Splunk indexes for matching events. | |
| set | | Performs set operations on subsearches. | |
| sort | | Sorts search results by the specified fields. | reverse |
| stats | | Provides statistics, grouped optionally by fields. | eventstats, top, rare |
| strcat | | Concatenates string values. | |
| tail | | Returns the last n results. | head, reverse |
| timechart | | Creates a time series chart and corresponding table of statistics. | chart, bucket |
| top | common | Displays the most common values of a field. | rare, stats |
| transaction | transam | Groups search results into transactions. | |
| typelearner | | Generates suggested eventtypes. | typer |
| where | | Performs arbitrary filtering on your data. | eval |
| xmlkv | | Extracts XML key-value pairs. | extract, kvform, multikv, rex |
| xmlunescape | | Unescapes XML. | |
Search command reference syntax
See the search pipeline syntax page for a description of the search command pipeline in modified BNF (Backus-Naur Form).
Command syntax and conventions
Each command in this search reference is formatted:
command argument ... [argument] ...
- Commands are in bold.
- Any bolded (and not italicized) character in the command syntax is required for the expression.
- Required arguments are italicized (and can be bold). Optional arguments are in [brackets].
- Ellipses, ..., indicate that many arguments can be inserted.
Arguments are defined in a table, such as:
| argument | syntax and value (default value) | description and usage |
- Default values are shown in parentheses ( ).
- Arguments that have a table of options associated with them are italicized and in bold (argument).
- The pipe character, |, is used as a logical OR; for example, T | F means "True OR False".
Examples conventions
Command examples that are applicable to Splunk Web are shown in a mock-up of a search bar:
    foo | top fooField
Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font:
    ./splunk search "foo | top fooField"
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14