Unsupported search commands
The commands on this page are currently unsupported. Unsupported commands are either experimental or unfinished, and they are not guaranteed to work. When a supported alternative to an unsupported command is available, it is provided in the command's listing.
If a command is marked as Internal, do not use it unless explicitly instructed to do so by Splunk staff.
createrss
createrss: Internal. Create RSS feeds for your saved searches. Use createrss to map an RSS feed to a saved search that's on your local Splunk instance. The RSS feed is updated whenever the saved search that's linked to it triggers an alert.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
createrss path name link descr count [graceful]
Arguments
| path | path=string | Specify the path of the RSS feed. Access your Splunk paths via http://yourSplunkURL/rss/path. |
| name | name=string | Specify a name for the RSS feed. |
| link | link=string | Specify a link to point the RSS feed to. |
| descr | descr=string | Set a description for the RSS feed's description field. |
| count | count=integer | Set the maximum number of items to display in the feed before dropping items. |
| graceful | graceful=(0 | 1) | Set graceful to 0 to have createrss raise an exception when an error occurs. Set graceful to 1 to not raise an exception and just log the error. |
dispatch
The dispatch command is used to execute long-running searches and streaming reports. Using this command in Splunk Web is not supported. However, this command is supported as a command line tool. Using the dispatch command line tool is discussed in further detail in the topic, Search in the CLI.
Syntax
dispatch [ttl] [maxresults] [maxtime] [id] server-list search-pipeline
Arguments
| ttl | ttl=integer(seconds) | Specify the number of seconds the results of the current dispatched search pipeline will live on disk. |
| maxresults | maxresults=integer | Set the maximum number of results to return from the search pipeline. |
| maxtime | maxtime=integer(seconds) | Specify the maximum amount of time to spend on the search before stopping it. |
| id | id=string | Specify the directory to place results in (relative to $SPLUNK_HOME/var/run/splunk/dispatch). |
| server-list | string (list of servers) | Specify the servers to run the search on (server names). |
| search-pipeline | [string] (the search to dispatch) | Specify the search to dispatch. |
Examples
Search all events and return the top sources. Place the results in the directory $SPLUNK_HOME/var/run/splunk/dispatch/foo.
dispatch id=foo [search * | top source]
Search all events on server1 and server2 and return the top hosts.
dispatch server1 server2 [search * | top host]
From the GUI, you may need to specify a "|". For example:
|dispatch * | top source
folderize
folderize: Internal. Use folderize to group search results into hierarchical buckets by replacing a field value (attr) with a truncated version of that value, split on a separator (sep) you specify. For example, use folderize to group sources from the Splunk homepage to list the directories and categories of the sources.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
folderize attr [folderize-option]...
Arguments
| attr | attr=string | Specify the field to folderize (group). |
folderize-option
| folderize-option= | sep | size | minfolders | maxfolders | Options for folderize. |
| sep | sep=string (default=::) | Specify a string of characters to use to tokenize the field values (attr). |
| size | size=string(default= totalCount) | Specify the field to use as the size. |
| minfolders | minfolders=integer(default=2) | Set the minimum number of folders (groups) to create. |
| maxfolders | maxfolders=integer(default=20) | Set the maximum number of folders (groups) to create. |
Examples
Splunk Web:
Search syslog events, group their sources into at most 20 folders split on "/", and display the folders in descending order of event count.
eventtype="syslog" | folderize attr=source maxfolders=20 sep="/" | sort totalCount d
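The grouping that folderize describes can be reproduced outside Splunk. The following Python is an added example, not Splunk's implementation: it tokenizes each attr value on sep, picks the deepest prefix depth that yields between minfolders and maxfolders groups (my reading of those two options; the page does not state the selection rule), and sums the size field per folder. The SAMPLE_RESULTS rows are constructed for the example.

```python
from collections import Counter

# Constructed sample standing in for pre-aggregated results such as those
# produced by "| stats count as totalCount by source" (not from the page).
SAMPLE_RESULTS = [
    {"source": "/var/log/messages", "totalCount": 3},
    {"source": "/var/log/secure", "totalCount": 2},
    {"source": "/var/log/httpd/access_log", "totalCount": 4},
    {"source": "/var/log/httpd/error_log", "totalCount": 1},
    {"source": "/opt/app/app.log", "totalCount": 2},
]


def _tokens(value, sep):
    return [t for t in value.split(sep) if t]


def _folder_name(value, sep, depth):
    """Truncate a separated value to `depth` tokens. A trailing separator marks
    a folder that still holds deeper entries, so "/var/log/httpd/" is a group
    while "/var/log/secure" is a leaf."""
    lead = sep if value.startswith(sep) else ""
    tokens = _tokens(value, sep)
    name = lead + sep.join(tokens[:depth])
    return name + sep if len(tokens) > depth else name


def _group(results, attr, sep, size, depth):
    counts = Counter()
    for r in results:
        # Weight by the size field when present; raw events count once each.
        counts[_folder_name(str(r[attr]), sep, depth)] += r.get(size, 1)
    return counts


def folderize(results, attr, sep="::", size="totalCount", minfolders=2, maxfolders=20):
    """Group `attr` values at the deepest prefix level that yields between
    minfolders and maxfolders groups (assumed selection rule, see lead-in).
    Returns rows {attr: folder, size: weight}, largest folders first."""
    if not results:
        return []
    max_depth = max(len(_tokens(str(r[attr]), sep)) for r in results)
    chosen = _group(results, attr, sep, size, 1)  # fallback when nothing fits
    for depth in range(1, max_depth + 1):
        groups = _group(results, attr, sep, size, depth)
        if len(groups) > maxfolders:
            break  # deeper levels can only add folders
        if len(groups) >= minfolders:
            chosen = groups
    rows = [{attr: name, size: n} for name, n in chosen.items()]
    rows.sort(key=lambda r: (-r[size], r[attr]))
    return rows


if __name__ == "__main__":
    # Mirrors "| folderize attr=source maxfolders=4 sep=\"/\" | sort totalCount d"
    for row in folderize(SAMPLE_RESULTS, "source", sep="/", maxfolders=4):
        print(f'{row["totalCount"]:>4}  {row["source"]}')
```

With maxfolders=4 the five sources collapse to four folders, "/var/log/httpd/" absorbing both httpd logs; lowering maxfolders to 3 forces the shallower "/var/log/" and "/opt/app/" grouping, and the default of 20 leaves every source as its own leaf.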
gentimes
gentimes: Internal. Generate time range results to use in the map command.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
gentimes start=timestamp [end=timestamp] [increment=increment]
Arguments
| timestamp= | string | A timestamp, used for the start and end arguments. |
| increment= | integer (s | m | h | d) | Specifies the increment spacing for the time range. s=seconds, m=minutes, h=hours, d=days. |
Examples
Splunk Web:
This example searches for "foo" and generates results within the specified time range.
foo | gentimes start=10/25/07 end=10/26/07
idxprobe
idxprobe: Internal. Use idxprobe to access and process internal information using Splunk's search language. This is useful if you are having Splunk database issues and need help from Splunk support to fix them. Set the mode of idxprobe to handle either tsidx or bucket information. Optionally specify what buckets to look for information in.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
idxprobe [reload] mode [bucket]
Arguments
| reload | reload | Use the "reload" argument to re-read bucket information before probing. Without it, cached bucket information is used. |
| mode | (bucket | tsidx) | Specify whether to look at tsidx or bucket information (mode). |
| bucket | string | Optionally specify a list of buckets to generate information for (you can use wildcards). If you specify no buckets, then idxprobe generates information for all buckets. |
inputcsv
inputcsv: Internal.
Import events directly into Splunk from a CSV file at search time. Use the start argument to specify the 0-based offset of the first row to read from the CSV file, and the max argument to specify the maximum number of events to read. Use inputcsv to process data that is not in an index and that you do not want to add to one.
Note: inputcsv doesn't append data to search results. It generates new data for you to process.
Syntax
inputcsv [start] [max] filename
Arguments
| start= | start=integer (default=0) | Specify the offset row to start reading events into Splunk from (starting from 0). |
| max= | max=integer (default = 1000000000) | Specify the maximum number of events to read from the CSV file. |
| filename= | filename (string) | Specify the name of the CSV file to read. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk. If the file doesn't have an extension, Splunk assumes it has a .csv extension. |
Examples
Input oldwebdata.csv into Splunk and produce a report showing the count of client_ip per domain.
| inputcsv oldwebdata.csv | stats count(client_ip) by domain
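inputcsv reads a file named relative to $SPLUNK_HOME/var/run/splunk, so the filename argument is effectively a path into that directory. The following Python is an added example, not Splunk's code: it resolves the name under a base directory, appends .csv when there is no extension, refuses names that escape the directory (a hardening check the page does not mention), applies the start offset and max limit, and then counts client_ip per domain as the stats command in the example does. The run directory, the oldwebdata.csv contents and the function names are constructed for the example.

```python
import csv
import os
import tempfile

# Constructed sample CSV standing in for $SPLUNK_HOME/var/run/splunk/oldwebdata.csv
SAMPLE_CSV = """client_ip,domain,status
10.0.0.1,example.com,200
10.0.0.2,example.com,404
10.0.0.3,example.org,200
10.0.0.1,example.org,500
"""


def resolve_csv_path(base_dir, filename):
    """Resolve `filename` relative to base_dir, append .csv when it has no
    extension, and refuse any result that escapes base_dir (hypothetical
    hardening check; the page only says the path must be relative)."""
    if os.path.isabs(filename):
        raise ValueError(f"absolute path not allowed: {filename}")
    if not os.path.splitext(filename)[1]:
        filename += ".csv"
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {filename}")
    return target


def inputcsv(base_dir, filename, start=0, max_rows=1_000_000_000):
    """Read data rows [start, start+max_rows) of the CSV (0-based, header
    excluded) and return them as dicts, mirroring the start/max arguments."""
    if start < 0 or max_rows < 0:
        raise ValueError("start and max must be non-negative")
    rows = []
    with open(resolve_csv_path(base_dir, filename), newline="") as fh:
        for i, row in enumerate(csv.DictReader(fh)):
            if i < start:
                continue
            if len(rows) >= max_rows:
                break
            rows.append(row)
    return rows


def stats_count_by(rows, key, field):
    """Equivalent of "| stats count(client_ip) by domain": count rows whose
    `field` is non-empty, grouped by `key`."""
    counts = {}
    for r in rows:
        if r.get(field):
            counts[r[key]] = counts.get(r[key], 0) + 1
    return counts


def demo():
    """Write the sample file into a temporary run directory and exercise the
    extension default, the offset/limit window and the traversal check."""
    with tempfile.TemporaryDirectory() as run_dir:
        with open(os.path.join(run_dir, "oldwebdata.csv"), "w", newline="") as fh:
            fh.write(SAMPLE_CSV)
        all_rows = inputcsv(run_dir, "oldwebdata")  # .csv is appended
        window = inputcsv(run_dir, "oldwebdata.csv", start=1, max_rows=2)
        try:
            inputcsv(run_dir, "../../etc/passwd")
            escaped = False
        except ValueError:
            escaped = True
    return stats_count_by(all_rows, "domain", "client_ip"), window, escaped


if __name__ == "__main__":
    print(demo())
```

The containment check compares real paths after resolving symlinks and ".." components, which is the form of the check that actually holds up against traversal; a prefix comparison on the unresolved string does not.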
load
load: Internal. Load a csv file into Splunk. By default, the data in the loaded csv file replaces the search results of the current search. Use the preserve option to keep the results of the current search along with the data you load in using load.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Note: You can only use load to load csv formatted files.
Syntax
load filename [preserve]
Arguments
| filename | string | Specify a csv format file to load into Splunk. |
| preserve | (T | F) (default= F) | Set preserve to true (T) to keep the results of the current search along with the data loaded in using load. |
Examples
Splunk Web:
This example combines the search for "mynewsearch" over the past minute with data loaded from the file "foo" and saves the combination of data in the file "foo2".
mynewsearch minutesago=1 | load foo preserve=true | save foo2
map
map: Internal. Use map to take your search results and map field values to a specified $variable$ in a subsearch or saved search.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
map (search | savedsearch)
Arguments
| search | search="search string" | Specified search string to run map on. |
| savedsearch | name of saved search | Name of the saved search to run map on. |
Examples
Splunk Web:
This example maps field values to the mytimebased_savedsearch.
eutimes | map mytimebased_savedsearch | search mytimebased_savedsearch=foo starttimeeu::$start$ endtimeeu::$end$
outputatom
outputatom: Internal. Use outputatom to convert search results to an Atom feed.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
outputatom
Arguments
None.
Examples
CLI:
This example searches for the word secrets from the source tcpdump, and outputs the data into an Atom feed.
./splunk search 'secrets source="tcpdump" | outputatom'
outputcsv
outputcsv: Internal. This data-processing command is used to output search results in CSV format. This command is useful for formatting result output while using the CLI. If no target filename is specified as an argument, outputcsv rewrites the contents of each search result into a CSV-formatted row in the field "_xml". If a filename is specified, outputcsv writes the CSV-formatted results into the specified file (and appends .csv to the filename if there is no existing extension). If the output spans multiple files, outputcsv can collapse the output to a single file. outputcsv should be the last command specified in a search.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
outputcsv [usexml_option] [filename] [singlefile_option]
Arguments
| usexml_option= | usexml=(T | F) | Specify whether or not to encode the csv output into xml. This option works only when no filename is specified. |
| filename= | string | Name of file to output CSV-formatted results to. Will automatically add a ".csv" extension if there is no extension. The file is stored at $SPLUNK_HOME/var/run/splunk/filename. |
| singlefile_option= | singlefile=(T | F) | If set true, will take an output that spans multiple files and will collapse the files to a single output file. |
Examples
CLI:
This example searches for the word secrets from the source tcpdump, and outputs the data in csv format to the file myfile.csv.
./splunk search 'secrets source="tcpdump" | outputcsv myfile.csv'
outputraw
outputraw: Internal. This data-processing command causes search results to be output in a simple, raw text format. outputraw should be the last command specified in a search.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
outputraw
Arguments
None.
Examples
CLI:
This example searches for the word secrets from the source tcpdump, and outputs the data in raw text format.
./splunk search 'secrets source="tcpdump" | outputraw'
outputtext
outputtext: Internal. This data-processing command causes the contents of the _raw field of a result to be written into the "_xml" field. Optionally, you can set outputtext to parse XML escaping characters. outputtext should be the last command specified in a search.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
outputtext [usexml]
Arguments
| usexml= | usexml=(T | F) (default=T) | If set to T, the data written from the _raw field is parsed with XML escaping. |
Examples
CLI:
This example searches for "404" events from the source webserver, sorts the results by the fields ip and url, keeps the top 5 hosts, and writes the remaining results in raw text format.
./splunk search '404 source="webserver" | sort +ip, url | top limit=5 host | outputtext'
outputxml
outputxml: Internal. This data-processing command causes search results to be written to a proprietary and internal XML format. outputxml should be the last command specified in a search.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
outputxml [string]
Arguments
| string= | string | Name of xml file to create, to output results to. |
Examples
CLI:
This example searches for "404" events from the source webserver, sorts the results by the fields ip and url, keeps the top 5 hosts, and writes the remaining results in XML format to 404s.xml.
./splunk search '404 source="webserver" | sort +ip, url | top limit=5 host | outputxml 404s.xml'
page
page: Internal. This data-processing command displays a particular subset of search results. It processes search results by calling a specified subsearch string argument until the maximum number of iterations is reached or the maximum number of results is retrieved. It is typically used only in API search requests.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
page page-range maxresults [subsearch-string]
Arguments
| page-range= | integer-integer | (lower-upper) Specifies the lower and upper boundaries for page iterations. |
| maxresults= | integer | Specifies the maximum number of iterations to perform. |
| subsearch-string | [string] (the subsearch to call) | Specifies the subsearch string to call. |
Examples
Splunk Web:
This example returns results 1 through 10 of the search over maxresults of 500.
page 1-10 500 [search *] | outputxml format=raw
rawstats
rawstats: Internal. Use rawstats to help you filter and classify events. rawstats adds fields to your events that contain information about their _raw field (fields beginning with rawstat_ are rawstats fields). You can add rawstat_ fields to the fields menu by using the fields picker, or by using the fields command (add | fields * to show all fields, or | fields rawstat_<fieldname> to show a specific rawstat_ field). Once you add rawstat_ fields to the field menu, you can filter your search or report on them just like you can with any other field.
Note: rawstats adds fields that contain the following information about an event's _raw field: blank line count; number of lines starting with characters; number of lines starting with punctuation; counts of alpha-numeric, numeric, lowercase, uppercase, spaces, and other characters; line width and left-margin statistics (average, minimum, maximum, median, standard deviation).
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
rawstats
Arguments
None.
Examples
Splunk Web:
This example searches for all events, adds rawstats information, and adds all fields to the fields menu.
* | rawstats | fields *
This example searches for events that are long (have many lines) and narrow.
* | rawstats | search rawstat_width_avg<30 linecount>30
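To see what the rawstat_ fields contain and why the long-and-narrow filter picks out stack traces rather than single-line syslog records, here is an added Python example (not Splunk's implementation): it computes the statistics the note above lists over a _raw string and applies the rawstat_width_avg<30 linecount>30 filter from the second example. The rawstat_* field names other than rawstat_width_avg, and the two sample events, are my assumptions.

```python
import statistics
import string

PUNCT = set(string.punctuation)

# Constructed sample events (not from the page): one single-line syslog entry
# and one 42-line Python traceback.
SAMPLE_EVENTS = [
    {"host": "web1",
     "_raw": "Oct 25 10:00:01 web1 sshd[2211]: Accepted publickey for deploy "
             "from 10.0.0.5 port 51522 ssh2"},
    {"host": "app1",
     "_raw": "Traceback (most recent call last):\n"
             + "".join(f'  File "m{i}.py", line {i}\n' for i in range(40))
             + "ValueError: bad input"},
]


def _dist(values, prefix):
    """avg/min/max/median/stdev of a list of ints, named rawstat_<prefix>_*."""
    sd = statistics.pstdev(values) if len(values) > 1 else 0.0
    return {
        f"rawstat_{prefix}_avg": statistics.mean(values),
        f"rawstat_{prefix}_min": min(values),
        f"rawstat_{prefix}_max": max(values),
        f"rawstat_{prefix}_median": statistics.median(values),
        f"rawstat_{prefix}_stdev": sd,
    }


def rawstats(raw):
    """Compute the rawstat_ fields the page lists for one _raw value, plus
    linecount. Field names are assumed; the page names only the prefix."""
    lines = raw.split("\n")  # never empty, so every statistic is defined
    fields = {"linecount": len(lines)}
    fields["rawstat_blank_lines"] = sum(1 for l in lines if not l.strip())
    fields["rawstat_lines_start_alpha"] = sum(1 for l in lines if l.lstrip()[:1].isalpha())
    fields["rawstat_lines_start_punct"] = sum(1 for l in lines if l.lstrip()[:1] in PUNCT)

    counts = dict.fromkeys(("alnum", "numeric", "lower", "upper", "space", "other"), 0)
    for ch in raw:
        if ch.isalnum():
            counts["alnum"] += 1
            if ch.isdigit():
                counts["numeric"] += 1
            elif ch.islower():
                counts["lower"] += 1
            elif ch.isupper():
                counts["upper"] += 1
        elif ch.isspace():
            counts["space"] += 1
        else:
            counts["other"] += 1
    for name, n in counts.items():
        fields[f"rawstat_{name}_count"] = n

    fields.update(_dist([len(l) for l in lines], "width"))
    fields.update(_dist([len(l) - len(l.lstrip(" ")) for l in lines], "margin"))
    return fields


def long_and_narrow(events, width_avg_lt=30, linecount_gt=30):
    """Equivalent of "* | rawstats | search rawstat_width_avg<30 linecount>30":
    keep events that are tall and narrow, such as stack traces or hex dumps."""
    out = []
    for ev in events:
        f = rawstats(ev["_raw"])
        if f["rawstat_width_avg"] < width_avg_lt and f["linecount"] > linecount_gt:
            out.append({**ev, **f})
    return out


if __name__ == "__main__":
    for ev in long_and_narrow(SAMPLE_EVENTS):
        print(ev["host"], ev["linecount"], round(ev["rawstat_width_avg"], 1))
```

Only the traceback survives the filter: its 42 short lines average under 25 characters, while the sshd line is a single line roughly 90 characters wide.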
save
save: Internal. Save search results to a file that you specify, or to the xml attributes of a single event (if you don't specify a file). Use the soapsafe option to make saved events transportable using the SOAP API.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
save [filename | soapsafe]
Arguments
| filename | string | Specify the name of the file to save results to. |
| soapsafe | soapsafe=(T | F) (default= F) | Set soapsafe to true to make events transportable using the SOAP API. |
Examples
Splunk Web:
This example saves a report of the daily indexing volume by server to the file "dailyvolumereport".
index=_internal todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log NOT source=*web_access.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host | save dailyvolumereport
sendemail
sendemail: Internal. This data-processing command will email your search results to the email address you specify. You may specify multiple email addresses to send your results to, and you can select the format to send the results in (html, raw, text, csv). You may also choose to send the results in the body of the email, or as an attachment. You must use quotes when specifying an email list.
This command is intended to be used by the saved search alerting system. It may work from the UI/CLI in some instances. Specifically, in distributed search configurations it will not work reliably.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
sendemail to="email_list" [email-options]...
Arguments
| to= | to="email_address,...,email_address" | Comma-separated list of recipient email addresses (email_address = name@whatever.com). |
email-options
| email-options= | from | cc | bcc | format | inline | priority | server | Additional email options you can specify. |
| from= | from="email_list" (default=splunk@hostname) | Specify an email address for the from line. |
| cc= | cc="email_list" | A comma-separated list of valid email addresses to put in the carbon copy (cc) field. |
| bcc= | bcc="email_list" | A comma-separated list of valid email addresses to put in the blind carbon copy (bcc) field. |
| format= | format=(html | raw | text | csv) (default=html) | Specify the format of the email that the results are sent in. |
| inline= | inline=(True | False) (default=True) | Set whether to send the results in the body of the email (True) or as an attachment (False). |
| priority= | priority=(1 | 2 | 3 | 4 | 5) (default=3) | Set the email's priority. 1 = highest, 2 = high, 3 = normal, 4 = low, 5 = lowest. |
| server= | server=name of server(localhost) | Set the smtp server. Default is localhost. |
Examples
Splunk Web:
This example searches for "fail" on all sourcetypes that start with "access". Then renames the _raw field as marklar, does a stats operation to find the distinct count, and sends the results to cartman@sp.com in an html-formatted email with the subject "failboat".
fail sourcetype="access*" | rename _raw as marklar | stats dc(marklar) by _time | sendemail from=cartman@sp.com format=html subject=failboat server=mail.sp.com
tagcreate
Create a tag for results that match specified field/value pairs.
Syntax
tagcreate tag field/value pairs
Arguments
| tag | tag name | Specify a tag to tag results with. |
| field/value pairs | field=value, field=value,... | Specify any number of field value pairs that events must have in order to apply the tag. |
Examples
This example searches for access events and tags events that have host values of 127.0.0.1 or localhost with the tag "local".
eventtype="access" | tagcreate local host=localhost host=127.0.0.1
tagdelete
Delete a tag from results that match specified field/value pairs.
Syntax
tagdelete tag field/value pairs
Arguments
| tag | tag name | Name of the tag to delete. |
| field/value pairs | field=value, field=value,... | Specify any number of field/value pairs that events must have in order for the tag to be deleted from them. |
Examples
This example deletes the "webserver" tag from events that have host value web.
* | tagdelete webserver host=web
tags
Annotate search results with tags after you extract fields during your search (for example, when using the rex command). List fields in a comma-separated list to specify which fields to annotate tags for, or specify no fields to have Splunk annotate tags for all fields.
Note: You only need to use tags to annotate tags to search results if you extract fields during a search. Splunk annotates tags for fields that you configure via configuration files by default.
Syntax
tags [field list]
Arguments
| field list= | field,field,... | Optionally specify fields to annotate tags for. You can use wildcards when specifying field names. If no fields are specified, then Splunk annotates tags for all fields. |
Examples
Splunk Web:
This example searches for events from the splunk-file-interop.log.4 log file and extracts the month field at search time. | tags is appended to display tags for the month field if you have any set for it.
source="/splunk/testlogs/testlogs/splunk-file-interop.log.4" | rex "(?<month>\S+)" | tags
tagset
Set tags for a field/value pair. tagset deletes existing tags and replaces them with the tags that you specify.
Syntax
tagset field-value-pair tags
Arguments
| field-value-pair | field=value | The field/value pair to set tags for. |
| tags | tag,tag,... | Comma-separated list of tags that replace any existing tags on the pair. |
Examples
This example tags all of your events from the web host with the tag "webserver".
* | tagset host=web webserver
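The four tag commands differ in how they change the tag set attached to a field/value pair: tagcreate adds, tagdelete removes, tagset replaces, and tags only reads. The following Python models those semantics as an added example (not Splunk's code); the TagStore class, the tag::<field> output field name and the sample pairs are assumptions for illustration, and the wildcard matching in annotate stands in for the wildcards the tags command accepts in its field list.

```python
from fnmatch import fnmatch


class TagStore:
    """In-memory stand-in for Splunk's field/value tag configuration (added
    example, not Splunk code). Keys are (field, value); values are tag sets."""

    def __init__(self):
        self._tags = {}

    @staticmethod
    def _values(v):
        return list(v) if isinstance(v, (list, tuple, set)) else [v]

    def tagcreate(self, tag, **pairs):
        """tagcreate: add `tag` to every field=value pair; existing tags stay."""
        for field, values in pairs.items():
            for value in self._values(values):
                self._tags.setdefault((field, value), set()).add(tag)

    def tagdelete(self, tag, **pairs):
        """tagdelete: remove `tag` from the given pairs; other tags stay."""
        for field, values in pairs.items():
            for value in self._values(values):
                key = (field, value)
                if key in self._tags:
                    self._tags[key].discard(tag)
                    if not self._tags[key]:
                        del self._tags[key]

    def tagset(self, field, value, *tags):
        """tagset: replace whatever tags the pair had with exactly `tags`."""
        if tags:
            self._tags[(field, value)] = set(tags)
        else:
            self._tags.pop((field, value), None)

    def lookup(self, field, value):
        return sorted(self._tags.get((field, value), ()))

    def annotate(self, event, field_list=None):
        """tags: add a tag::<field> entry for each field whose value is tagged.
        field_list limits which fields are annotated and may use wildcards;
        omit it to annotate every field (the tag::<field> name is assumed)."""
        out = dict(event)
        for field, value in event.items():
            if field_list and not any(fnmatch(field, pat) for pat in field_list):
                continue
            tags = self.lookup(field, value)
            if tags:
                out[f"tag::{field}"] = tags
        return out


if __name__ == "__main__":
    store = TagStore()
    # tagcreate local host=localhost host=127.0.0.1
    store.tagcreate("local", host=["localhost", "127.0.0.1"])
    store.tagcreate("webserver", host="web")
    store.tagcreate("prod", host="web")
    print(store.lookup("host", "web"))        # both tags, tagcreate is additive
    store.tagset("host", "web", "webserver")  # tagset host=web webserver
    print(store.lookup("host", "web"))        # only webserver remains
    print(store.annotate({"host": "localhost", "month": "Oct"}, ["ho*"]))
```

The point the page's wording leaves implicit is visible in the main block: tagcreate on a pair that already carries "webserver" keeps it and adds "prod", whereas tagset on the same pair discards everything that was there before.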
translate
translate: Internal. Translate terms of an event into another language (french, german, or spanish). translate replaces terms in _raw with translated terms that you can configure in $SPLUNK_HOME/etc/searchscript/translate.conf.
Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.
Syntax
translate language
Arguments
| language | string (french | german | spanish) | Specify what language to translate terms to. |
Examples
Splunk Web:
This example searches for events from the source "/var/log/messages" and translates terms in the results to French.
source="/var/log/messages" | translate french
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14