CLI commands
This documentation does not apply to the most recent version of Splunk.
The Splunk command line interface is commonly referred to as the "CLI". The table below lists the commands that you can use while in the CLI.
Use Splunk's CLI help command to get up-to-date descriptions of CLI commands and parameters. Access CLI help by typing ./splunk help while Splunk is running. CLI commands perform their operations on objects (such as userdata, a server, or a path to a file).
Syntax
Splunk CLI commands have the syntax:
./splunk command object [-parameter value]...
Command list
Here is a list of available commands in the CLI:
| Command | Operation | Example |
|---|---|---|
| add | Add data inputs, user accounts, or saved searches. | ./splunk add monitor var/log |
| anonymize | Anonymize data samples. | ./splunk anonymize file -source '/home/myname/logs/*.log' |
| clean | Erase (clean) different types of user-generated data off of the server. | ./splunk clean userdata |
| dispatch | Run a long-running search or report. | ./splunk dispatch "source=*hot* \| stats count" -maxtime 3 |
| display | Display applications, indexes, or distributed features. | ./splunk display local-index |
| disable | Disable applications and distributed search features. | ./splunk disable listen |
| edit | Edit data inputs, user accounts, and saved searches. | ./splunk edit saved-search apache_errors -terms "404 OR 403" |
| enable | Enable Splunk features and distributed search features. | ./splunk enable listen 9997 |
| export | Export data from the server to a specified directory. | ./splunk export eventdata -auth gwb:d3cidr |
| find | Find logs for Splunk to index. | ./splunk find logs "../etc;../var" |
| help | Display the default help page for Splunk's CLI help. | ./splunk help |
| import | Import data from a specified directory to the server. | ./splunk import userdata -dir /tmp/export.dat -subset eventtypetags,hosttags |
| list | List status of various server configuration attributes. | ./splunk list tail |
| login, logout | Authenticate a session to a Splunk server with an Enterprise license (login), or end an authenticated session (logout). | |
| refresh | Update a deployment server with current deployment client server information. | ./splunk refresh deploy-client |
| reload | Reload deployment clients with current deployment server data. | ./splunk reload deploy-server -class wwwclass |
| remove | Remove data inputs, user accounts, and saved searches. | ./splunk remove monitor |
| resurrect | Make data available that has previously been archived. | ./splunk resurrect /tmp/myarchive test 01/01/2000:00:00:00 01/01/2001:00:00:00 |
| search | Execute a search. See the search reference to learn how to execute a search. | ./splunk search '404 \| top source' |
| set | Set current properties of various server attributes. | ./splunk set deploy-poll 10.1.1.5:8089 |
| show | Show server attributes. | ./splunk show license |
| spool | Read a file or directory only one time, or read archived files. | ./splunk spool /tmp/logs.tgz |
| start, stop, restart | Start, stop, or restart your Splunk server. | ./splunk start |
| status | Show the status of Splunk's processes. | ./splunk status splunkd |
| test, train | Improve Splunk's handling of dates, source types, and fields. | ./splunk train dates |
| unresurrect | Delete directories that have been resurrected. | ./splunk unresurrect foobar 07/01/2004:00:00:00 08/01/2004:00:00:00 |
| validate | Validate the integrity of a Splunk index. | ./splunk validate index main |
| version | Display Splunk's version and build number. | ./splunk version |
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14