Search Reference



All search commands

The table below lists all search commands with a short description and links to their individual reference pages. For a quick guide with examples for use of these search commands, refer to the Search cheat sheet.

Some of these commands share functions -- you can see a list of these functions with descriptions and examples on the following pages: Functions for eval and where and Functions for stats, chart, and timechart.

| Command | Alias(es) | Description | See also |
|---|---|---|---|
| abstract | excerpt | Produces a summary of each search result. | highlight |
| accum | | Keeps a running total of the specified numeric field. | autoregress, delta, trendline, streamstats |
| addinfo | | Adds fields that contain common information about the current search. | search |
| addtotals | addcoltotals | Computes the sum of all numeric fields for each result. | stats |
| analyzefields | | Analyzes numerical fields for their ability to predict another discrete field. | anomalousvalue |
| anomalies | | Computes an "unexpectedness" score for an event. | anomalousvalue, cluster, kmeans, outlier |
| anomalousvalue | | Finds and summarizes irregular, or uncommon, search results. | analyzefields, anomalies, cluster, kmeans, outlier |
| append | | Appends subsearch results to current results. | appendcols, appendcsv, appendlookup, join, set |
| appendcols | | Appends the fields of the subsearch results to current results, first result to first result, second to second, etc. | append, appendcsv, appendlookup, join, set |
| associate | | Identifies correlations between fields. | correlate, contingency |
| audit | | Returns audit trail information that is stored in the local audit index. | |
| autoregress | | Sets up data for calculating the moving average. | accum, autoregress, delta, trendline, streamstats |
| bucket | bin, discretize | Puts continuous numerical values into discrete sets. | chart, timechart |
| chart | | Returns results in a tabular output for charting. See also Functions for stats, chart, and timechart. | bucket, sichart, timechart |
| cluster | sic | Clusters similar events together. | anomalies, anomalousvalue, cluster, kmeans, outlier |
| collect | stash | Puts search results into a summary index. | overlap |
| contingency | counttable, ctable | Builds a contingency table for two fields. | associate, correlate |
| convert | | Converts field values into numerical values. | eval |
| correlate | | Calculates the correlation between different fields. | associate, contingency |
| crawl | | Crawls the filesystem for new sources to index. | |
| dbinspect | | Returns information about the specified index. | |
| dedup | | Removes subsequent results that match specified criteria. | uniq |
| delta | | Computes the difference in field value between nearby results. | accum, autoregress, trendline, streamstats |
| diff | | Returns the difference between two search results. | |
| dispatch | | Encapsulates long-running, streaming reports. | |
| eval | | Calculates an expression and puts the value into a field. See also Functions for eval and where. | where |
| eventstats | | Adds summary statistics to all search results. | stats |
| extract | kv | Extracts field-value pairs from search results. | kvform, multikv, xmlkv, rex |
| fields | | Removes fields from search results. | |
| file | test | Processes the given file as if it were indexed. | |
| fillnull | | Replaces null values with a specified value. | |
| format | | Takes the results of a subsearch and formats them into a single result. | |
| gentimes | | Generates time-range results. | |
| head | | Returns the first n of the specified results. | reverse, tail |
| highlight | | Causes Splunk Web to highlight specified terms. | |
| input | | Adds sources to Splunk or disables sources from being processed by Splunk. | |
| inputcsv | | Loads search results from the specified CSV file. | load, outputcsv |
| iplocation | | Extracts location information from IP addresses. | |
| join | | SQL-like joining of results from the main results pipeline with the results from the subpipeline. | selfjoin, appendcols |
| kmeans | | Performs k-means clustering on selected fields. | anomalies, anomalousvalue, cluster, outlier |
| kvform | | Extracts values from search results, using a form template. | extract, kvform, multikv, xmlkv, rex |
| loadjob | | Loads search results from a specified CSV file. | inputcsv |
| localize | | Returns a list of the time ranges in which the search results were found. | map, transaction |
| lookup | | Explicitly invokes field value lookups. | |
| makecontinuous | | Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart). | chart, timechart |
| makemv | | Changes a specified field into a multivalued field during a search. | mvcombine, mvexpand, nomv |
| map | | A looping operator that performs a search over each search result. | |
| mvcombine | | Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. | mvexpand, makemv, nomv |
| multikv | | Extracts field-values from table-formatted events. | |
| mvexpand | | Expands the values of a multivalue field into separate events for each value of the multivalue field. | mvcombine, makemv, nomv |
| nomv | | Changes a specified multivalued field into a single-value field at search time. | makemv, mvcombine, mvexpand |
| outlier | outlierfilter | Removes outlying numerical values. | anomalies, anomalousvalue, cluster, kmeans |
| outputcsv | | Outputs search results to a specified CSV file. | inputcsv, outputatom, outputraw, outputtext |
| outputtext | | Outputs the raw text field (_raw) of results into the _xml field. | outputatom, outputraw, outputtext |
| overlap | | Finds events in a summary index that overlap in time or have missed events. | collect |
| rangemap | | Sets the RANGE field to the name of the ranges that match. | |
| rare | | Displays the least common values of a field. | sirare, stats, top |
| relevancy | | Calculates how well the event matches the query. | |
| rename | | Renames a specified field; wildcards can be used to specify multiple fields. | |
| replace | | Replaces values of specified fields with a specified new value. | |
| reverse | | Reverses the order of the results. | head, sort, tail |
| rex | | Specifies Perl regular expression named groups to extract fields while you search. | extract, kvform, multikv, xmlkv, regex |
| savedsearch | macro, savedsplunk | Returns the search results of a saved search. | |
| script | run | Runs an external Perl or Python script as part of your search. | |
| scrub | | Anonymizes the search results. | |
| search | | Searches Splunk indexes for matching events. | |
| selfjoin | | Joins results with itself. | join |
| sendemail | | Emails search results to a specified email address. | |
| set | | Performs set operations on subsearches. | |
| sichart | | Summary indexing version of chart. | chart, sitimechart, timechart |
| sirare | | Summary indexing version of rare. | rare |
| sistats | | Summary indexing version of stats. | stats |
| sitimechart | | Summary indexing version of timechart. | chart, sichart, timechart |
| sitop | | Summary indexing version of top. | top |
| sort | | Sorts search results by the specified fields. | reverse |
| stats | | Provides statistics, grouped optionally by fields. See also Functions for stats, chart, and timechart. | eventstats, top, rare |
| strcat | | Concatenates string values. | |
| streamstats | | Adds summary statistics to all search results in a streaming manner. | eventstats, stats |
| tail | | Returns the last n of the specified results. | head, reverse |
| timechart | | Creates a time series chart and corresponding table of statistics. See also Functions for stats, chart, and timechart. | chart, bucket |
| top | common | Displays the most common values of a field. | rare, stats |
| transaction | transam | Groups search results into transactions. | |
| trendline | | Computes moving averages of fields. | timechart |
| typeahead | | Returns typeahead information on a specified prefix. | |
| typelearner | | Generates suggested eventtypes. | typer |
| typer | | Calculates the eventtypes for the search results. | typelearner |
| uniq | | Removes any search result that is an exact duplicate of a previous result. | dedup |
| untable | | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. | |
| where | | Performs arbitrary filtering on your data. See also Functions for eval and where. | eval |
| xmlkv | | Extracts XML key-value pairs. | extract, kvform, multikv, rex |
| xmlunescape | | Unescapes XML. | |
| xpath | | Redefines the XML path. | |
| xyseries | | Converts results into a format suitable for graphing. | |

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11