CLI search syntax
This is a quick discussion of the syntax and options available for using the search and rtsearch commands in the CLI.
CLI help for search
You can access the CLI help information for search and rtsearch by typing:
./splunk help search|rtsearch
You can also view information about the search language that the CLI supports by typing:
./splunk help search-commands|search-fields|search-modifiers
Note: By default, results from CLI searches are limited to 100 events. If you want to increase this limit, see the maxout flag below.
Syntax for CLI searches
The syntax for CLI searches is similar to the syntax for searches you run from Splunk Web, except that you can pass parameters outside of the search object to control the time limit of the search, tell Splunk which server to run the search on, and specify how Splunk displays the results.
search | rtsearch [object][-parameter <value>]
Search objects
Search objects are enclosed in single quotes (' ') and can be keywords, expressions, or a series of search commands. On Windows, use double quotes (" ") to enclose your search object.
- For more information about searching in Splunk, see the "Start searching" topic in the User manual.
- For the complete list of search commands, see "All search commands" in the Search Reference Manual.
- For a quick reference search language and search commands, see the "Search Command Cheat Sheet and Search Language Quick Reference Card" in the Search Reference Manual.
Search objects can include not only keywords and search commands but also fields and modifiers to specify the events you want to retrieve and the results you want to generate.
- For more information about fields, see the "Use fields to search" topic in the Splunk Tutorial.
- For more information about default fields and how to use them, see the "Use default and internal fields" topic in the User Manual.
- For more information about time modifiers, see the "Time modifiers for search" topic in the Search Reference Manual.
Search parameters
Search parameters are options that control the way the search is run or the way the search results are displayed. All of these parameters are optional. Parameters that take Boolean values accept {0, false, f, no} as negatives and {1, true, t, yes} as positives.
| Parameter | Value(s) | Default(s) | Description |
|---|---|---|---|
| app | <app_name> | search | Specify the name of the app in which to run your search. |
| batch | <bool> | F | Indicates how to handle updates in preview mode. |
| detach | <bool> | F | Triggers an asynchronous search and displays the job ID and TTL for the search. |
| header | <bool> | T | Indicates whether to display a header in the table output mode. |
| max_time | <number> | 0 | The length of time in seconds that a search job runs before it is finalized. A value of 0 means that there is no time limit. |
| maxout | <number> | search: 100; rtsearch: 0 | The maximum number of events to return or send to stdout (when exporting events). The maximum allowable value is 10000. A value of 0 means that it will output an unlimited number of events. |
| output | rawdata, table, csv, auto | rawdata for non-transforming searches; table for transforming searches | Indicates how to display the job. |
| preview | <bool> | T | Indicates that reporting searches should be previewed (displayed as results are calculated). |
| timeout | <number> | 0 | The length of time in seconds that a search job is allowed to live after running. A value of 0 means that the job is canceled immediately after it is run. |
| uri | [http\|https]://name_of_server:management_port | | Specify the server name and management port. name_of_server can be the fully-resolved domain name or the IP address of the Splunk server. The default uri value is the For more information, see Access and use the CLI on a remote Splunk Server in the Admin manual. |
| wrap | <bool> | T | Indicates whether to line wrap for individual lines that are longer than the terminal width. |
Examples
You can see more examples in the CLI help information.
Example 1: Retrieve events from yesterday that match root sessions.
./splunk search "session root daysago=1"
Example 2: Retrieve events that match web access errors and detach the search.
./splunk search 'eventtype=webaccess error' -detach true
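The following wrapper is an added example for this page; it is not part of the Splunk documentation or of the splunk CLI itself. It shows the two points practitioners most often get wrong on a POSIX shell: the search object has to travel as a single argument (so that a `|` in the SPL reaches Splunk's parser instead of starting a shell pipeline), and the parameters from the table above have to be passed explicitly, because the `maxout` default of 100 silently truncates a CSV export. `SPLUNK_HOME` (defaulting to /opt/splunk) and the helper names `build_search_argv` and `run_search` are assumptions of this wrapper, not splunk commands or options.

```shell
#!/bin/sh
# Added example (not Splunk's own code): wrap `splunk search` so that the
# search object is always ONE argv element and the CLI parameters are set
# explicitly. Assumptions: SPLUNK_HOME points at the installation;
# build_search_argv and run_search are helpers of this wrapper only.

: "${SPLUNK_HOME:=/opt/splunk}"

# build_search_argv SEARCH [MAXOUT] [OUTPUT] [MAX_TIME]
# Prints the argument vector that run_search would execute, one element per
# line, so the quoting can be inspected before anything is run. Because
# SEARCH stays a single element, "| stats count by host" inside it is never
# seen by the shell as a pipeline.
build_search_argv() {
    spl=$1
    maxout=${2:-100}    # documented default for search; 0 = unlimited
    output=${3:-auto}   # rawdata, table, csv or auto
    max_time=${4:-0}    # seconds before the job is finalized; 0 = no limit
    set -- "$SPLUNK_HOME/bin/splunk" search "$spl" \
        -maxout "$maxout" -output "$output" -max_time "$max_time"
    printf '%s\n' "$@"
}

# run_search SEARCH [MAXOUT] [OUTPUT] [MAX_TIME]
# The same argument vector, actually executed; the exit status is splunk's.
run_search() {
    spl=$1
    maxout=${2:-100}
    output=${3:-auto}
    max_time=${4:-0}
    "$SPLUNK_HOME/bin/splunk" search "$spl" \
        -maxout "$maxout" -output "$output" -max_time "$max_time"
}

# Typical use: full CSV export of a transforming search with no event cap,
# finalized after at most 300 seconds. Single quotes keep the pipe and any
# $-characters in the SPL away from the shell.
#   run_search 'index=_internal | stats count by sourcetype' 0 csv 300 > sourcetypes.csv
```

Run `build_search_argv` first when a search contains pipes, quotes or `$` fields: if the SPL shows up split across several lines, the shell has already broken it apart and splunk would receive only the first fragment. On Windows the same wrapper logic applies but the outer quotes around the search object must be double quotes, as noted above.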
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2