Splunk® Enterprise

Admin Manual

This documentation does not apply to the most recent version of Splunk.

Get help with the CLI

This topic discusses how to access Splunk software built-in CLI help reference, which contains information about the CLI commands and how to use them. This topic also briefly discusses the universal parameters, which are parameters that you can use with any CLI command.

Access CLI help reference

If you need to find a CLI command or syntax for a CLI command, use the Splunk software built-in CLI help reference.

Access the default help information with the help command. From $SPLUNK_HOME/bin in *nix or %SPLUNK_HOME%\bin in Windows, type:

./splunk help

This returns a list of objects to help you access more specific CLI help topics, such as administrative commands, clustering, forwarding, licensing, searching, etc.

Universal parameters

Some commands require that you authenticate with a username and password, or specify a target host or app. For these commands you can include one of the universal parameters: auth, app, or uri.

./splunk [command] [object] [-parameter <value> | <value>]... [-app] [-owner] [-uri] [-auth]

Parameter   Description
app         Specify the app or namespace to run the command; for search, defaults to the Search app.
auth        Specify login credentials to execute commands that require you to be logged in.
owner       Specify the owner/user context associated with an object; if not specified, defaults to the currently logged in user.
uri         Execute a command on any specified (remote) Splunk server.

app

In the CLI, app is an object for many commands, such as create app or enable app. But it is also a parameter that you can add to a CLI command if you want to run that command on a specific app.

Syntax:

./splunk command object [-parameter value]... -app appname 

For example, when you run a search in the CLI, it defaults to the Search app. If you want to run the search in another app:

./splunk search "eventtype=error | stats count by source" -detach f -preview t -app unix

auth

If a CLI command requires authentication, Splunk software prompts you to supply the username and password. You can also use the -auth flag to pass this information inline with the command. The auth parameter is also useful if you need to run a command that requires different permissions to execute than the currently logged-in user has.

Note: auth must be the last parameter specified in a CLI command argument.

Syntax:

./splunk command object [-parameter value]... -auth username:password 

uri

If you want to run a command on a remote Splunk Enterprise instance, use the -uri flag to specify the target host.

Syntax:

./splunk command object [-parameter value]... -uri specified-server

Specify the target Splunk Enterprise instance with the following format:

[http|https]://name_of_server:management_port

You can specify an IP address for the name_of_server. Both IPv4 and IPv6 formats are supported; for example, the specified-server may read as: 127.0.0.1:80 or "[2001:db8::1]:80". By default, splunkd listens on IPv4 only. To enable IPv6 support, refer to the instructions in Configure Splunk for IPv6.


Example: The following example returns search results from the remote "splunkserver" on port 8089.

./splunk search "host=fflanda error 404 *.gif" -uri https://splunkserver:8089 -auth admin

For more information about the CLI commands you can run on a remote server, see Use the CLI to administer a remote Splunk Enterprise instance.
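
The following is an added example, not part of the Splunk manual: a POSIX shell check for the -uri format described above (scheme, host name or IPv4 or bracketed IPv6 address, management port) plus a helper that assembles the argument list with -auth last, as the note in the auth section requires. The function names are hypothetical, the check requires the scheme shown in the format line, and refusing to pass -auth over plain http is a policy assumption of this example.

```shell
#!/bin/sh
# Added example, not from the Splunk manual. Function names are hypothetical.

# valid_splunk_uri URI: succeed only for [http|https]://name_of_server:management_port
valid_splunk_uri() {
    case $1 in
        http://*)  vs_rest=${1#http://} ;;
        https://*) vs_rest=${1#https://} ;;
        *) return 1 ;;
    esac
    case $vs_rest in
        \[*\]:*)    # bracketed IPv6 literal such as [2001:db8::1]:8089
            vs_host=${vs_rest%%\]*}; vs_host=${vs_host#\[}
            vs_port=${vs_rest#*\]:}
            case $vs_host in ''|*[!0-9A-Fa-f:.]*) return 1 ;; esac
            case $vs_host in *:*) ;; *) return 1 ;; esac ;;
        *:*)        # host name or IPv4 address; a bare IPv6 address fails here
            vs_host=${vs_rest%:*}
            vs_port=${vs_rest##*:}
            case $vs_host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    # Port must be decimal digits in the range 1..65535.
    case $vs_port in ''|*[!0-9]*) return 1 ;; esac
    [ "${#vs_port}" -le 5 ] && [ "$vs_port" -ge 1 ] && [ "$vs_port" -le 65535 ]
}

# splunk_remote_args URI USER ARG...: print the argument list one per line,
# with -uri appended after ARG... and -auth USER placed last.
# Assumption of this example: credentials are refused over plain http.
splunk_remote_args() {
    sr_uri=$1; sr_user=$2; shift 2
    valid_splunk_uri "$sr_uri" || { echo "bad -uri: $sr_uri" >&2; return 2; }
    case $sr_uri in http://*) echo "refusing -auth over http" >&2; return 3 ;; esac
    printf '%s\n' "$@" -uri "$sr_uri" -auth "$sr_user"
}

# Constructed demo using the values from the page's own example.
splunk_remote_args https://splunkserver:8089 admin search 'host=fflanda error 404 *.gif'
```

Only the user name is passed to -auth here, as in the page's own example, so no password appears in the argument list.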

Useful help topics

When you run the default Splunk software CLI help, you will see these objects listed.

Administrative CLI commands

You can use the CLI for administrative functions such as adding or editing inputs, updating configuration settings, and searching. To see the list of administrative CLI commands, type:

./splunk help commands

These commands are discussed in more detail in Administrative CLI commands.

CLI help for clustering

Index replication, which is also referred to as clustering, is a Splunk feature that consists of clusters of indexers configured to replicate data to achieve several goals: data availability, data fidelity, disaster tolerance, and improved search performance.

You can use the CLI to view and edit clustering configurations on the cluster master or cluster peer. For the list of commands and parameters related to clustering, type in:

./splunk help clustering

For more information, read About clusters and index replication and Configure the cluster with the CLI in Managing Indexers and Clusters of Indexers.

CLI help for Splunk software controls

Use the CLI to start, stop, and restart Splunk server (splunkd) and web (splunkweb) processes or check to see if the process is running. For the list of controls, type in:

./splunk help controls

For more information, read Start and stop Splunk.

CLI help for data management

When you add data to Splunk, Splunk processes it and stores it in an index. By default, data you feed to Splunk is stored in the main index, but you can use the CLI to create and specify other indexes for Splunk to use for different data inputs. To see the list of objects and commands to manage indexes and datastores, type in:

./splunk help datastore
./splunk help index

For more information, read About managing indexes, Set up multiple indexes, and Remove indexes and data from Splunk in Managing indexers and Clusters of Indexers.

CLI help for distributed search deployments

Use the CLI to view and manage your distributed search configurations. For the list of objects and commands, type in:

./splunk help distributed

For more information about how distributed Splunk works and how to configure distributed search, read the Distributed Splunk overview, Components and roles (of a distributed environment), About distributed search, and Configure distributed search in the Distributed Deployment Manual.

CLI help for forwarding and receiving

Splunk deployments can include dozens or hundreds of forwarders forwarding data to one or more receivers. Use the CLI to view and manage your data forwarding configuration. For the list of forwarding objects and commands, type in:

./splunk help forwarding

For more information, read Components and roles and About forwarding and receiving in the Distributed Deployment Manual.

CLI help for search and real-time search

You can also use the CLI to run both historical and real-time searches. Access the help page about Splunk search and real-time search with:

./splunk help search
./splunk help rtsearch

Also, use objects search-commands, search-fields, and search-modifiers to access the respective help descriptions and syntax:

./splunk help search-commands
./splunk help search-fields
./splunk help search-modifiers

Note: The Splunk CLI interprets spaces as breaks. Use dashes between multiple words for topic names that are more than one word.

To learn more about searching your data with the CLI, refer to About CLI searches and Syntax for CLI searches in the Search Reference Manual and Real-time searches and reports in the CLI in the Search Manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14

