Administrative CLI commands
This topic discusses the administrative CLI commands, which are the commands used to manage or configure your Splunk server and distributed deployment.
For information about accessing the CLI and what is covered in the CLI help, see the previous topic, "Get help with the CLI". If you're looking for details about how to run searches from the CLI, refer to "About CLI searches" in the Search Reference Manual.
Your Splunk role configuration dictates what actions (commands) you can execute. Most actions require you to be a Splunk admin. Read more about setting up and managing Splunk users and roles in the "About users and roles" topic in the Admin Manual.
Splunk CLI command syntax
The general syntax for a CLI command is this:
./splunk <command> [<object>] [[-<parameter>] <value>]...
Note the following:
- Some commands don't require an object or parameters.
- Some commands have a default parameter that can be specified by its value alone.
Commands, objects, and examples
A command is an action that you can perform. An object is something you perform an action on.
|add||exec, forward-server, index, licenser-pools, licenses, master, monitor, oneshot, saved-search, search-server, tcp, udp, user|| 1. Adds monitor directory and file inputs to source |
| 2. Adds another master to the list of instances the searchhead searches across.
|anonymize||source|| 1. Replaces identifying data, such as usernames and IP addresses, in the file located at |
| 2. Anonymizes |
|apply||cluster-bundle|| 1. Makes validated bundle active on peers.
| 2. Skip-validation is an optional argument to skip bundle validation on the master and peers.
|clean||all, eventdata, globaldata, inputdata, userdata, kvstore|| 1. Removes data from Splunk installation. |
| 2. |
|cmd||btool, classify, locktest, locktool, parsetest, pcregextest, regextest, searchtest, signtool, walklex|| 1. Runs the |
|2. Shows contents of the bin directory.
|create||app|| 1. Builds myNewApp from a template.
|disable||app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi|| 1. Disables the maintenance mode on peers in indexer clustering. Must be invoked at the master.
|2. Disables the logs1 collection.
|display||app, boot-start, deploy-client, deploy-server, dist-search, jobs, listen, local-index|| 1. Displays status information, such as enabled/disabled, for all apps.
|2. Displays status information for the unix app.
|edit||app, cluster-config, shcluster-config, exec, index, licenser-localslave, licenser-groups, monitor, saved-search, search-server, tcp, udp, user|| 1. Edits the current clustering configuration.
|2. Edits monitored directory inputs in |
|enable||app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi|| 1. Sets the maintenance mode on peers in indexer clustering. Must be invoked at the master.
| 2. Enables the |
|export||eventdata, user data||1. Exports data out of your Splunk server into |
|fsck||repair, scan, clear-bloomfilter|
|import||userdata|| 1. Imports user accounts data from directory |
|install||app|| 1. Installs the app from foo.tar to the local Splunk server.
|2. Installs the app from foo.tgz to the local Splunk server.
|list||cluster-buckets, cluster-config, cluster-generation, cluster-peers, deploy-clients, excess-buckets, exec, forward-server, index, inputstatus, licenser-groups, licenser-localslave, licenser-messages, licenser-pools, licenser-slaves, licenser-stacks, licenses, jobs, master-info, monitor, peer-info, peer-buckets, perfmon, saved-search, search-server, tcp, udp, user, wmi|| 1. Lists all active monitored directory and file inputs. This displays files and directories currently or recently monitored by splunkd for change.
|2. Lists all licenses across all stacks.
|offline||NONE|| 1. Used to shutdown the peer in a way that does not affect existing searches. The master rearranges the primary peers for buckets, and fixes up the cluster state in case the enforce-counts flag is set.
|2. Because the |
|package||app|| 1. Packages the stubby app and returns its uri.
|reload||ad, auth, deploy-server, index, listen, monitor, registry, script, tcp, udp, perfmon, wmi|| 1. Reloads your deployment server, in entirety or by server class.
|2. Reloads my_serverclass.
|remove||app, cluster-peers, excess-buckets, exec, forward-server, index, jobs, licenser-pools, licenses, monitor, saved-search, search-server, tcp, udp, user|| 1. Removes the cluster master from the list of instances the searchhead searches across. Uses testsecret as the secret/pass4SymmKey.
|2. Removes the Unix app.
|rtsearch||app, batch, detach, earliest_time, header, id, index_earliest, index_latest, max_time, maxout, output, preview, rt_id, timeout, uri, wrap|| 1. Runs a real-time search that does not line-wrap for individual lines.
|2. Runs a real-time search. Use |
|search||app, batch, detach, earliest_time, header, id, index_earliest, index_latest, latest_time, max_time, maxout, output, preview, timeout, uri, wrap|| 1. Uses the wildcard as the search object. Triggers an asynchronous search and displays the job id and ttl for the search.
|2. Uses |
|set||datastore-dir, deploy-poll, default-hostname, default-index, minfreemb, servername, server-type, splunkd-port, web-port, kvstore-port|| 1. Sets the force indexing ready bit.
|2. Sets |
|show||config, cluster-bundle-status, datastore-dir, deploy-poll, default-hostname, default-index, jobs, minfreemb, servername, splunkd-port, web-port, kvstore-port|| 1. Shows current logging levels.
|2. Shows which deployment server Splunk Enterprise is configured to poll from.
|validate||index|| 1. Uses main as the index to validate. Verifies index paths specified in |
Exporting search results with the CLI
You can use the CLI to export large numbers of search results. For information about how to export search results with the CLI, as well as information about the other export methods offered by Splunk Enterprise, see "Export search results" in the Search Manual.
Troubleshooting with the CLI
Splunk's CLI also includes tools that help with troubleshooting Splunk issues. These tools are invoked using the Splunk CLI command
./splunk cmd <tool>
For the list of CLI utilities, see "Command line tools for use with Support" in the Troubleshooting Manual.
Get help with the CLI
Use the CLI to administer a remote Splunk Enterprise instance
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2