Use the CLI to administer a remote Splunk Enterprise instance
You can use the -uri
argument with any CLI command to send that command to another Splunk Enterprise instance and view the results on your local instance.
Read this topic to learn about the following concepts:
- Syntax for using the
uri
argument. - How the CLI verifies the host name of the remote server you are connecting to
- CLI commands that you cannot use remotely.
Remote CLI access is disabled by default for the admin user until you have changed its default password.
The CLI verifies the host names of machines to which it connects over TLS
In version 9.0.0 and higher of Splunk Enterprise, the CLI verifies the host name of the machine you connect to using the -uri
argument. This validation check also happens on the local instance if you use the -uri
argument to connect locally.
If the machine does not have valid transport layer security (TLS) certificates installed and configured, the remote CLI connection fails. Failed connections do not return any information from the remote instance.
You can temporarily disable TLS host name verification by using the -no-host-name-check
argument within the CLI command, but this reduces security overall and subjects you to potential cyberattacks between the instance on which you run the CLI and the instance to which the CLI attempts to connect.
For more information on TLS certificates and how to obtain, install, and configure them, see About securing the Splunk platform with TLS in Securing the Splunk Platform.
Enable remote access
If you run Splunk Free, which has no login credentials, remote access is disabled by default until you've edited the [general]
stanza of the $SPLUNK_HOME/etc/system/local/server.conf
configuration file, and set the following value:
allowRemoteLogin=always
The add oneshot
command works on local instances but cannot be used remotely.
For more information about editing configuration files, see About configuration files in this manual.
Send CLI commands to a remote server
The general syntax for using the uri
parameter with any CLI command is:
./splunk command object [-parameter <value>]... [-no-host-name-check] -uri <specified-server>
The uri
value, specified-server
is formatted as:
[http|https]://name_of_server:management_port
Also, the name_of_server
can be the fully resolved domain name or the IP address of the remote Splunk Enterprise instance.
This uri
value is the mgmtHostPort
value that you defined in the web.conf
configuration file on the remote Splunk Enterprise instance. For more information, see the web.conf reference.
For general information about the CLI, see About the CLI and Get help with the CLI in this manual.
Search a remote instance
The following example returns search results from the remote "splunkserver".
./splunk search "host=fflanda error 404 *.gif" -uri https://splunkserver:8089
For details on syntax for searching using the CLI, refer to About CLI searches in the Search Reference Manual.
View apps installed on a remote instance
The following example returns the list of apps that are installed on the remote "splunkserver".
./splunk display app -uri https://splunkserver:8089
Change your default URI value
You can set a default URI value using the SPLUNK_URI environment variable. If you change this value to be the URI of the remote server, you do not need to include the uri
parameter each time you want to access that remote server.
To change the value of SPLUNK_URI, type either:
$ export SPLUNK_URI=[http|https]://name_of_server:management_port # For Unix shells C:\> set SPLUNK_URI=[http|https]://name_of_server:management_port # For Windows shell
For the examples above, you can change your SPLUNK_URI value by typing:
$ export SPLUNK_URI=https://splunkserver:8089
CLI commands you cannot run remotely
You can run most CLI commands remotely, with a few exceptions.
You cannot remotely run commands that control the server. These server control commands include:
- start, stop, restart
- status, version
In addition, you cannot run these commands remotely:
- add, edit, list, remove search-server
- add oneshot
You can view all CLI commands by accessing the CLI help reference. See Get help with the CLI in this manual.
Administrative CLI commands | Customize the CLI login banner |
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0
Feedback submitted, thanks!