Splunk® Enterprise

Admin Manual

Download manual as PDF

About the CLI

You can use the Splunk platform command line interface (CLI) to monitor, configure, and execute searches. The CLI help exists in the product and is accessible through a terminal or shell interface. This topic discusses how to access this information.

Access the CLI

The Splunk platform CLI commands are located in $SPLUNK_HOME/bin/splunk.

To access Splunk platform CLI, you need either:

  • Shell access to a Splunk platform instance or forwarder, or
  • Permission to access the correct port on a remote Splunk platform instance.

You can find the Splunk installation path on your instance through Splunk Web. Click Settings > Server settings > General settings.

CLI help documentation

If you have administrator privileges, you can use the CLI not only to search but also to configure and monitor your Splunk server (or servers). The CLI commands used for configuring and monitoring Splunk are not search commands. Search commands are arguments to the search and dispatch CLI commands. Some commands require you to authenticate with a username and password or specify a target Splunk server.

You can look up help information for the CLI using:

./splunk help

For more information about how to access help for specific CLI commands or tasks, see "Get help with the CLI" and "Administrative CLI commands" in this manual.

Work with the CLI on *nix

If you have administrator or root privileges, you can simplify CLI access by adding the top level directory of your Splunk platform installation, $SPLUNK_HOME/bin, to your shell path.

This example works for Linux/BSD/Solaris users who installed Splunk Enterprise in the default location:

# export SPLUNK_HOME=/opt/splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

This example works for Mac users who installed Splunk Enterprise in the default location:

# export SPLUNK_HOME=/Applications/Splunk
# export PATH=$SPLUNK_HOME/bin:$PATH

Now you can invoke CLI commands using:

./splunk <command>

To set the $SPLUNK_HOME environment variable while working in a CLI session:

  • In *nix: source /opt/splunk/bin/setSplunkEnv
  • In Windows: splunk.exe envvars > setSplunkEnv.bat & setSplunkEnv.bat

Mac OS X requires elevated privileges to access system files or directories

Mac OS X requires superuser level access to run any command that accesses system files or directories. Run CLI commands using sudo or "su -" for a new shell as root. The recommended method is to use sudo. (By default the user "root" is not enabled but any administrator user can use sudo.)

Work with the CLI on Windows

To run CLI commands in Splunk Enterprise on Windows, open a PowerShell window or an Administrator-level command prompt.

Windows does not set the SPLUNK_HOME or other Splunk Enterprise environment variables by default. You must set these variables manually.

Set Splunk Enterprise environment variables temporarily

  1. Open a PowerShell window or command prompt.
  2. Enter the following command from within either the PowerShell window or command prompt to set environment variables temporarily, or use the Environment Variables dialog box in Computer Properties to set the variables permanently.

    PowerShell Command prompt
    $splunk_home=C:\Program Files\Splunk set SPLUNK_HOME="C:\Program Files\Splunk"
  3. Use the variable to run Splunk commands.
    PowerShell Command prompt
    $splunk_home\bin\splunk status %SPLUNK_HOME%\bin\splunk add forward-server -auth admin:changeme

Set Splunk Enterprise environment variables permanently

After you complete this procedure, Windows uses the values you set for the variables until you either change or delete the variable entries.

  1. From the Start Menu, click Control Panel. (On Windows 8.1 and 10 and Windows Server 2012 R2, you might need to hit the Start key on the keyboard or use the hot corners on the right side of the screen to get the Start Menu / Charms bar to appear.)
  2. In Control Panel, click System and Security.
  3. Under System, click See the name of this computer.
  4. Click Change settings
  5. In the System Properties dialog box, click the Advanced tab.
  6. Click Environment Variables.
  7. Under User variables for <user>, click New.
  8. In the Variable name field in the New user variable dialog box, type in SPLUNK_HOME.
  9. In the Variable value field, type in the full path of where you installed Splunk Enterprise.
  10. Click OK to save the new variable.
  11. Click OK to close the Environment variables dialog box.
  12. Click OK to close the System Properties dialog box.


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around using the CLI.

Back up configuration information
Get help with the CLI

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.1511, 6.3.2, 6.3.3, 6.3.4, 6.4.0, 6.4.1 View the Article History for its revisions.


http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/AbouttheCLI#How_to_access_the_CLI<br />^ that talks about setting up the "$PATH" then goes on to say "./splunk"<br /><br />It should probably instead say to "hash -r" then invoke as "splunk"

March 21, 2013

Logan, i recommend you try the User Manual to get some ideas:<br />http://www.splunk.com/base/Documentation/latest/User/<br /><br />tell Splunk to index some data, and then run a search for * in the Search app to see the events

August 23, 2010

How do you use splunk? So far all the technical docs just tell you what you can do. I would like to know how to check that what I have configured actually works. a step by step guide with basic examples would be nice.

August 20, 2010

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole
Feedback you enter here will be delivered to the documentation team

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters