About searches in the CLI

About searches in the CLI

You can use the Splunk CLI to monitor, configure, and execute searches on your Splunk server. This topic discusses how to search from the CLI.

• If you're looking for how to access the CLI and find help for it, refer to "About the CLI" in the Admin manual.

CLI help for search

You can run both historical and real-time searches from the CLI in Splunk by invoking the search or rtsearch commands, respectively. The following is a table of useful search-related CLI help objects. To see the full help information for each object, type into the CLI:

./splunk help <object>

Object	Description
rtsearch	Returns the parameters and syntax for real-time searches.
search	Returns the parameters and syntax for historical searches.
search-commands	Returns a list of search commands that you can use from the CLI.
search-fields	Returns a list of default fields.
search-modifiers	Returns a list of search and time-based modifiers that you can use to narrow your search.

Search in the CLI

Historical and real-time searches in the CLI work the same way as searches in Splunk Web except that there is no timeline rendered with the search results and there is no default time range. Instead, the results are displayed as a raw events list or a table, depending on the type of search.

• For more information, read "Type of searches" in the Search Overview chapter of the Search Manual.

The syntax for CLI searches is similar to the syntax for searches you run from Splunk Web except that you can pass parameters outside of the query to control the time limit of the search, tell Splunk which server to run the search, and specify how Splunk displays results.

• For more information about the CLI search options, see the next topic in this chapter, "CLI search syntax".
• For more information about how to search remote Splunk servers from your local server, see "Access and use the CLI on a remote server" in the Admin manual.

• Was this topic useful?
• Post a comment