All search commands
The table below lists all search commands with a short description and links to their individual reference pages. For a quick guide with examples for use of these search commands, refer to the Search cheat sheet.
Some of these commands share functions -- you can see a list of these functions with descriptions and examples on the following pages: Functions for eval and where and Functions for stats, chart, and timechart.
| Command | Alias(es) | Description | See also |
|---|---|---|---|
| abstract | excerpt | Produces a summary of each search result. | highlight |
| accum | | Keeps a running total of the specified numeric field. | autoregress, delta, trendline, streamstats |
| addcoltotals | | Computes an event that contains the sum of all numeric fields for previous events. | addtotals, stats |
| addinfo | | Adds fields that contain common information about the current search. | search |
| addtotals | | Computes the sum of all numeric fields for each result. | addcoltotals, stats |
| analyzefields | | Analyzes numerical fields for their ability to predict another discrete field. | anomalousvalue |
| anomalies | | Computes an "unexpectedness" score for an event. | anomalousvalue, cluster, kmeans, outlier |
| anomalousvalue | | Finds and summarizes irregular, or uncommon, search results. | analyzefields, anomalies, cluster, kmeans, outlier |
| append | | Appends subsearch results to current results. | appendcols, appendcsv, appendlookup, join, set |
| appendcols | | Appends the fields of the subsearch results to current results, first result to first result, second to second, etc. | append, appendcsv, appendlookup, join, set |
| appendpipe | | Appends the result of the subpipeline applied to the current result set to results. | append, appendcols, join, set |
| associate | | Identifies correlations between fields. | correlate, contingency |
| audit | | Returns audit trail information that is stored in the local audit index. | |
| autoregress | | Sets up data for calculating the moving average. | accum, autoregress, delta, trendline, streamstats |
| bucket | bin, discretize | Puts continuous numerical values into discrete sets. | chart, timechart |
| bucketdir | | Replaces a field value with a higher-level grouping, such as replacing filenames with directories. | cluster, dedup |
| chart | | Returns results in a tabular output for charting. See also Functions for stats, chart, and timechart. | bucket, sichart, timechart |
| cluster | sic | Clusters similar events together. | anomalies, anomalousvalue, cluster, kmeans, outlier |
| collect | stash | Puts search results into a summary index. | overlap |
| concurrency | | Uses a duration field to find the number of "concurrent" events for each event. | timechart |
| contingency | counttable, ctable | Builds a contingency table for two fields. | associate, correlate |
| convert | | Converts field values into numerical values. | eval |
| correlate | | Calculates the correlation between different fields. | associate, contingency |
| crawl | | Crawls the filesystem for new sources to index. | |
| dbinspect | | Returns information about the specified index. | |
| dedup | | Removes subsequent results that match specified criteria. | uniq |
| delete | | Deletes specific events or search results. | |
| delta | | Computes the difference in field value between nearby results. | accum, autoregress, trendline, streamstats |
| diff | | Returns the difference between two search results. | |
| dispatch | | Encapsulates long-running, streaming reports. | |
| erex | | Allows you to specify example or counter-example values to automatically extract fields that have similar values. | extract, kvform, multikv, regex, rex, xmlkv |
| eval | | Calculates an expression and puts the value into a field. See also Functions for eval and where. | where |
| eventstats | | Adds summary statistics to all search results. | stats |
| extract | kv | Extracts field-value pairs from search results. | kvform, multikv, xmlkv, rex |
| fieldformat | | Expresses how to render a field at output time without changing the underlying value. | eval, where |
| fields | | Removes fields from search results. | |
| file | | This command is no longer supported. See inputcsv. | |
| filldown | | Replaces NULL values with the last non-NULL value. | fillnull |
| fillnull | | Replaces null values with a specified value. | |
| format | | Takes the results of a subsearch and formats them into a single result. | |
| gauge | | Transforms results into a format suitable for display by the Gauge chart types. | |
| gentimes | | Generates time-range results. | |
| head | | Returns the first n of the specified results. | reverse, tail |
| highlight | | Causes Splunk Web to highlight specified terms. | |
| history | | Returns a history of searches formatted as an events list or as a table. | search |
| iconify | | Causes Splunk Web to make a unique icon for each value of the fields listed. | highlight |
| input | | Adds sources to Splunk or disables sources from being processed by Splunk. | |
| inputcsv | | Loads search results from the specified CSV file. | loadjob, outputcsv |
| inputlookup | | Loads search results from a specified static lookup table. | inputcsv, join, lookup, outputlookup |
| iplocation | | Extracts location information from IP addresses. | |
| join | | SQL-like joining of results from the main results pipeline with the results from the subpipeline. | selfjoin, appendcols |
| kmeans | | Performs k-means clustering on selected fields. | anomalies, anomalousvalue, cluster, outlier |
| kvform | | Extracts values from search results, using a form template. | extract, kvform, multikv, xmlkv, rex |
| loadjob | | Loads search results from a specified CSV file. | inputcsv |
| localize | | Returns a list of the time ranges in which the search results were found. | map, transaction |
| lookup | | Explicitly invokes field value lookups. | |
| makecontinuous | | Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart). | chart, timechart |
| makemv | | Changes a specified field into a multivalued field during a search. | mvcombine, mvexpand, nomv |
| map | | A looping operator; performs a search over each search result. | |
| mappy | | Similar to the eval operator, except it uses a Python expression to calculate the output field for each result. | extract, iconify, reducepy, rex, xmlkv, xpath, xmlunescape |
| metadata | | Returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. | dbinspect |
| metasearch | | Retrieves event metadata from indexes based on terms in the logical expression. | metadata, search |
| multikv | | Extracts field-values from table-formatted events. | |
| mvcombine | | Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. | mvexpand, makemv, nomv |
| mvexpand | | Expands the values of a multivalue field into separate events, one for each value of the multivalue field. | mvcombine, makemv, nomv |
| nomv | | Changes a specified multivalued field into a single-value field at search time. | makemv, mvcombine, mvexpand |
| outlier | outlierfilter | Removes outlying numerical values. | anomalies, anomalousvalue, cluster, kmeans |
| outputcsv | | Outputs search results to a specified CSV file. | inputcsv, outputtext |
| outputlookup | | Writes search results to the specified static lookup table. | inputlookup, lookup, outputcsv, outputlookup |
| outputtext | | Outputs the raw text field (_raw) of results into the _xml field. | outputtext |
| overlap | | Finds events in a summary index that overlap in time or have missed events. | collect |
| rangemap | | Sets the RANGE field to the name of the ranges that match. | |
| rare | | Displays the least common values of a field. | sirare, stats, top |
| reducepy | | Applies Python's reduce function over search results. | extract, iconify, mappy, rex, xmlkv, xmlunescape, xpath |
| regex | | Removes results that do not match the specified regular expression. | rex, search |
| relevancy | | Calculates how well the event matches the query. | |
| reltime | | Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results. | convert |
| rename | | Renames a specified field; wildcards can be used to specify multiple fields. | |
| replace | | Replaces values of specified fields with a specified new value. | |
| reverse | | Reverses the order of the results. | head, sort, tail |
| rex | | Specifies Perl regular expression named groups to extract fields while you search. | extract, kvform, multikv, xmlkv, regex |
| rtorder | | Buffers events from a real-time search to emit them in ascending time order when possible. | |
| run | | See script. | |
| savedsearch | macro, savedsplunk | Returns the search results of a saved search. | |
| script | run | Runs an external Perl or Python script as part of your search. | |
| scrub | | Anonymizes the search results. | |
| search | | Searches Splunk indexes for matching events. | |
| searchtxn | | Finds transaction events within specified search constraints. | transaction |
| selfjoin | | Joins results with themselves. | join |
| sendemail | | Emails search results to a specified email address. | |
| set | | Performs set operations on subsearches. | |
| setfields | | Sets the field values for all results to a common value. | eval, fillnull, rename |
| sichart | | Summary indexing version of chart. | chart, sitimechart, timechart |
| sirare | | Summary indexing version of rare. | rare |
| sistats | | Summary indexing version of stats. | stats |
| sitimechart | | Summary indexing version of timechart. | chart, sichart, timechart |
| sitop | | Summary indexing version of top. | top |
| sort | | Sorts search results by the specified fields. | reverse |
| spath | | Provides a straightforward means for extracting fields from structured data formats, XML and JSON. | xpath |
| stats | | Provides statistics, optionally grouped by fields. See also Functions for stats, chart, and timechart. | eventstats, top, rare |
| strcat | | Concatenates string values. | |
| streamstats | | Adds summary statistics to all search results in a streaming manner. | eventstats, stats |
| table | | Creates a table using the specified fields. | fields |
| tags | | Annotates specified fields in your search results with tags. | eval |
| tail | | Returns the last n of the specified results. | head, reverse |
| timechart | | Creates a time series chart and corresponding table of statistics. See also Functions for stats, chart, and timechart. | chart, bucket |
| top | common | Displays the most common values of a field. | rare, stats |
| transaction | transam | Groups search results into transactions. | |
| transpose | | Reformats rows of search results as columns. | |
| trendline | | Computes moving averages of fields. | timechart |
| typeahead | | Returns typeahead information on a specified prefix. | |
| typelearner | | Generates suggested eventtypes. | typer |
| typer | | Calculates the eventtypes for the search results. | typelearner |
| uniq | | Removes any result that is an exact duplicate of a previous result. | dedup |
| untable | | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. | |
| where | | Performs arbitrary filtering on your data. See also Functions for eval and where. | eval |
| xmlkv | | Extracts XML key-value pairs. | extract, kvform, multikv, rex |
| xmlunescape | | Unescapes XML. | |
| xpath | | Redefines the XML path. | |
| xyseries | | Converts results into a format suitable for graphing. | |
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2
Comments
Hello, FYI there are some formatting problems in the PDF version of this document. Pages 34 - 42 are cut off.
Thank you, Charles, we are aware of this formatting issue with the PDF files--tables that contain text formatted with pre tags can get cut off on the right margin. We are working on a solution.