Search Reference


Search Reference Overview

Search Command Cheat Sheet and Splunk Enterprise Quick Reference Guide

Search Command Cheat Sheet and Splunk Enterprise Quick Reference Guide

This topic lists resources you can use as a quick reference and cheat sheet for learning the Splunk Search Language.

Download the Splunk Enterprise Quick Reference Guide

The Splunk Enterprise Quick Reference Guide (updated for version 6.1), is available only as a PDF file. It is a six-page reference card that provides fundamental search concepts, commands, functions, and examples.

Download the Search Command Cheat Sheet

The Search Command Cheat Sheet is a quick command reference complete with descriptions and examples. The Search Command Cheat Sheet is also available for download as an eight-page PDF file.

Note: In the examples on this page, a leading ellipsis (...) indicates that there is a search before the pipe operator. A leading pipe indicates that the search command is a generating command and prevents the command-line interface and Splunk Web from prepending the search command to your search.


View information in the "audit" index. index=_audit | audit
Crawl root and home directories and add all possible inputs found. Then, adds configuration information to inputs.conf. | crawl root="/;/Users/" | input add
Return information about the buckets in the _internal index. | dbinspect index=_internal
Return the values of host for events in the _internal index. | metadata type=hosts index=_internal
Return typeahead information for sources in the _internal index. | typeahead prefix=source count=10 index=_internal


Send an email notification with a pdf attachment, a message, and raw inline results. index=_internal | head 5 | sendemail subject="Here is an email from Splunk" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true



Save the running total of count in a field called total_count. ... | accum count AS total_count
Add information about the search to each event. ... | addinfo
Search for "404" events and append the fields in each event to the previous search results. ... | appendcols [search 404]
For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff. ... | delta count AS countdiff
Extract out values like "7/01", and put them into the monthday field. ... | erex monthday examples="7/01"
Define a field named velocity that is calculated as distance / time. ... | eval velocity=distance/time
Extract field/value pairs and reload field extraction settings from disk. ... | extract reload=true
Extract field/value pairs that are delimited by |;, and values of fields that are delimited by =: . ... | extract pairdelim="|;", kvdelim="=:", auto=f
Add location information (based on IP address). ... | iplocation clientip
Extract values from eventtype.form if the file exists. ... | kvform field=eventtype
There is a lookup table specified in a stanza name usertogroup in transforms.conf. This lookup table contains (at least) two fields, user and group. For each event, we look up the value of the field local_user in the table and for any entries that matches, the value of the group field in the lookup table will be written to the field user_group in the event. ... | lookup usertogroup user as local_user OUTPUT group as user_group
Extract the COMMAND field when it occurs in rows that contain splunkd. ... | multikv fields COMMAND filter splunkd
Set range to "green" if the date_second is between 1-30; "blue", if between 31-39; "red", if between 40-59; and "gray", if no range matches (for example, if date_second=0). ... | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray
Calculate the relevancy of the search and sort the results in descending order. disk error | relevancy | sort -relevancy
Extract from and to fields using regular expressions. If a raw event contains From: Susan To: Bob, then from=Susan and to=Bob. ... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
Extract the author field from XML or JSON formatted data about books. ... | spath output=author path=book{@author}
Add the field: comboIP. Values of comboIP = "sourceIP + "/" + destIP". ... | strcat sourceIP "/" destIP comboIP
Extract field/value pairs from XML formatted data. xmlkv automatically extracts values between XML tags. ... | xmlkv


Convert every field value to a number value except for values in the field foo. Use the none argument to specify fields to ignore. ... | convert auto(*) none(foo)
Change all memory values in the virtual field to kilobytes. ... | convert memk(virtual)
Change the sendmail syslog duration format (D+HH:MM:SS) to seconds. For example, if delay="00:10:15", the resulting value will be delay="615". ... | convert dur2sec(delay)
Convert values of the duration field into number value by removing string values in the field value. For example, if duration="212 sec", the resulting value will be duration="212". ... | convert rmunit(duration)
Separate the value of foo into multiple values. ... | makemv delim=":" allowempty=t foo
For sendmail events, combine the values of the senders field into a single value. Then, display the top 10 values. eventtype="sendmail" | nomv senders | top senders


Keep the host and ip fields, and display them in the order: host, ip. ... | fields + host, ip
Remove the host and ip fields. ... | fields - host, ip


Build a time series chart of web events by host and fill all empty fields with NULL. sourcetype="web" | timechart count by host | fillnull value=NULL
Rename the _ip field as IPAddress. ... | rename _ip as IPAddress
Change any host value that ends with localhost to localhost. ... | replace *localhost with localhost in host


Show a summary of up to five lines for each search result. ... |abstract maxlines=5
Compare the ip values of the first and third search results. ... | diff pos1=1 pos2=3 attribute=ip
Highlight the terms login and logout. ... | highlight login,logout
Output the _raw field of your current search into _xml. ... | outputtext
Anonymize the current search results. ... | scrub
Un-escape all XML characters. ... | xmlunescape


Add location information to web access events, and return a table of the IP address, City and Country for each client error. sourcetype=access_* status=404 | head 20 | iplocation clientip | table clientip, City, Country
Compute the average rating for each gender after clustering/grouping the events by their coordinate values. ... | geostats latfield=eventlat longfield=eventlong avg(rating) by gender


Add each source found by crawl in the default index with automatic source classification. | crawl | input add
Delete events from the imap index that contain the word "invalid". index=imap invalid | delete
Put download events into an index named downloadcount eventtypetag="download" | collect index=downloadcount
Find overlapping events in the summary index. index=summary | overlap

Prediction and trends

Predict future downloads based on previous download numbers. predict count
Compute moving averages for fields foo and bar. ... | trendline sma5(foo) as smoothed_foo ema10(bar)
Calculate the trend in the data, without the seasonality. index=download | timechart span=1d count(file) as count | x11 mult15(count)


Calculate the sums of the numeric fields of each result, and put the sums in the field "sum". ... | addtotals fieldname=sum
Analyze the numerical fields to predict the value of is_activated. ... | af classfield=is_activated
Return events with uncommon values. ... | anomalousvalue action=filter pthresh=0.02
Return results associated with each other (that have at least 3 references to each other). ... | associate supcnt=3
For each event, copy the 2nd, 3rd, 4th, and 5th previous values of the count field into the respective fields count_p2, count_p3, count_p4, and count_p5. ... | autoregress count p=2-5
Bucket search results into 10 bins, and return the count of raw events for each bucket. ... | bucket size bins=10 | stats count(_raw) by size
Return the average thruput of each host for each five minute time span. ... | bucket _time span=5m | stats avg(thruput) by _time host
Return the average (mean) size for each distinct host. ... | chart avg(size) by host
Return the maximum delay by size, where size is broken down into a maximum of 10 equal sized buckets. ... | chart max(delay) by size bins=10
Return the ratio of the average (mean) size to the maximum delay for each distinct host and user pair. ... | chart eval(avg(size)/max(delay)) by host user
Calculate the max(delay) for each value of foo split by the value of bar. ... | chart max(delay) over foo by bar
Build a contingency table of datafields from all events. ... | contingency datafield1 datafield2 maxrows=5 maxcols=5 usetotal=F
Calculate the co-occurrence correlation between all fields. ... | correlate type=cocur
Return the number of events in the _internal index. | eventcount index=_internal
Compute the overall average duration and add avgdur as a new field to each event where the duration field exists ... | eventstats avg(duration) as avgdur
Make _time continuous with a span of 10 minutes. ... | makecontinuous _time span=10m
Remove all outlying numerical values. ... | outlier
Return the least common values of the url field. ... | rare url
Remove duplicates of results with the same host value and return the total count of the remaining results. ... | stats dc(host)
Return the average for each hour, of any unique field that ends with the string lay (for example, delay, xdelay, relay, etc). ... | stats avg(*lay) BY date_hour
Search the access logs, and return the number of hits from the top 100 values of "referer_domain". sourcetype=access_combined | top limit=100 referer_domain | stats sum(count)
For each event, add a count field that represent the number of event seen so far (including that event). i.e., 1 for the first event, 2 for the second, 3, 4 ... and so on ... | streamstats count
Graph the average thruput of hosts over time. ... | timechart span=5m avg(thruput) by host
Create a timechart of average cpu_seconds by host, and remove outlying values that may distort the timechart's axis. ... | timechart avg(cpu_seconds) by host | outlier action=t
Calculate the average value of CPU each minute for each host. ... | timechart span=1m avg(CPU) by host
Create a timechart of the count of from web sources by host. ... | timechart count by host
Compute the product of the average CPU and average MEM each minute for each host. ... | timechart span=1m eval(avg(CPU) * avg(MEM)) by host
Return the 20 most common values of the url field. ... | top limit=20 url
Reformat the search results and display only specified fields. ... | timechart avg(delay) by host | untable _time host avg_delay
Reformat the search results into a format suitable for charting. ... | xyseries delay host_type host



Count the number of different IP addresses who accessed the Web server and also find the user who accessed the web server the most for each type of page request (method). sourcetype=access_* | stats dc(clientip), count by method | append [search sourcetype=access_* | top 1 clientip by method]
Joins previous result set with results from the subsearch, on the id field. ... | join id [search foo]


Return only anomalous events. ... | anomalies
Remove duplicates of results with the same host value. ... | dedup host
Combine the values of foo with a colon delimiter. ... | mvcombine delim=":" foo
Keep only search results whose raw text contains IP addresses in the non-routable class A ( ... | regex _raw="(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
Join results with itself on id field. ... | selfjoin id
For the current search, keep only unique results. ... | uniq
Return physicsobjs events with a speed greater than 100. sourcetype=physicsobjs | where distance/time > 100


All daily time ranges from Oct 25 till today. | gentimes start=10/25/07
Loads the events that were generated by the search job with id=1233886270.2. | loadjob 1233886270.2 events=t
Create new events for each value of multivalue field, foo. ... | mvexpand foo
Run the saved search named mysecurityquery. | savedsearch mysecurityquery


Cluster events together and sort them by their cluster_count values. Then return the 20 largest clusters (in data size). ... | cluster t=0.9 showcount=true | sort - cluster_count | head 20
Group search results into 4 clusters based on the values of the date_hour and date_minute fields. ... | kmeans k=4 date_hour date_minute
Group search results that have the same host and cookie, occur within 30 seconds of each other, and do not have a pause greater than 5 seconds between each event into a transaction. ... | transaction host cookie maxspan=30s maxpause=5s
Force Splunk to apply event types that you have configured. Splunk Web automatically does this when you view the eventtype field. ... | typer


Return the first 20 results. ... | head 20
Reverse the order of a result set. ... | reverse
Sort results by ip value in ascending order and then by url value in descending order. ... | sort ip, -url
Return the last 20 results (in reverse order). ... | tail 20


Read in results from the CSV file: $SPLUNK_HOME/var/run/splunk/all.csv. Keep any that contain the string "error". Then, save the results to the file: $SPLUNK_HOME/var/run/splunk/error.csv . | inputcsv all.csv | search error | outputcsv errors.csv
Read in users.csv lookup file, which is located in $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups . | inputlookup users.csv


Output search results to the CSV file, mysearch.csv . ... | outputcsv mysearch
Write to users.csv lookup file, which is located in $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups . | outputlookup users.csv


Keep only search results that have the specified src or dst values. src="10.9.165.*" OR dst=""


Run the Python script myscript with arguments: myarg1 and myarg2. Then, email the results. ... | script python myscript myarg1 myarg2 | sendemail


Get the top two results and create a search from their host, source, and sourcetype that returns a single search result with a _query field: _query=( ( "host::mylaptop" AND "source::syslog.log" AND "sourcetype::syslog" ) OR ( "host::bobslaptop" AND "source::bob-syslog.log" AND "sourcetype::syslog" ) ) ... | head 2 | fields source, sourcetype, host | format
Search the time range of each previous result for "failure". ... | localize maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"
Return values of url that contain the string "404" or "303" but not both. | set diff [search 404 | fields url] [search 303 | fields url]


Run commands on the local search head only. In this case, all events returned by the initial search for "FOO and BAR" forwards from remote peers to the local search head where the iplocation command runs. FOO BAR | localop | iplocation allfields=t clientip


Returns all events that occurred hourly from Oct 1 till Oct 5. ... | gentimes start=10/1/14 end=10/5/14 increment=1h
Search the time range of each previous result for "failure". ... | localize maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"
Add a field called reltime that describes the time the event occurred, such as "5 seconds ago" and "1 minute ago". status=503 | reltime

Learn more on Splunk Answers

If you can't find what you're looking for here, check out Splunk Answers and see what questions and answers other Splunk users had about the search language.

This documentation applies to the following versions of Splunk: 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.1.5 , 6.1.6 , 6.1.7 , 6.1.8 , 6.2.0 , 6.2.1 , 6.2.2 , 6.2.3 View the Article History for its revisions.


Where above it says...

Extract field/value pairs that are delimited by |;, and values of fields that are delimited by =:

I would recommend you change it to...

Extract field/value pairs that are delimited by | or ;, and values of fields that are delimited by = OR :

Which is how it behaves. This caused a fair amount of confusion because we were trying to handle situations with multi-character delimiters. Eventually found another way using transforms to handle that use case.

March 31, 2015

You must be logged into in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!