Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

CLI search syntax

This is a quick discussion of the syntax and options available for using the search and rtsearch commands in the CLI.

CLI help for search

You can access the CLI help information for search and rtsearch by typing:

./splunk help search|rtsearch

You can also view information about the search language that the CLI supports by typing:

./splunk help search-commands|search-fields|search-modifiers

Note: By default, results from CLI searches are limited to 100 events. If you want to increase this limit, see the maxout flag below.

Syntax for CLI searches

The syntax for CLI searches is similar to the syntax for searches you run from Splunk Web except that you can pass parameters outside of the search object to control the time limit of the search, tell Splunk which server to run the search, and specify how Splunk displays results.

search | rtsearch [object][-parameter <value>]

Search objects

Search objects are enclosed in single quotes (' ') and can be keywords, expressions, or a series of search commands. On Windows OS use double quotes (" ") to enclose your search object.

Search objects can include not only keywords and search commands but also fields and modifiers to specify the events you want to retrieve and the results you want to generate.

Search parameters

Search parameters are options that control the way the search is run or the way the search results are displayed. All of these parameters are optional. Parameters that take Boolean values support {0, false, f, no} as negatives and {1, true, t, yes} positives.

Parameter Value(s) Default(s) Description
app <app_name> search Specify the name of the app in which to run your search.
batch <bool> F Indicates how to handle updates in preview mode.
detach <bool> F Triggers an asynchronous search and displays the job ID and TTL for the search.
header <bool> T Indicates whether to display a header in the table output mode.
max_time <number> 0 The length of time in seconds that a search job runs before it is finalized. A value of 0 means that there is no time limit.
maxout <number> search, 100

rtsearch, 0

The maximum number of events to return or send to stdout (when exporting events). The maximum allowable value is 10000. A value of 0 means that it will output an unlimited number of events.
output rawdata, table, csv, auto For non-transforming searches, rawdata.

For transforming searches, table.

Indicates how to display the job.
preview <bool> T Indicates that reporting searches should be previewed (displayed as results are calculated).
timeout <number> 0 The length of time in seconds that a search job is allowed to live after running. A value of 0 means that the job is canceled immediately after it is run.
uri [http|https]://name_of_server:management_port Specify the server name and management port. name_of_server can be the fully-resolved domain name or the IP address of the Splunk server.

The default uri value is the mgmtHostPort value that you defined in the Splunk server's web.conf.

For more information, see Access and use the CLI on a remote Splunk Server in the Admin manual.

wrap <bool> T Indicates whether to line wrap for individual lines that are longer than the terminal width.

Examples

You can see more examples in the CLI help information.

Example 1: Retrieve events from yesterday that match root sessions.

./splunk search "session root daysago=1"


Example 2: Retrieve events that match web access errors and detach the search.

./splunk search 'eventtype=webaccess error' -detach true

PREVIOUS
About CLI searches
 

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters