Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Popular search commands

The following table lists the more frequently used Splunk search commands. Some of these commands share functions -- you can see a list of these functions with descriptions and examples on the following pages: Functions for eval and where and Functions for stats, chart, and timechart.

Command Alias(es) Description See also
bucket bin, discretize Puts continuous numerical values into discrete sets. chart, timechart
chart Returns results in a tabular output for charting. See also, Functions for stats, chart, and timechart. bucket, sichart, timechart
dedup Removes subsequent results that match a specified criteria. uniq
eval Calculates an expression and puts the value into a field. See also, Functions for eval and where. where
extract kv Extracts field-value pairs from search results. kvform, multikv, xmlkv, rex
fields Removes fields from search results.
head Returns the first number n of specified results. reverse, tail
lookup Explicitly invokes field value lookups.
multikv Extracts field-values from table-formatted events.
rangemap Sets RANGE field to the name of the ranges that match.
rare Displays the least common values of a field. sirare, stats, top
rename Renames a specified field; wildcards can be used to specify multiple fields.
replace Replaces values of specified fields with a specified new value.
rex Specify a Perl regular expression named groups to extract fields while you search. extract, kvform, multikv, xmlkv, regex
search Searches Splunk indexes for matching events.
spath Extracts key-value pairs from XML or JSON formats. extract, kvform, multikv, rex, xmlkv
sort Sorts search results by the specified fields. reverse
stats Provides statistics, grouped optionally by fields. See also, Functions for stats, chart, and timechart. eventstats, top, rare
tail Returns the last number n of specified results. head, reverse
timechart Create a time series chart and corresponding table of statistics. See also, Functions for stats, chart, and timechart. chart, bucket
top common Displays the most common values of a field. rare, stats
transaction transam Groups search results into transactions.
where Performs arbitrary filtering on your data. See also, Functions for eval and where. eval
xmlkv Extracts XML key-value pairs. extract, kvform, multikv, rex, spath

Answers

Have questions about search commands? Check out Splunk Answers to see what questions and answers other Splunk users had about the search language.

 

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.3.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters