Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

walklex

Description

Generates a list of terms or indexed fields from each bucket of event indexes.

Important: The walklex command does not work on hot buckets. This command only works on warm or cold buckets, after the buckets have a merged lexicon file or single time-series index (tsidx) file.

Due to the variable nature of merged_lexicon.lex and .tsidx files, walklex does not always return consistent results.

Syntax

The required syntax is in bold.

| walklex
[ type=<walklex-type> ]
[ prefix=<string> | pattern=<wc-string> ]
<index-list>
[ splunk_server=<wc-string> ]
[ splunk_server_group=<wc-string> ]...

Required arguments

<index-list>
Syntax: index=<index-name> index=<index-name> ...
Description: Limits the search to one or more indexes. For example, index=_internal.

Optional arguments

prefix | pattern
Syntax: prefix=<string> | pattern=<wc-string>
Description: Limits results to terms that match a specific pattern or prefix. Either prefix or pattern can be specified but not both. Includes only buckets with a merged_lexicon.lex file or a single tsidx file. This means that hot buckets are generally not included.
Default: pattern=*
splunk_server
Syntax: splunk_server=<wc-string>
Description: Specifies the distributed search peers from which to return results.
  • If you are using Splunk Cloud, omit this parameter.
  • If you are using Splunk Enterprise, you can specify only one splunk_server argument. However, you can use a wildcard when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
Default: All configured search peers return information


splunk_server_group
Syntax: splunk_server_group=<wc-string>
Description: Limits the results to one or more server groups. You can specify a wildcard character in the string to indicate multiple server groups with similar names. If you are using Splunk Cloud, omit this parameter.
Default: None
type
Syntax: type = ( all | field | fieldvalue | term )
Description: Specifies which type of terms to return in the lexicon. See Usage for more information about using the type argument options.
  • Use field to return only the unique field names in each index bucket.
  • Use fieldvalue to include only indexed field terms.
  • Use term to exclude all indexed field terms of the form "<field>::<value>".
Default: all

Usage

The walklex command is a generating command, which use a leading pipe character. The walklex command must be the first command in a search. See Command types.

The walklex command applies only to event indexes. It cannot be used with metrics indexes.

When the Splunk software indexes event data, it segments each event into raw tokens using rules specified in segmenters.conf file. You might end up with raw tokens that are actually key-value pairs separated by an arbitrary delimiter such as an equal ( = ) symbol.

The following search uses the walklex and where commands to find the raw tokens in your index. The stats command is used to count the raw tokens:

| walklex index=<target-index> | where NOT like(term, "%::%") | stats sum(count) by term

Using type=field

When the type=field argument is specified, the results returned will include only the field names from indexed fields. With the default settings, the Splunk software indexes the values for host, source, and sourcetype. In addition, the settings in the props.conf file can permit the creation of the date_* fields, the punct field, etc. Any additional fields, whether created by INDEXED_EXTRACTIONS or other "WRITE_META" methods, would also be returned. It is the discovery of this list of additional fields which is most likely to benefit you in accelerating your searches.

Using type=fieldvalue

The type=fieldvalue argument returns the list of terms from the index which are part of indexed fields and have indexed values. Unlike the type=field argument, where the values returned are only the field names themselves, the type=fieldvalue argumentt returns terms that have any field value for an indexed term.

For example, if the indexed field term is runtime::0.04, the value returned with the type=fieldvalue is runtime::0.04. The value returned by the type=field argument would be runtime.

Using type=term

When type-term is specified, the keywords from the TSIDX files which are not part of any indexed field structure are returned.

Using type=all

When no type is specified, the default type=all is used. The terms in the index of all three types field, fieldvalue, and term are returned.

When type=all is used, the indexed fields are not called out explicitly as the fields are with the type=field argument. You will need to split the term field on :: to obtain the field values from the indexed term.

Walklex and tsidx bucket reduction

The walklex command searches over indexes that have undergone tsidx bucket reduction will return incorrect results.

For more information see Reduce tsidx disk usage in Managing indexers and clusters of indexers.

Basic examples

1. Return the total count for each term in a specific bucket

The following example returns all of the terms in each bucket of the _internal index and finds the total count for each term.

| walklex index=_internal | stats sum(count) BY term

2. Specifying multiple indexes

The following example returns all of the terms that start with foo in each bucket of the _internal and _audit indexes.

| walklex prefix=foo index=_internal index=_audit


3. Use a pattern to locate indexed field terms

The following example returns all of the indexed field terms for each bucket that end with bar in the _internal index.

| walklex pattern=*bar type=fieldvalue index=_internal


4. Return all field names of indexed fields

The following example returns all of the field names of indexed fields in each bucket of the _audit index.

| walklex type=field index=_audit

See also

Commands
metadata
tstats
Last modified on 17 September, 2021
untable   where

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters