Splunk® Enterprise

Search Reference



Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

walklex

Description

Generates a list of terms or indexed fields from each bucket of event indexes.

Important: The walklex command does not work on hot buckets. This command only works on warm or cold buckets, after the buckets have a merged lexicon file or single time-series index (tsidx) file.

Due to the variable nature of merged_lexicon.lex and .tsidx files, walklex does not always return consistent results.

Syntax

The required syntax is in bold.

| walklex
[ type=<walklex-type> ]
[ prefix=<string> | pattern=<wc-string> ]
<index-list>
[ splunk_server=<wc-string> ]
[ splunk_server_group=<wc-string> ]...

Required arguments

<index-list>
Syntax: index=<index-name> index=<index-name> ...
Description: Limits the search to one or more indexes. For example, index=_internal.

Optional arguments

prefix | pattern
Syntax: prefix=<string> | pattern=<wc-string>
Description: Limits results to terms that match a specific pattern or prefix. Either prefix or pattern can be specified but not both. Includes only buckets with a merged_lexicon.lex file or a single tsidx file. This means that hot buckets are generally not included.
Default: pattern=*
splunk_server
Syntax: splunk_server=<wc-string>
Description: Specifies the distributed search peers from which to return results.
  • If you are using Splunk Cloud, omit this parameter.
  • If you are using Splunk Enterprise, you can specify only one splunk_server argument. However, you can use a wildcard when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
Default: All configured search peers return information
splunk_server_group
Syntax: splunk_server_group=<wc-string>
Description: Limits the results to one or more server groups. You can specify a wildcard character in the string to indicate multiple server groups with similar names. If you are using Splunk Cloud, omit this parameter.
Default: None
type
Syntax: type = ( all | field | fieldvalue | term )
Description: Specifies which type of terms to return in the lexicon. See Usage for more information about using the type argument options.
  • Use field to return only the unique field names in each index bucket.
  • Use fieldvalue to include only indexed field terms.
  • Use term to exclude all indexed field terms of the form "<field>::<value>".
Default: all

Usage

The walklex command is a generating command, which uses a leading pipe character. The walklex command must be the first command in a search. See Command types.

When the Splunk software indexes event data, it segments each event into raw tokens using rules specified in the segmenters.conf file. You might end up with raw tokens that are actually key-value pairs separated by an arbitrary delimiter such as an equals sign ( = ).

The following search uses the walklex and where commands to find the raw tokens in your index. The stats command is used to count the raw tokens:

| walklex index=<target-index> | where NOT like(term, "%::%") | stats sum(count) by term

Return only indexed field names

Specify the type=field argument to have walklex return only the field names from indexed fields.

The indexed fields returned by walklex can include default fields such as host, source, sourcetype, the date_* fields, punct, and so on. It can also include additional indexed fields configured as such in props.conf and transforms.conf and created with the INDEXED_EXTRACTIONS setting or other WRITE_META methods. The discovery of this last set of additional indexed fields is likely to help you with accelerating your searches.

Return the set of terms that are indexed fields with indexed values

Specify the type=fieldvalue argument to have walklex return the set of terms from the index that are indexed fields with indexed values.

The type=fieldvalue argument returns the list of terms from the index that are indexed fields with indexed values. Unlike the type=field argument, where the values returned are only the field names themselves, the type=fieldvalue argument returns the full <field>::<value> term for every indexed field that has a field value.

For example, if the indexed field term is runtime::0.04, the value returned by the type=fieldvalue argument is runtime::0.04. The value returned by the type=field argument is runtime.

Return all TSIDX keywords that are not part of an indexed field structure

Specify type=term to have walklex return the keywords from the TSIDX files that are not part of any indexed field structure. In other words, it excludes all indexed field terms of the form <field>::<value>.

Return terms of all three types

When you do not specify a type, walklex uses the default, type=all. Specifying type=all explicitly has the same effect. In either case, walklex returns the terms in the index of all three types: field, fieldvalue, and term.

When you use type=all, the indexed fields are not called out as explicitly as the fields are with the type=field argument. You need to split the term field on :: to obtain the field values from the indexed term.
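The following search is an added example, not part of the original topic. It combines the raw-token check from the Usage section with the split on :: described here: every term that walklex returns is classified as an indexed field term (contains ::), a raw key-value token (contains =), or a plain raw token, the key is extracted, and the counts are totalled per key. It assumes only the term and count fields that walklex returns and uses _internal as the target index.

```spl
| walklex type=all index=_internal
| eval kind = case(like(term, "%::%"), "indexed_field",
                   like(term, "%=%"), "raw_kv_token",
                   true(), "raw_token")
| rex field=term "^(?<key>[^:=]+)(?:::|=)(?<value>.*)$"
| fillnull value="-" key value
| stats sum(count) AS total_count dc(value) AS distinct_values BY kind key
| sort kind, -total_count
```

Plain raw tokens have no key and are grouped under "-"; to audit only the key-value raw tokens that are candidates for indexed fields, add | where kind="raw_kv_token" before the stats command.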

Restrictions

The walklex command applies only to event indexes. It cannot be used with metrics indexes.

walklex searches over indexes that have undergone tsidx bucket reduction will return incorrect results.

For more information see Reduce tsidx disk usage in Managing indexers and clusters of indexers.

People who have search filters applied to one or more of their roles cannot use walklex unless they also have a role with either the run_walklex capability or the admin_all_objects capability. For more information about role-based search filters, see Create and manage roles with Splunk Web in Securing the Splunk Platform. For more information about role-based capabilities, see Define roles on the Splunk platform with capabilities, in Securing the Splunk Platform.

Basic examples

1. Return the total count for each term in a specific bucket

The following example returns all of the terms in each bucket of the _internal index and finds the total count for each term.

| walklex index=_internal | stats sum(count) BY term

2. Specify multiple indexes

The following example returns all of the terms that start with foo in each bucket of the _internal and _audit indexes.

| walklex prefix=foo index=_internal index=_audit


3. Use a pattern to locate indexed field terms

The following example returns all of the indexed field terms for each bucket that end with bar in the _internal index.

| walklex pattern=*bar type=fieldvalue index=_internal


4. Return all field names of indexed fields

The following example returns all of the field names of indexed fields in each bucket of the _audit index.

| walklex type=field index=_audit

See also

Commands
metadata
tstats
Last modified on 17 September, 2021

This documentation applies to the following versions of Splunk® Enterprise: 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10

