Splunk® Enterprise

Search Reference

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

walklex

Description

Generates a list of terms or indexed fields from each bucket of event indexes.

Webinar Icon.png Watch this Splunk How-To video, Using the Walklex Command, to see a demonstration about how to use this command.

Due to the variable nature of merged_lexicon.lex and .tsidx files, the walklex command does not always return consistent results.

The walklex command doesn't work on hot buckets. This command only works on warm or cold buckets, after the buckets have a merged lexicon file or single time-series index (tsidx) file. If neither of these files exist, a message is returned, as expected. This message doesn't indicate that there is a problem with the health of your environment.

Syntax

The required syntax is in bold.

| walklex
[ type=<walklex-type> ]
[ prefix=<string> | pattern=<wc-string> ]
<index-list>
[ splunk_server=<wc-string> ]
[ splunk_server_group=<wc-string> ]...

Required arguments

<index-list>
Syntax: index=<index-name> index=<index-name> ...
Description: Limits the search to one or more indexes. For example, index=_internal.

Optional arguments

prefix | pattern
Syntax: prefix=<string> | pattern=<wc-string>
Description: Limits results to terms that match a specific pattern or prefix. Either prefix or pattern can be specified but not both. Includes only buckets with a merged_lexicon file or a single tsidx file. This means that hot buckets are generally not included.
Default: pattern=*
splunk_server
Syntax: splunk_server=<wc-string>
Description: Specifies the distributed search peers from which to return results.
  • If you are using Splunk Cloud Platform, omit this parameter.
  • If you are using Splunk Enterprise, you can specify only one splunk_server argument. However, you can use a wildcard when you specify the server name to indicate multiple servers. For example, you can specify splunk_server=peer01 or splunk_server=peer*. Use local to refer to the search head.
Default: All configured search peers return information
splunk_server_group
Syntax: splunk_server_group=<wc-string>
Description: Limits the results to one or more server groups. You can specify a wildcard character in the string to indicate multiple server groups with similar names.
  • If you are using Splunk Cloud Platform, omit this parameter.
Default: None
type
Syntax: type = ( all | field | fieldvalue | term )
Description: Specifies which type of terms to return in the lexicon. See Usage for more information about using the type argument options.
  • Use field to return only the unique field names in each index bucket.
  • Use fieldvalue to include only indexed field terms.
  • Use term to exclude all indexed field terms of the form <field>::<value>.
Default: all

Usage

The walklex command is a generating command, which use a leading pipe character. The walklex command must be the first command in a search. See Command types.

When the Splunk software indexes event data, it segments each event into raw tokens using rules specified in segmenters.conf file. You might end up with raw tokens that are actually key-value pairs separated by an arbitrary delimiter such as an equal ( = ) symbol.

The following search uses the walklex and where commands to find the raw tokens in your index. It uses the stats command to count the raw tokens.

| walklex index=<target-index> | where NOT like(term, "%::%") | stats sum(count) by term

Return only indexed field names

Specify the type=field argument to have walklex return only the field names from indexed fields.

The indexed fields returned by walklex can include default fields such as host, source, sourcetype, the date_* fields, punct, and so on. It can also include additional indexed fields configured as such in props.conf and transforms.conf and created with the INDEXED_EXTRACTIONS setting or other WRITE_META methods. The discovery of this last set of additional indexed fields is likely to help you with accelerating your searches.

Return the set of terms that are indexed fields with indexed values

Specify type=fieldvalue argument to have walklex return the set of terms from the index that are indexed fields with indexed values.

The type=fieldvalue argument returns the list terms from the index that are indexed fields with indexed values. Unlike the type=field argument, where the values returned are only the field names themselves, the type=fieldvalue argument returns indexed field names that have any field value.

For example, if the indexed field term is runtime::0.04, the value returned by the type=fieldvalue argument is runtime::0.04. The value returned by the type=field argument is runtime.

Return all TSIDX keywords that are not part of an indexed field structure

Specify type=term to have walklex return the keywords from the TSIDX files that are not part of any indexed field structure. In other words, it excludes all indexed field terms of the form <field>::<value>.

Return terms of all three types

When you do not specify a type, or when you specify type=all, walklex uses the default type=all argument. This causes walklex to return the terms in the index of all three types: field, fieldvalue, and term.

When you use type=all, the indexed fields are not called out as explicitly as the fields are with the type=field argument. You need to split the term field on :: to obtain the field values from the indexed term.

Support for hot buckets

Because the walklex command doesn't work on hot buckets, recently loaded data displays in search results only after buckets have rolled over from hot to warm. You can either wait for buckets of an index to roll over from hot to warm on their own, or you can restart Splunk platform or manually roll the buckets over to warm. See Rolling buckets manually from hot to warm.

Restrictions

The walklex command applies only to event indexes. It cannot be used with metrics indexes.

People who have search filters applied to one or more of their roles cannot use walklex unless they also have a role with either the run_walklex capability or the admin_all_objects capability. For more information about role-based search filters, see Create and manage roles with Splunk Web in Securing the Splunk Platform. For more information about role-based capabilities, see Define roles on the Splunk platform with capabilities, in Securing the Splunk Platform.

Basic examples

1. Return the total count for each term in a specific bucket

The following example returns all of the terms in each bucket of the _internal index and finds the total count for each term.

| walklex index=_internal | stats sum(count) BY term

2. Specifying multiple indexes

The following example returns all of the terms that start with foo in each bucket of the _internal and _audit indexes.

| walklex prefix=foo index=_internal index=_audit

3. Use a pattern to locate indexed field terms

The following example returns all of the indexed field terms for each bucket that end with bar in the _internal index.

| walklex pattern=*bar type=fieldvalue index=_internal

4. Return all field names of indexed fields

The following example returns all of the field names of indexed fields in each bucket of the _audit index.

| walklex type=field index=_audit

See also

Commands
metadata
tstats
Last modified on 07 February, 2024
untable   where

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters