Splunk® Enterprise

Admin Manual

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Get help with the CLI

This topic discusses how to access Splunk's built-in CLI help reference, which contains information about the CLI commands and how to use them. This topic also briefly discusses the universal parameters, which are parameters that you can use with any CLI command.

Access CLI help reference

If you need to find a CLI command or syntax for a CLI command, use Splunk's built-in CLI help reference.

To start, you can access the default help information with the help command:

./splunk help

This will return a list of objects to help you access more specific CLI help topics, such as administrative commands, clustering, forwarding, licensing, searching, etc.

Universal parameters

Some commands require that you authenticate with a username and password, or specify a target host or app. For these commands you can include one of the universal parameters: auth, app, or uri.

./splunk [command] [object] [-parameter <value> | <value>]... [-app] [-owner] [-uri] [-auth]
Parameter Description
app Specify the App or namespace to run the command; for search, defaults to the Search App.
auth Specify login credentials to execute commands that require you to be logged in.
owner Specify the owner/user context associated with an object; if not specified, defaults to the currently logged in user.
uri Excute a command on any specified (remote) Splunk server.

app

In the CLI, app is an object for many commands, such as create app or enable app. But, it is also a parameter that you can add to a CLI command if you want to run that command on a specific app.

Syntax:

./splunk command object [-parameter value]... -app appname 

For example, when you run a search in the CLI, it defaults to the Search app. If want to run the search in another app:

./splunk search "eventype=error | stats count by source" -detach f -preview t -app unix

auth

If a CLI command requires authentication, Splunk will prompt you to supply the username and password. You can also use the -auth flag to pass this information inline with the command. The auth parameter is also useful if you need to run a command that requires different permissions to execute than the currently logged-in user has.

Syntax:

./splunk command object [-parameter value]... -auth username:password 

uri

If you want to run a command on a remote Splunk server, use the -uri flag to specify the target host.

Syntax:

./splunk command object [-parameter value]... -uri specified-server

Specify the target Splunk server with the following format:

[http|https]://name_of_server:management_port

You can specify an IP address for the name_of_server. Both IPv4 and IPv6 formats are supported; for example, the specified-server may read as: 127.0.0.1:80 or "[2001:db8::1]:80". By default, splunkd listens on IPv4 only. To enable IPv6 support, see Configure Splunk Enterprise for IPv6.


Example: The following example returns search results from the remote "splunkserver" on port 8089.

./splunk search "host=fflanda error 404 *.gif" -auth admin -uri https://splunkserver:8089

For more information about the CLI commands you can run on a remote server, see the next topic in this chapter.

Useful help topics

When you run the default Splunk CLI help, you will see these objects listed.

Administrative CLI commands

You can use the CLI for administrative functions such as adding or editing inputs, updating configuration settings, and searching. If you want to see the list of administrative CLI commands type in:

./splunk help commands

These commands are discussed in more detail in "Administrative CLI commands", the next topic in this manual.

CLI help for indexer clustering

Indexer clustering is a Splunk feature that consists of clusters of indexers configured to replicate data to achieve several goals: data availability, data fidelity, disaster tolerance, and improved search performance.

You can use the CLI to view and edit clustering configurations on the indexer cluster nodes. For the list of commands and parameters related to clustering, type in:

./splunk help clustering

For more information, read "Configure the cluster with the CLI" in the Managing Indexers and Clusters manual.

CLI help for Splunk controls

Use the CLI to start, stop, and restart Splunk server (splunkd) and web (splunkweb) processes or check to see if the process is running. For the list of controls, type in:

./splunk help controls

For more information, read "Start and stop Splunk" in the Admin Manual.

CLI help for data management

When you add data to Splunk, Splunk processes it and stores it in an index. By default, data you feed to Splunk is stored in the main index, but you can use the CLI to create and specify other indexes for Splunk to use for different data inputs. To see the list of objects and commands to manage indexes and datastores, type in:

./splunk help datastore
./splunk help index

For more information, read "About managing indexes", "Create custom indexes", and "Remove indexes and data from Splunk" in the Managing Indexers and Clusters manual.

CLI help for distributed search deployments

Use the CLI to view and manage your distributed search configurations. For the list of objects and commands, type in:

./splunk help distributed

For information about distributed search, read "About distributed search" in the Distributed Search manual.

CLI help for forwarding and receiving

Splunk deployments can include dozens or hundreds of forwarders forwarding data to one or more receivers. Use the CLI to view and manage your data forwarding configuration. For the list of forwarding objects and commands, type in:

./splunk help forwarding

For more information, read "About forwarding and receiving" in the Forwarding Data manual.

CLI help for search and real-time search

You can also use the CLI to run both historical and real-time searches. Access the help page about Splunk search and real-time search with:

./splunk help search
./splunk help rtsearch

Also, use objects search-commands, search-fields, and search-modifiers to access the respective help descriptions and syntax:

./splunk help search-commands
./splunk help search-fields
./splunk help search-modifiers

Note: The Splunk CLI interprets spaces as breaks. Use dashes between multiple words for topic names that are more than one word.

To learn more about searching your data with the CLI, refer to "About CLI searches" and "Syntax for CLI searches" in the Search Reference Manual and "Real-time searches and reports in the CLI" in the Search Manual.

Last modified on 14 October, 2020
About the CLI   Administrative CLI commands

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters