Administrative CLI commands
This topic discusses the administrative CLI commands, which are the commands used to manage or configure your Splunk server and distributed deployment.
For information about accessing the CLI and what is covered in the CLI help, see the previous topic, Get help with the CLI. If you're looking for details about how to run searches from the CLI, see About CLI searches in the Search Reference.
Your Splunk role configuration dictates what actions (commands) you can execute. Most actions require you to have Splunk admin privileges. Read more about setting up and managing Splunk users and roles in the About users and roles topic in the Admin Manual.
Splunk CLI command syntax
The general syntax for a CLI command is this:
./splunk <command> [<object>] [[-<parameter>] <value>]...
Note the following:
- Some commands don't require an object or parameters.
- Some commands have a default parameter that can be specified by its value alone.
- Some commands can take extra parameters like
-auth. See the "Universal parameters" section of Get help with the CLI.
Commands, objects, and examples
A command is an action that you can perform. An object is something you perform an action on.
Most administrative CLI commands are offered as an alternative interface to the Splunk Enterprise REST API without the need for the
curl command. If you're looking for additional uses or options for a CLI command object, review the REST API Reference Manual and search for the object name.
|add||exec, forward-server, index, licenser-pools, licenses, master, monitor, oneshot, saved-search, search-server, tcp, udp, user||1. Adds monitor directory and file inputs to source |
|2. Adds another indexer cluster manager node to the list of instances the search head searches across.
|anonymize||source||1. Replaces identifying data, such as usernames and IP addresses, in the file located at |
|2. Anonymizes |
|apply||cluster-bundle, shcluster-bundle||1. Makes validated bundle active on peers.|
|2. Skip-validation is an optional argument to skip bundle validation on the indexer cluster manager and peers.|
|3. For |
|check-integrity||NONE||1. Verifies the integrity of an index with the optional parameter |
|2. Verifies the integrity of a bucket with the optional parameter |
|clean||all, eventdata, globaldata, inputdata, userdata, kvstore||1. Removes data from Splunk installation. |
|cluster-manager-redundancy||NONE||1. Shows status of all the cluster managers in redundancy mode.
|2. Switches HA mode of a cluster manager from standby to active.
|3. Switches HA mode of a cluster manager from active to standby. Consequently, another, currently standby cluster manager gets switched to active automatically.
|cmd||btprobe, classify, locktest, locktool, pcregextest, searchtest, signtool, toCsv, toSrs, tsidxprobe, walklex||1. Displays the contents in the |
|2. Runs the chosen command from the |
|create||app||1. Builds myNewApp from a template.
|disable||app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi||1. Disables the maintenance mode on peers in indexer clustering. Must be invoked on the manager node.
|2. Disables the logs1 collection.
|display||app, boot-start, deploy-client, deploy-server, dist-search, jobs, listen, local-index||1. Displays status information, such as enabled/disabled, for all apps.
|2. Displays status information for the unix app.
|edit||app, cluster-config, shcluster-config, exec, index, licenser-localpeer, licenser-groups, monitor, saved-search, search-server, tcp, udp, user||1. Edits the current clustering configuration.
|2. Edits monitored directory inputs in |
|enable||app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi||1. Sets the maintenance mode on peers in indexer clustering. Must be invoked on the manager node.
|2. Enables the |
|export||eventdata, user data||1. Exports data out of your Splunk server into |
|fsck||repair, scan, clear-bloomfilter|
|import||userdata||1. Imports user accounts data from directory |
|install||app||1. Installs the app from foo.tar to the local Splunk server.
|2. Installs the app from foo.tgz to the local Splunk server.
|list||cluster-buckets, cluster-config, cluster-generation, cluster-peers, deploy-clients, excess-buckets, exec, forward-server, index, inputstatus, licenser-groups, licenser-localpeer, licenser-messages, licenser-pools, licenser-peers, licenser-stacks, licenses, jobs, master-info, monitor, peer-info, peer-buckets, perfmon, saved-search, search-server, tcp, udp, user, wmi||1. Lists all active monitored directory and file inputs. This displays files and directories currently or recently monitored by splunkd for change.
|2. Lists all licenses across all stacks.
|migrate||kvstore-storage-engine||1. Migrates the KV store to the target storage engine.
|offline||NONE||1. Used to shutdown the peer in a way that does not affect existing searches. The manager node rearranges the primary peers for buckets, and fixes up the cluster state in case the enforce-counts flag is set.
|2. Because the |
|package||app||1. Packages the app "stubby" and returns the package location.
|2. When packaging the app, merges local.meta to default.meta and packages the resulting default.meta.
|3. When packaging the app, excludes the local.meta from the app package.
|rebalance||cluster-data||1. Rebalances data for all indexes.
|2. Rebalances data for a single index using the optional |
|3. Rebalances data using the optional |
|reload||ad, auth, deploy-server, exec, index, listen, monitor, registry, tcp, udp, perfmon, wmi||1. Reloads your deployment server, in entirety or by server class.
|2. Reloads my_serverclass.
|3. Reloads a specific index configuration. To reload all indexes, do not include an index name.
|remove||app, cluster-peers, cluster-manager, excess-buckets, exec, forward-server, index, jobs, licenser-pools, licenses, monitor, saved-search, search-server, tcp, udp, user||1. Removes the cluster manager node from the list of instances the search head searches across. Uses testsecret as the secret/pass4SymmKey.
|2. Removes the Unix app.
|rollback||cluster-bundle||Rolls back your Splunk Web configuration bundle to your previous version. From the manager node, run this command:
|rtsearch||app, batch, detach, earliest_time, header, id, index_earliest, index_latest, max_time, maxout, output, preview, rt_id, timeout, uri, wrap||1. Runs a real-time search that does not line-wrap for individual lines.
|2. Runs a real-time search. Use |
|search||app, batch, detach, earliest_time, header, id, index_earliest, index_latest, latest_time, max_time, maxout, output, preview, timeout, uri, wrap||1. Uses the wildcard as the search object. Triggers an asynchronous search and displays the job id and ttl for the search.
|2. Uses |
|set||datastore-dir, deploy-poll, default-hostname, default-index, indexing-ready, minfreemb, servername, server-type, splunkd-port, web-port, kvstore-port||1. Sets the force indexing ready bit.
|2. Sets |
|show||config, cluster-bundle-status, datastore-dir, deploy-poll, default-hostname, default-index, jobs, minfreemb, servername, splunkd-port, web-port, kvstore-port, kvstore-status, shcluster-kvmigration-status||1. Shows current logging levels.
|2. Shows which deployment server Splunk Enterprise is configured to poll from.
|start-shcluster-migration||kvstore||1. Migrate the KV store to the target storage engine in a clustered environment.
|2. Check to see if the KV store is ready to migrate to the target storage engine.
|validate||index, files, cluster-bundle||1. Validates the main index and verifies the index paths specified in |
|2. For |
|3. For |
Exporting search results with the CLI
You can use the CLI to export large numbers of search results. For information about how to export search results with the CLI, as well as information about the other export methods offered by Splunk Enterprise, see Export search results in the Search Manual.
Troubleshooting with the CLI
The Splunk CLI also includes tools that help with troubleshooting. Invoke these tools using the CLI command
./splunk cmd <tool>
For the list of CLI utilities, see Command line tools for use with Support in the Troubleshooting Manual.
Get help with the CLI
Use the CLI to administer a remote Splunk Enterprise instance
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1