Splunk® Enterprise

Admin Manual

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Administrative CLI commands

This topic discusses the administrative CLI commands, which are the commands used to manage or configure your Splunk server and distributed deployment.

For information about accessing the CLI and what is covered in the CLI help, see the previous topic, Get help with the CLI. If you're looking for details about how to run searches from the CLI, see About CLI searches in the Search Reference.

Your Splunk role configuration dictates what actions (commands) you can execute. Most actions require you to have Splunk admin privileges. Read more about setting up and managing Splunk users and roles in the About users and roles topic in the Admin Manual.

Splunk CLI command syntax

The general syntax for a CLI command is this: 

./splunk <command> [<object>] [[-<parameter>] <value>]...

Note the following:

  • Some commands don't require an object or parameters.
  • Some commands have a default parameter that can be specified by its value alone.
  • Some commands can take extra parameters like -uri or -auth. See the "Universal parameters" section of Get help with the CLI.

Commands, objects, and examples

A command is an action that you can perform. An object is something you perform an action on.

Most administrative CLI commands are offered as an alternative interface to the Splunk Enterprise REST API without the need for the curl command. If you're looking for additional uses or options for a CLI command object, review the REST API Reference Manual and search for the object name.

Command Objects Examples
add exec, forward-server, index, licenser-pools, licenses, manager, monitor, oneshot, saved-search, search-server, tcp, udp, user 1. Adds monitor directory and file inputs to source /var/log.

./splunk add monitor /var/log/

2. Adds another indexer cluster manager node to the list of instances the search head searches across.

./splunk add cluster-manager https://127.0.0.1:8089 -secret testsecret -multisite false

anonymize source 1. Replaces identifying data, such as usernames and IP addresses, in the file located at /tmp/messages.

./splunk anonymize file -source /tmp/messages

2. Anonymizes Mynames.txt using name-terms, a file containing a list of common English personal names.

./splunk anonymize file -source /tmp/messages -name_terms $SPLUNK_HOME/bin/Mynames.txt

apply cluster-bundle, shcluster-bundle 1. Makes validated bundle active on peers.

./splunk apply cluster-bundle

2. Skip-validation is an optional argument to skip bundle validation on the indexer cluster manager and peers.

./splunk apply cluster-bundle --skip-validation

3. For shcluster-bundle examples, see Deploy a configuration bundle in the Distributed Search manual.
check-integrity NONE 1. Verifies the integrity of an index with the optional parameter verbose.

./splunk check-integrity -index $SPLUNK_HOME/var/lib/splunk/defaultdb/ [-<verbose> ]

2. Verifies the integrity of a bucket with the optional parameter verbose.

./splunk check-integrity -bucketPath $SPLUNK_HOME/var/lib/splunk/defaultdb/db/ [-<verbose> ]

clean all, eventdata, globaldata, inputdata, userdata, kvstore 1. Removes data from Splunk installation. eventdata refers to exported events indexed as raw log files.

./splunk clean eventdata

2. globaldata refers to host tags and source type aliases.

./splunk clean globaldata

cluster-manager-redundancy NONE 1. Shows status of all the cluster managers in redundancy mode.

./splunk cluster-manager-redundancy -show-status

2. Switches HA mode of a cluster manager from standby to active.

./splunk cluster-manager-redundancy -switch-mode active

3. Switches HA mode of a cluster manager from active to standby. Consequently, another, currently standby cluster manager gets switched to active automatically.

./splunk cluster-manager-redundancy -switch-mode standby

cmd btprobe, classify, locktest, locktool, pcregextest, searchtest, signtool, toCsv, toSrs, tsidxprobe, walklex 1. Displays the contents in the $SPLUNK_HOME/bin directory.

./splunk cmd /bin/ls

2. Runs the chosen command from the $SPLUNK_HOME/bin directory with the environment variables set. Run splunk envvars to see which environment variables are set.

./splunk cmd locktest

create app 1. Builds myNewApp from a template.

./splunk create app myNewApp -template sample_app

createssl NONE
diag NONE
disable app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi 1. Disables the maintenance mode on peers in indexer clustering. Must be invoked on the manager node.

'./splunk disable maintenance-mode'

2. Disables the logs1 collection.

./splunk disable eventlog logs1

display app, boot-start, deploy-client, deploy-server, dist-search, jobs, listen, local-index 1. Displays status information, such as enabled/disabled, for all apps.

./splunk display app

2. Displays status information for the unix app.

./splunk display app unix

edit app, cluster-config, shcluster-config, exec, index, licenser-localpeer, licenser-groups, monitor, saved-search, search-server, tcp, udp, user 1. Edits the current clustering configuration.

./splunk edit cluster-config -mode peer -site site2

2. Edits monitored directory inputs in /var/log and only reads from the end of this file.

./splunk edit monitor /var/log -follow-only true

enable app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi 1. Sets the maintenance mode on peers in indexer clustering. Must be invoked on the manager node.

'./splunk enable maintenance-mode'

2. Enables the col1 collection.

./splunk enable perfmon col1

export eventdata, user data 1. Exports data out of your Splunk server into /tmp/apache_raw_404_logs.

./splunk export eventdata -index my_apache_data -dir /tmp/apache_raw_404_logs -host localhost -terms "404 html"

fsck repair, scan, clear-bloomfilter
help NONE
import userdata 1. Imports user accounts data from directory /tmp/export.dat.

./splunk import userdata -dir /tmp/export.dat

install app 1. Installs the app from foo.tar to the local Splunk server.

./splunk install app foo.tar

2. Installs the app from foo.tgz to the local Splunk server.

./splunk install app foo.tgz

list cluster-buckets, cluster-config, cluster-generation, cluster-peers, deploy-clients, excess-buckets, exec, forward-server, index, inputstatus, licenser-groups, licenser-localpeer, licenser-messages, licenser-pools, licenser-peers, licenser-stacks, licenses, jobs, manager-info, monitor, peer-info, peer-buckets, perfmon, saved-search, search-server, tcp, udp, user, wmi 1. Lists all active monitored directory and file inputs. This displays files and directories currently or recently monitored by splunkd for change.

./splunk list monitor

2. Lists all licenses across all stacks.

./splunk list licenses

login,logout NONE
migrate kvstore-storage-engine 1. Migrates the KV store to the target storage engine.

./splunk migrate kvstore-storage-engine --target-engine wiredTiger

offline NONE 1. Used to shutdown the peer in a way that does not affect existing searches. The manager node rearranges the primary peers for buckets, and fixes up the cluster state in case the enforce-counts flag is set.

./splunk offline

2. Because the --enforce-counts flag is used, the cluster is completely fixed up before this peer is taken down.

./splunk offline --enforce-counts

package app 1. Packages the app "stubby" and returns the package location.

./splunk package app stubby

The package command includes local.meta by default. However, if your app package contains local.meta, it will fail AppInspect app validation. To avoid AppInspect failure, use either the -merge-local-meta or -exclude-local-meta flag.

2. When packaging the app, merges local.meta to default.meta and packages the resulting default.meta.

./splunk package app stubby -merge-local-meta true

3. When packaging the app, excludes the local.meta from the app package.

./splunk package app stubby -exclude-local-meta true

rebalance cluster-data 1. Rebalances data for all indexes.

./splunk rebalance cluster-data -action start

2. Rebalances data for a single index using the optional -index parameter.

./splunk rebalance cluster-data -action start -index _internal

3. Rebalances data using the optional -max_runtime parameter to limit the rebalancing activity to 5 minutes.

./splunk rebalance cluster-data start -max_runtime 5

rebuild NONE
reload ad, auth, deploy-server, exec, index, listen, monitor, registry, tcp, udp, perfmon, wmi 1. Reloads your deployment server, in entirety or by server class.

./splunk reload deploy-server

2. Reloads my_serverclass.

./splunk reload deploy-server -class my_serverclass

3. Reloads a specific index configuration. To reload all indexes, do not include an index name.

./splunk reload index [index_name]

remove app, cluster-peers, cluster-manager, excess-buckets, exec, forward-server, index, jobs, licenser-pools, licenses, monitor, saved-search, search-server, tcp, udp, user 1. Removes the cluster manager node from the list of instances the search head searches across. Uses testsecret as the secret/pass4SymmKey.

'./splunk remove cluster-manager https://127.0.0.1:8089 -secret testsecret'

2. Removes the Unix app.

./splunk remove app unix

rollback cluster-bundle Rolls back your Splunk Web configuration bundle to your previous version. From the manager node, run this command:

./splunk rollback cluster-bundle

rolling-restart cluster-peers, shcluster-members
rtsearch app, batch, detach, earliest_time, header, id, index_earliest, index_latest, max_time, maxout, output, preview, rt_id, timeout, uri, wrap 1. Runs a real-time search that does not line-wrap for individual lines.

./splunk rtsearch 'error' -wrap false

2. Runs a real-time search. Use rtsearch exactly as you use the traditional search command.

./splunk rtsearch 'eventtype=webaccess error | top clientip'

search app, batch, detach, earliest_time, header, id, index_earliest, index_latest, latest_time, max_time, maxout, output, preview, timeout, uri, wrap 1. Uses the wildcard as the search object. Triggers an asynchronous search and displays the job id and ttl for the search.

./splunk search '*' -detach true

2. Uses eventtype=webaccess error as the search object. Does not line wrap for individual lines that are longer than the terminal width.

./splunk search 'eventtype=webaccess error' -wrap 0

set datastore-dir, deploy-poll, default-hostname, default-index, indexing-ready, minfreemb, servername, server-type, splunkd-port, web-port, kvstore-port 1. Sets the force indexing ready bit.

./splunk set indexing-ready

2. Sets bologna:1234 as the deployment server to poll updates from.

./splunk set deploy-poll bologna:1234

show config, cluster-bundle-status, datastore-dir, deploy-poll, default-hostname, default-index, jobs, minfreemb, servername, splunkd-port, web-port, kvstore-port, kvstore-status, shcluster-kvmigration-status 1. Shows current logging levels.

./splunk show log-level

2. Shows which deployment server Splunk Enterprise is configured to poll from.

./splunk show deploy-poll

spool NONE
start-shcluster-migration kvstore 1. Migrate the KV store to the target storage engine in a clustered environment.

./splunk start-shcluster-migration kvstore -storageEngine wiredTiger

2. Check to see if the KV store is ready to migrate to the target storage engine.

./splunk start-shcluster-migration kvstore -storageEngine wiredTiger -isDryRun

start,stop,restart splunkd, splunkweb
status splunkd, splunkweb
validate index, files, cluster-bundle 1. Validates the main index and verifies the index paths specified in indexes.conf.

./splunk validate index main

2. For files examples, see Check the integrity of your Splunk software files.
3. For cluster-bundle examples, see Update common peer configurations and apps in the Managing Indexers and Clusters of Indexers manual.
version NONE

Exporting search results with the CLI

You can use the CLI to export large numbers of search results. For information about how to export search results with the CLI, as well as information about the other export methods offered by Splunk Enterprise, see Export search results in the Search Manual.

Troubleshooting with the CLI

The Splunk CLI also includes tools that help with troubleshooting. Invoke these tools using the CLI command cmd:

./splunk cmd <tool>

For the list of CLI utilities, see Command line tools for use with Support in the Troubleshooting Manual.

Last modified on 03 April, 2023
Get help with the CLI   Use the CLI to administer a remote Splunk Enterprise instance

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters