Get help with the CLI
This topic discusses how to access Splunk's built-in CLI help reference, which contains information about the CLI commands and how to use them. This topic also briefly discusses the universal parameters, which are parameters that you can use with any CLI command.
Access CLI help reference
If you need to find a CLI command or syntax for a CLI command, use Splunk's built-in CLI help reference.
To start, you can access the default help information with the help
command:
./splunk help
This will return a list of objects to help you access more specific CLI help topics, such as administrative commands, clustering, forwarding, licensing, searching, etc.
Universal parameters
Some commands require that you authenticate with a username and password, or specify a target host or app. For these commands you can include one of the universal parameters: auth
, app
, or uri
.
./splunk [command] [object] [-parameter <value> | <value>]... [-app] [-owner] [-uri] [-auth]
Parameter | Description |
---|---|
app | Specify the App or namespace to run the command; for search, defaults to the Search App. |
auth | Specify login credentials to execute commands that require you to be logged in. |
owner | Specify the owner/user context associated with an object; if not specified, defaults to the currently logged in user. |
uri | Excute a command on any specified (remote) Splunk server. |
app
In the CLI, app
is an object for many commands, such as create app
or enable app
. But, it is also a parameter that you can add to a CLI command if you want to run that command on a specific app.
Syntax:
./splunk command object [-parameter value]... -app appname
For example, when you run a search in the CLI, it defaults to the Search app. If want to run the search in another app:
./splunk search "eventype=error | stats count by source" -detach f -preview t -app unix
auth
If a CLI command requires authentication, Splunk will prompt you to supply the username and password. You can also use the -auth
flag to pass this information inline with the command. The auth
parameter is also useful if you need to run a command that requires different permissions to execute than the currently logged-in user has.
Syntax:
./splunk command object [-parameter value]... -auth username:password
uri
If you want to run a command on a remote Splunk server, use the -uri
flag to specify the target host.
Syntax:
./splunk command object [-parameter value]... -uri specified-server
Specify the target Splunk server with the following format:
[http|https]://name_of_server:management_port
You can specify an IP address for the name_of_server
. Both IPv4 and IPv6 formats are supported; for example, the specified-server
may read as: 127.0.0.1:80 or "[2001:db8::1]:80". By default, splunkd listens on IPv4 only. To enable IPv6 support, see Configure Splunk Enterprise for IPv6.
Example:
The following example returns search results from the remote "splunkserver" on port 8089.
./splunk search "host=fflanda error 404 *.gif" -auth admin -uri https://splunkserver:8089
For more information about the CLI commands you can run on a remote server, see the next topic in this chapter.
Useful help topics
When you run the default Splunk CLI help, you will see these objects listed.
Administrative CLI commands
You can use the CLI for administrative functions such as adding or editing inputs, updating configuration settings, and searching. If you want to see the list of administrative CLI commands type in:
./splunk help commands
These commands are discussed in more detail in "Administrative CLI commands", the next topic in this manual.
CLI help for indexer clustering
Indexer clustering is a Splunk feature that consists of clusters of indexers configured to replicate data to achieve several goals: data availability, data fidelity, disaster tolerance, and improved search performance.
You can use the CLI to view and edit clustering configurations on the indexer cluster nodes. For the list of commands and parameters related to clustering, type in:
./splunk help clustering
For more information, read "Configure the cluster with the CLI" in the Managing Indexers and Clusters manual.
CLI help for Splunk controls
Use the CLI to start, stop, and restart Splunk server (splunkd
) and web (splunkweb
) processes or check to see if the process is running. For the list of controls, type in:
./splunk help controls
For more information, read "Start and stop Splunk" in the Admin Manual.
CLI help for data management
When you add data to Splunk, Splunk processes it and stores it in an index. By default, data you feed to Splunk is stored in the main index, but you can use the CLI to create and specify other indexes for Splunk to use for different data inputs. To see the list of objects and commands to manage indexes and datastores, type in:
./splunk help datastore
./splunk help index
For more information, read "About managing indexes", "Create custom indexes", and "Remove indexes and data from Splunk" in the Managing Indexers and Clusters manual.
CLI help for distributed search deployments
Use the CLI to view and manage your distributed search configurations. For the list of objects and commands, type in:
./splunk help distributed
For information about distributed search, read "About distributed search" in the Distributed Search manual.
CLI help for forwarding and receiving
Splunk deployments can include dozens or hundreds of forwarders forwarding data to one or more receivers. Use the CLI to view and manage your data forwarding configuration. For the list of forwarding objects and commands, type in:
./splunk help forwarding
For more information, read "About forwarding and receiving" in the Forwarding Data manual.
CLI help for search and real-time search
You can also use the CLI to run both historical and real-time searches. Access the help page about Splunk search and real-time search with:
./splunk help search
./splunk help rtsearch
Also, use objects search-commands
, search-fields
, and search-modifiers
to access the respective help descriptions and syntax:
./splunk help search-commands
./splunk help search-fields
./splunk help search-modifiers
Note: The Splunk CLI interprets spaces as breaks. Use dashes between multiple words for topic names that are more than one word.
To learn more about searching your data with the CLI, refer to "About CLI searches" and "Syntax for CLI searches" in the Search Reference Manual and "Real-time searches and reports in the CLI" in the Search Manual.
About the CLI | Administrative CLI commands |
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!