About searches in the CLI
If you use Splunk Enterprise, you can issue search commands from the command line using the Splunk CLI. This topic discusses how to search from the CLI. If you're looking for how to access the CLI and find help for it, refer to "About the CLI" in the Admin manual.
CLI help for search
You can run historical searches using the search command, and real-time searches using the rtsearch command. The following is a table of useful search-related CLI help objects. To see the full help information for each object, type into the CLI:
./splunk help <object>
| Object | Description |
|---|---|
| rtsearch | Returns the parameters and syntax for real-time searches. |
| search | Returns the parameters and syntax for historical searches. |
| search-commands | Returns a list of search commands that you can use from the CLI. |
| search-fields | Returns a list of default fields. |
| search-modifiers | Returns a list of search and time-based modifiers that you can use to narrow your search. |
Search in the CLI
Historical and real-time searches in the CLI work the same way as searches in Splunk Web, except that there is no timeline rendered with the search results and there is no default time range. Instead, the results are displayed as a raw events list or a table, depending on the type of search.
- For more information, read "Type of searches" in the Search Overview chapter of the Search Manual.
The syntax for CLI searches is similar to the syntax for Splunk Web searches, except that you can pass parameters outside of the query to specify the time limit of the search, where to run the search, and how results are displayed.
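As an added example (not from this page or from Splunk's own tooling), the wrapper below keeps the SPL query separate from the out-of-query parameters that set the time range, result cap and display format, and parses the CSV that comes back. It assumes a Splunk Enterprise install under $SPLUNK_HOME and uses the CLI parameters -earliest_time, -latest_time, -maxout, -output and -auth, which this page does not list; the sample output is constructed so the parsing runs without a Splunk instance.

```python
"""Wrap `splunk search` so the query and its CLI parameters stay separate."""
import csv
import io
import os
import subprocess

# Assumption: Splunk is installed under $SPLUNK_HOME (default /opt/splunk).
SPLUNK_BIN = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"), "bin", "splunk")


def build_search_cmd(query, earliest="-24h", latest="now", maxout=0, output="csv", auth=None):
    """Return argv for a historical search.

    The SPL is a single argument; the time window, the cap on returned
    events and the output format are CLI parameters, not part of the query.
    """
    cmd = [SPLUNK_BIN, "search", query,
           "-earliest_time", earliest, "-latest_time", latest,
           "-maxout", str(maxout),        # 0 means no cap on returned events
           "-output", output]             # csv so the result can be parsed
    if auth:                              # "user:password"; otherwise the CLI prompts
        cmd += ["-auth", auth]
    return cmd


def parse_csv_output(text):
    """Turn `-output csv` text into a list of dicts, one per result row."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_logins_by_source(text, threshold=5):
    """Sources at or above a failed-logon threshold, from the CSV output of a
    search that already aggregated with `stats count by src`."""
    rows = parse_csv_output(text)
    return {r["src"]: int(r["count"]) for r in rows if int(r["count"]) >= threshold}


def run_search(query, **params):
    """Execute the search and return parsed rows (needs a running Splunk instance)."""
    out = subprocess.run(build_search_cmd(query, **params), check=True,
                         capture_output=True, text=True).stdout
    return parse_csv_output(out)


# Constructed sample of what `-output csv` returns for this query (not real data).
SAMPLE_QUERY = "index=wineventlog EventCode=4625 | stats count by src"
SAMPLE_OUTPUT = "src,count\n10.0.0.5,12\n10.0.0.9,2\n192.0.2.7,7\n"

if __name__ == "__main__":
    print(build_search_cmd(SAMPLE_QUERY, earliest="-1h"))
    print(failed_logins_by_source(SAMPLE_OUTPUT))
```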
Syntax for searches in the CLI
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103