About searches in the CLI
If you use Splunk Enterprise, you can issue search commands from the command line using the Splunk CLI. This topic discusses how to search from the CLI. If you're looking for how to access the CLI and find help for it, refer to "About the CLI" in the Splunk Enterprise Admin Manual.
CLI help for search
You can run historical searches using the search
command, and real-time searches using the rtsearch
command. The following is a table of useful search-related CLI help objects. To see the full help information for each object, type into the CLI:
./splunk help <object>
Object | Description |
---|---|
rtsearch | Returns the parameters and syntax for real-time searches. |
search | Returns the parameters and syntax for historical searches. |
search-commands | Returns a list of search commands that you can use from the CLI. |
search-fields | Returns a list of default fields. |
search-modifiers | Returns a list of search and time-based modifiers that you can use to narrow your search. |
Search in the CLI
Historical and real-time searches in the CLI work the same way as searches in Splunk Web, except that there is no timeline rendered with the search results and there is no default time range. Instead, the results are displayed as a raw events list or a table, depending on the type of search.
- For more information, read "Type of searches" in the Search Overview chapter of the Search Manual.
The syntax for CLI searches is similar to the syntax for Splunk Web searches, except that you can pass parameters outside of the query to specify the time limit of the search, where to run the search, and how results are displayed.
- For more information about the CLI search options, see the next topic in this chapter, "CLI search syntax".
- For more information about how to search remote Splunk servers from your local server, see "Access and use the CLI on a remote server" in the Splunk Enterprise Admin Manual.
runshellscript | Syntax for searches in the CLI |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!