
Search commands by category
The search commands that make up the Splunk Light search processing language are a subset of the Splunk Enterprise search commands. The tables below list the commands that make up the Splunk Light search processing language, categorized by their usage. Some commands fit into more than one category, depending on the options that you specify.
This topic links to the Splunk Enterprise Search Reference for each search command.
Correlation
These commands can be used to build correlation searches.
Command | Description |
---|---|
append | Appends subsearch results to current results. |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, and so on. |
appendpipe | Appends the result of the subpipeline applied to the current result set to results. |
arules | Finds association rules between field values. |
associate | Identifies correlations between fields. |
contingency, counttable, ctable | Builds a contingency table for two fields. |
correlate | Calculates the correlation between different fields. |
diff | Returns the difference between two search results. |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
selfjoin | Joins results with itself. |
set | Performs set operations (union, diff, intersect) on subsearches. |
stats | Provides statistics, grouped optionally by fields. See Functions for stats, chart, and timechart in the Splunk Enterprise Search Reference. |
transaction | Groups search results into transactions. |
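As an added example (not part of the original page), here is a correlation search of the kind these commands support. It flags a source address that produced many failed logins inside a ten-minute window and then at least one success, a common password-spraying or brute-force pattern. It is built on stats rather than join or transaction because stats runs in one pass over the events and needs no subsearch. The index name, the sourcetype, and the field names src_ip, user and action are assumptions; they depend on the inputs and field extractions configured on your instance.

```spl
index=main sourcetype=linux_secure (action=failure OR action=success)
| bin _time span=10m
| stats count(eval(action="failure")) AS failures
        count(eval(action="success")) AS successes
        dc(user) AS distinct_users
        values(user) AS users
        BY _time src_ip
| where failures >= 20 AND successes >= 1
| sort - failures
| table _time src_ip failures successes distinct_users users
```

The thresholds 20 and 1 are starting points to tune against your own baseline. Note the caveat: stats does not preserve ordering inside the window, so a success followed by twenty failures matches as well as the reverse. If the order matters, group the events with transaction (startswith and endswith on the action value) or compute a running failure count with streamstats before filtering.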
Data and indexes
These commands can be used to learn more about your data and manage your data sources.
View data
These commands return information about the data you have in your indexes. They do not modify your data or indexes in any way.
Command | Description |
---|---|
audit | Returns audit trail information that is stored in the local audit index. |
dbinspect | Returns information about the specified index. |
eventcount | Returns the number of events in an index. |
metadata | Returns a list of sources, sourcetypes, or hosts from a specified index or distributed search peer. |
typeahead | Returns typeahead information on a specified prefix. |
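As an added example (not from the original page), the metadata command is a quick way to find hosts that have stopped sending data, which from a monitoring standpoint is a blind spot an attacker can hide in. metadata returns one row per host with firstTime, lastTime, recentTime (the index time of the most recently indexed event) and totalCount. The index name and the 24-hour silence threshold are assumptions.

```spl
| metadata type=hosts index=main
| eval hours_silent=round((now() - recentTime) / 3600, 1)
| where hours_silent > 24
| convert ctime(firstTime) ctime(lastTime) ctime(recentTime)
| sort - hours_silent
| table host hours_silent lastTime recentTime totalCount
```

Because metadata is a generating command, the search begins with a pipe. The check reads index metadata rather than events, so it is cheap enough to run on a schedule even over large indexes; compare recentTime rather than lastTime when a host may be sending events with old timestamps.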
Manage data
These are some commands you can use to add data sources to or delete specific data from your indexes. Note that delete marks matching events so that a search never returns them again; it does not free disk space, and it is only available to users with the can_delete role, which no role holds by default.
Command | Description |
---|---|
delete | Deletes specific events or search results. |
input | Adds sources to Splunk or disables sources from being processed by Splunk. |
Fields
These are commands you can use to add, extract, and modify fields or field values. The most useful command for manipulating fields is eval and its functions.
Add fields
Use these commands to add new fields.
Command | Description |
---|---|
accum | Keeps a running total of the specified numeric field. |
addinfo | Adds fields that contain common information about the current search. |
addtotals | Computes the sum of all numeric fields for each result. |
delta | Computes the difference in field value between nearby results. |
eval | Calculates an expression and puts the value into a field. See Functions for eval and where in the Splunk Enterprise Search Reference. |
iplocation | Adds location information, such as city, country, latitude, longitude, and so on, based on IP addresses. |
multikv | Extracts field-values from table-formatted events. |
rangemap | Sets the RANGE field to the name of the ranges that match. |
relevancy | Adds a relevancy field, which indicates how well the event matches the query. |
strcat | Concatenates string values and saves the result to a specified field. |
Extract fields
These commands provide different ways to extract new fields from search results.
Command | Description |
---|---|
erex | Allows you to specify example or counter example values to automatically extract fields that have similar values. |
extract, kv | Extracts field-value pairs from search results. |
kvform | Extracts values from search results, using a form template. |
rex | Specifies a Perl regular expression with named groups to extract fields while you search. |
spath | Provides a straightforward means for extracting fields from structured data formats, XML and JSON. |
xmlkv | Extracts XML key-value pairs. |
Modify fields and field values
Use these commands to modify fields or their values.
Command | Description |
---|---|
convert | Converts field values into numerical values. |
filldown | Replaces NULL values with the last non-NULL value. |
fillnull | Replaces null values with a specified value. |
makemv | Changes a specified field into a multivalued field during a search. |
nomv | Changes a specified multivalued field into a single-value field at search time. |
reltime | Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results. |
rename | Renames a specified field; wildcards can be used to specify multiple fields. |
replace | Replaces values of specified fields with a specified new value. |
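As an added example (not part of the original page) covering the extract and modify tables above, this search pulls login details out of raw sshd syslog lines with rex, normalizes the outcome with eval, enriches the source address with iplocation, and uses fillnull so that addresses the GeoIP database cannot place still appear in the report. It assumes lines shaped like the following constructed sample, and the index name and sourcetype are assumptions as well:

Mar  3 10:15:02 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4412 ssh2

```spl
index=main sourcetype=linux_secure "Failed password" OR "Accepted password" OR "Accepted publickey"
| rex field=_raw "(?<outcome>Failed|Accepted) (?<method>password|publickey) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| eval action=if(outcome="Failed", "failure", "success")
| iplocation src_ip
| fillnull value="unknown" Country City
| stats count BY src_ip Country City user method action
| sort - count
```

iplocation looks the address up in the GeoIP database bundled with Splunk, so private ranges (10.0.0.0/8, 192.168.0.0/16 and the like) and reserved documentation ranges such as the 203.0.113.5 in the sample come back empty; that is why fillnull precedes the stats step. The "invalid user" group is optional because sshd only emits it when the account does not exist, which is itself useful for spotting username enumeration.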
Find anomalies
These commands are used to find anomalies in your data. Either search for uncommon or outlying events and fields or cluster similar events together.
Command | Description |
---|---|
analyzefields, af | Analyzes numerical fields for their ability to predict another discrete field. |
anomalies | Computes an "unexpectedness" score for an event. |
anomalousvalue | Finds and summarizes irregular, or uncommon, search results. |
cluster | Clusters similar events together. |
kmeans | Performs k-means clustering on selected fields. |
outlier | Removes outlying numerical values. |
rare | Displays the least common values of a field. |
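As an added example (not from the original page), cluster is a practical triage tool during incident response: it collapses a noisy log into groups of similar messages, and the smallest groups are the messages that occur least often and deserve a look first. The index name and sourcetype are assumptions.

```spl
index=main sourcetype=linux_secure earliest=-24h
| cluster t=0.8 showcount=true
| sort cluster_count
| head 20
| table cluster_count _raw
```

The t parameter is the similarity threshold between 0 and 1; raising it produces more, tighter clusters, and 0.8 is a reasonable starting point for syslog. showcount=true adds the cluster_count field that the sort relies on, and _raw holds one representative event per cluster. Sorting the other way (sort - cluster_count) gives the opposite view, the high-volume messages to filter out when writing a detection search.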
Geoip and location
These commands add geographical information to your search results.
Command | Description |
---|---|
iplocation | Returns location information, such as city, country, latitude, longitude, and so on, based on IP addresses. |
geostats | Generates statistics which are clustered into geographical bins to be rendered on a world map. |
Metrics
These commands work with metrics data.
Command | Description |
---|---|
mcollect | Converts events into metric data points and inserts the data points into a metric index on the search head. |
meventcollect | Converts events into metric data points and inserts the data points into a metric index on the indexer tier. |
mstats | Calculates visualization-ready statistics for the measurement, metric_name, and dimension fields in metric indexes. |
Prediction and trending
These commands predict future values and calculate trendlines that can be used to create visualizations.
Command | Description |
---|---|
predict | Enables you to use time series algorithms to predict future values of fields. |
trendline | Computes moving averages of fields. |
x11 | Enables you to determine the trend in your data by removing the seasonal pattern. |
Reports
These commands are used to build transforming searches. These commands return statistical data tables required for charts and other kinds of data visualizations.
Command | Description |
---|---|
addtotals | Computes the sum of all numeric fields for each result. |
bin, discretize | Puts continuous numerical values into discrete sets. |
chart | Returns results in a tabular output for charting. See Statistical and charting functions in the Splunk Enterprise Search Reference. |
contingency, counttable, ctable | Builds a contingency table for two fields. |
correlate | Calculates the correlation between different fields. |
eventcount | Returns the number of events in an index. |
eventstats | Adds summary statistics to all search results. |
gauge | Transforms results into a format suitable for display by the Gauge chart types. |
makecontinuous | Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart). |
mstats | Calculates statistics for the measurement, metric_name, and dimension fields in metric indexes. |
outlier | Removes outlying numerical values. |
rare | Displays the least common values of a field. |
stats | Provides statistics, grouped optionally by fields. See Statistical and charting functions in the Splunk Enterprise Search Reference. |
streamstats | Adds summary statistics to all search results in a streaming manner. |
timechart | Creates a time series chart and corresponding table of statistics. See Statistical and charting functions in the Splunk Enterprise Search Reference. |
top | Displays the most common values of a field. |
trendline | Computes moving averages of fields. |
untable | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. |
xyseries | Converts results into a format suitable for graphing. |
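As an added example (not part of the original page), a transforming search can carry its own baseline: timechart counts failed logins per hour over a week, eventstats attaches the mean and standard deviation of those hourly counts to every row, and where keeps only the hours that sit more than three standard deviations above the mean. The index name, sourcetype, the action field and the seven-day window are assumptions.

```spl
index=main sourcetype=linux_secure action=failure earliest=-7d
| timechart span=1h count AS failures
| eventstats avg(failures) AS baseline stdev(failures) AS deviation
| eval threshold=round(baseline + 3 * deviation, 0)
| where failures > threshold
| table _time failures baseline deviation threshold
```

timechart is used instead of bin followed by stats on purpose: stats emits no row for an hour with zero events, which would silently drop quiet hours from the baseline and inflate it, whereas timechart fills every span in the time range with a count of 0. The spike hours are themselves part of the average they are compared against, so for a stricter baseline compute the statistics over a window that excludes the period under investigation.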
Results
These commands can be used to manage search results. For example, you can append one set of results with another, filter more events from the results, reformat the results, and so on.
Alerting
Use this command to email the results of a search.
Command | Description |
---|---|
sendemail | Emails search results, either inline or as an attachment, to one or more specified email addresses. |
Append
Use these commands to append one set of results with another set or to itself.
Command | Description |
---|---|
append | Appends subsearch results to current results. |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, and so on. |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
selfjoin | Joins results with itself. |
Filter
Use these commands to remove more events or fields from your current results.
Command | Description |
---|---|
dedup | Removes subsequent results that match the specified criteria. |
fields | Removes fields from search results. |
mvcombine | Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. |
regex | Removes results that do not match the specified regular expression. |
searchtxn | Finds transaction events within specified search constraints. |
table | Creates a table using the specified fields. |
uniq | Removes any result that is an exact duplicate of a previous result. |
where | Performs arbitrary filtering on your data. See Evaluation functions in the Splunk Enterprise Search Reference. |
Format
Use these commands to reformat your current results.
Command | Description |
---|---|
untable | Converts results from a tabular format to a format similar to stats output. Inverse of xyseries and maketable. |
xyseries | Converts results into a format suitable for graphing. |
Generate
Use these commands to generate or return events.
Command | Description |
---|---|
gentimes | Returns results that match a time range. |
loadjob | Loads events or results of a previously completed search job. |
mvexpand | Expands the values of a multivalue field into separate events for each value of the multivalue field. |
savedsearch | Returns the search results of a saved search. |
search | Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command. |
Group
Use these commands to group or classify the current results.
Command | Description |
---|---|
cluster | Clusters similar events together. |
kmeans | Performs k-means clustering on selected fields. |
mvexpand | Expands the values of a multivalue field into separate events for each value of the multivalue field. |
transaction | Groups search results into transactions. |
typer | Calculates the eventtypes for the search results. |
Reorder
Use these commands to change the order of the current search results.
Command | Description |
---|---|
head | Returns the first N of the specified results. |
reverse | Reverses the order of the results. |
sort | Sorts search results by the specified fields. |
tail | Returns the last N of the specified results. |
Read
Use these commands to read in results from external files or previous searches.
Command | Description |
---|---|
inputcsv | Loads search results from the specified CSV file. |
loadjob | Loads events or results of a previously completed search job. |
Write
Use these commands to define how to output current search results.
Command | Description |
---|---|
mcollect | Converts events into metric data points and inserts the data points into a metric index on the search head. |
meventcollect | Converts events into metric data points and inserts the data points into a metric index on the indexer tier. |
outputcsv | Outputs search results to a specified CSV file. |
outputtext | Outputs the raw text field (_raw) of results into the _xml field. |
sendemail | Emails search results, either inline or as an attachment, to one or more specified email addresses. |
Search
Command | Description |
---|---|
map | A looping operator; performs a search over each search result. |
search | Searches Splunk indexes for matching events. This command is implicit at the start of every search pipeline that does not begin with another generating command. |
sendemail | Emails search results, either inline or as an attachment, to one or more specified email addresses. |
Subsearch
These are commands that you can use with subsearches.
Command | Description |
---|---|
append | Appends subsearch results to current results. |
appendcols | Appends the fields of the subsearch results to current results, first results to first result, second to second, and so on. |
appendpipe | Appends the result of the subpipeline applied to the current result set to results. |
format | Takes the results of a subsearch and formats them into a single result. |
join | SQL-like joining of results from the main results pipeline with the results from the subpipeline. |
return | Specifies the values to return from a subsearch. |
set | Performs set operations (union, diff, intersect) on subsearches. |
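As an added example (not part of the original page), a subsearch is the usual way to pivot from a detection to everything else the offending hosts did. The inner search finds source addresses with more than 50 failed logins in the last day and hands them back with return as an OR'd list of src_ip terms; the outer search then pulls every event from those addresses, regardless of outcome, and summarizes it with stats and convert. The index name, sourcetype, and the fields src_ip, user and action are assumptions.

```spl
index=main sourcetype=linux_secure
    [ search index=main sourcetype=linux_secure action=failure earliest=-24h
      | stats count BY src_ip
      | where count > 50
      | return 1000 src_ip ]
| stats count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(action) AS actions
        dc(user) AS users_tried
        BY src_ip
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

return emits only one row unless given a count, hence return 1000. Two subsearch limits matter in practice: by default a subsearch is cut off after 60 seconds or 10,000 results (the maxtime and maxout settings under [subsearch] in limits.conf), and when that happens the outer search runs against a truncated list without failing, so check the job inspector for a subsearch warning before trusting a result that looks suspiciously small. To pivot against an externally maintained watchlist instead, replace the inner search with a pipeline starting from inputcsv.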
Time
Use these commands to search based on time ranges or add time information to your events.
Command | Description |
---|---|
gentimes | Returns results that match a time range. |
localize | Returns a list of the time ranges in which the search results were found. |
reltime | Converts the difference between 'now' and '_time' to a human-readable value and adds this value to the field 'reltime' in your search results. |
This documentation applies to the following versions of Splunk® Light (Legacy): 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6