Topics

| pdf version

Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

CLI for search

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4

CLI for search

Note: this page has not been fully updated for 3.0.


The command-line search API supports the exact same syntax as the Splunk box, with additonal parameters.


Actions

  • search

Default Argument

  • search-string (same format as Splunk box)

Parameters

  • -output
    • splunkui (default)
    • scheduler
    • rawevents
  • -format
    • normal (default)
    • xml
  • -get <type>::<range start>-<range end>
    • events (default)
    • types
    • hosts
    • sourcetypes
    • sources

where range is n items returned from the full results. Example:


splunk search 404 -get sources::0-9

returns the first 10 sources from the specified search.


  • future -get parameters (not yet implemented)
    • matching
    • timebuckets
    • report
    • samplesfortypes
    • eventtags
    • sourcetypetags
    • hosttags
    • report

Example 

splunk search -get hosts "smtp NOT success hoursago::1"

By default only 100 events are returned when a search is done from the CLI. This can be changed by adding maxresults:: to your search. For large searches, we recommend you use the "raw" output type to reduce memory usage. 


splunk search -output rawevents "meta::all minutesago::120 maxresults::100000"
Retrieved from "http://www.splunk.com/base/Documentation/3.0/Developer/CLIForSearch"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.