Search commands

Search commands

Use search commands to generate search results from an index or process search results that get generated. Combine search commands in a search to produce specific sets of search results. Or produce complex reports based on search results (using the "|" to "pipe"/separate commands).

Select search commands from the list below to learn how to use them.

See the search syntax page for a description of the search command pipeline in modified BNF (Backus - Naur Form).

Data-generating	file, remote, run, savedsearch, search
Saving	run, sendemail, outputcsv, outputraw, outputtext, outputxml
Filtering & Re-ordering	page, regex, run, set, sort, uniq, where
Transforming & Reporting	associate, chart, contingency, correlate, diff, format, rare, run, select, stats, timechart, top, xmlunescape
Evaluating	abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace, run
Extracting	extract(kv), multikv, run, xmlkv
Administering	run, admin

Use data-generating commands to get data out of a Splunk index.

Saving commands allow you to save data in various formats. Use saving commands to format data for a particular type of output.

Filtering & Re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.

Transforming & Reporting commands allow you to summarize large result sets.

Evaluating commands evaluate each result, and change the fields or values of fields within each result.

Extracting commands add fields to results based on raw event data.

Administering commands allow you to perform administrative functions.

---

Conventions used in the search reference

Syntax conventions

command argument ... [argument] ...

• Commands are in bold.
• Any bolded (and not italicized) character in the command syntax is a required term for the expression.
• Required arguments are italicized (and can be bold).
• Optional arguments are in [brackets].
• " ... " means that many arguments can be inserted.
• Arguments are defined in a table.

argument=

syntax and value(default value)

Description, and usage.

• Default values are shown in parentheses ( ).
• Arguments that have a table of options associated with them are italicized and in bold (argument).
• " | " is used as a logical OR.
• T | F = True OR False.

Other conventions

• Command examples that are applicable to SplunkWeb are shown in a mock-up of a search bar.

• Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.

./splunk search "foo | top"

---

The run command

The run command makes calls to external perl or python programs that can modify or generate search results. It takes search results as inputs, and outputs the results of the script(s) called.

To disable the running of a script, delete the script out of the splunk_home/etc/searchscripts directory.

Syntax

run (perl OR python) script-name [script-argument] ... [script-argumentN] [maxinputs-arg]

Arguments

script-name=	script name	The name of the script to execute (minus the path and file extension).
script-argument=	script arguments	An argument passed to the script.
maxinputs-arg=	maxinputs=integer(100)	Specify a number of results to pass to the script. If no maxinputs is specified, run will pass up to 10,000 events to scripts.

Examples

• Searches for events containing 404, and runs the python script= myscript. Then it sends the results in an email to email@site.com.

The admin command

This data-generating command returns the values of a specified ".conf file.

Syntax

admin configuration file

Arguments

configuration file=bundle name

Name of a bundle that corresponds to a Splunk .config file (e.g. eventtypes, inputs, props).

Examples

SplunkWeb:

• Returns the values of the eventtypes.conf file.

CLI:

./splunk search "admin auth"

• Returns authentication settings in auth.conf.

./splunk search "admin props"

• Returns processing properties - time zones, breaking characters, etc contained in props.conf.