This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

Search commands

For the most part, search commands fall into categories based on what they do, such as: filter unwanted information, extract more information, evaluate your data, transform your data into statistical results, and reorder your results. The specific commands themselves may fit more than one category depending on the arguments you use.

Generally:

  • Data-generating commands get data out of a Splunk index.
  • Filtering and re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.
  • Transforming and reporting commands allow you to summarize large result sets, and create useful reports and statistics.
  • Evaluating commands evaluate each result, and change the fields or values of fields within each result.
  • Extracting commands add fields to results based on raw event data.
  • Administrative commands allow you to perform administrative functions.

Note: Some commands can process fields with multiple values; for more information read About fields in the User Manual.

For quick reference, the table below lists all supported Splunk search commands with a short description. Click a command to go to its reference page.

If you want to start searching right away, refer to the Splunk search cheatsheet.


Search command index

| Command | Alias(es) | Description | Related commands |
|---|---|---|---|
| abstract | excerpt | Produces a summary of each search result. | highlight |
| addinfo | | Adds fields that contain common information about the current search. | |
| addtotals | | Computes the sum of all numeric fields for each result. | stats |
| admin | | Returns the values of a specified configuration file. | |
| anomalousvalue | | Finds and summarizes irregular, or uncommon, search results. | anomalies, cluster, kmeans, outlier |
| associate | | Searches for relationships between pairs of fields. | correlate, contingency |
| audit | | Displays audit trail information that is stored in the local audit index. | |
| bucket | bin, discretize | Puts continuous numerical values into discrete buckets. | chart, timechart |
| chart | | Returns results in a tabular output for charting. | bucket, timechart |
| cluster | sic | Clusters similar events together. | anomalies, anomalousvalue, cluster, kmeans, outlier |
| collect | stash | Puts search results into a summary index. | overlap |
| contingency | counttable, ctable | Builds a contingency table for two fields. | associate, correlate |
| convert | | Converts field values into numerical values. | |
| correlate | | Calculates the correlation between different fields. | associate, contingency |
| crawl | | Crawls the filesystem for new sources to index. | |
| dedup | | Removes subsequent results that match the specified criteria. | |
| diff | | Returns the difference between two search results. | |
| eval | | Calculates an expression and puts the value into a field. | where |
| eventstats | | Adds summary statistics to all search results. | stats |
| extract | kv | Extracts field-value pairs from search results. | kvform, multikv, xmlkv, rex |
| fields | | Removes fields from search results. | |
| file | test | Processes the given file as if it were indexed. | |
| fillnull | | Replaces null values with a specified value. | |
| format | | Takes the results of a subsearch and formats them into a single result. | |
| head | | Returns the first n results. | reverse, tail |
| highlight | | Causes Splunk Web to highlight specified terms. | |
| iplocation | | Extracts location information from IP addresses. | |
| join | | Performs a SQL-like join of results from the main results pipeline with the results from the subpipeline. | |
| kmeans | | Performs k-means clustering on selected fields. | anomalies, anomalousvalue, cluster, outlier |
| localize | | Returns a list of the time ranges in which the search results were found. | map, transaction |
| makemv | | Changes a specified field into a multi-valued field during a search. | mvcombine, mvexpand, nomv |
| metadata | | Returns a list of host, source, or source type values. | |
| multikv | | Extracts field-values from table-formatted events. | |
| mvcombine | | Combines events in search results that have a single differing field value into one result with a multi-value field of the differing field. | mvexpand, makemv, nomv |
| mvexpand | | Expands the values of a multi-value field into separate events, one for each value of the multi-value field. | mvcombine, makemv, nomv |
| nomv | | Changes a specified multi-valued field into a single-value field at search time. | makemv, mvcombine, mvexpand |
| outlier | outlierfilter | Removes outlying numerical values. | anomalies, anomalousvalue, cluster, kmeans |
| overlap | | Finds events in a summary index that overlap in time or have missed events. | collect |
| rare | | Displays the least common values of a field. | top, stats |
| regex | | Removes results that match the specified regular expression. | rex, search |
| rename | | Renames a specified field; wildcards can be used to specify multiple fields. | |
| replace | | Replaces values of specified fields with a specified new value. | |
| reverse | | Reverses the order of the results. | head, sort, tail |
| rex | | Specifies a Perl regular expression with named groups to extract fields while you search. | extract, kvform, multikv, xmlkv, regex |
| run | | Runs an external Perl or Python script as part of your search. | |
| savedsearch | macro, savedsplunk | Returns the search results of a saved search. | |
| search | | Searches Splunk indexes for matching events. | |
| set | | Performs set operations on subsearches. | |
| sort | | Sorts search results by the specified fields. | reverse |
| stats | | Provides statistics, optionally grouped by fields. | eventstats, top, rare |
| strcat | | Concatenates string values. | |
| tail | | Returns the last n results. | head, reverse |
| timechart | | Creates a time series chart and corresponding table of statistics. | chart, bucket |
| top | common | Displays the most common values of a field. | rare, stats |
| transaction | transam | Groups search results into transactions. | |
| typelearner | | Generates suggested eventtypes. | typer |
| where | | Performs arbitrary filtering on your data. | eval |
| xmlkv | | Extracts XML key-value pairs. | extract, kvform, multikv, rex |
| xmlunescape | | Unescapes XML. | |

Search command reference syntax

See the search pipeline syntax page for a description of the search command pipeline in modified BNF (Backus-Naur Form).

Command syntax and conventions

Each command in this search reference is formatted as:

command argument ... [argument] ...

  • Commands are in bold.
  • Any bolded (and not italicized) character in the command syntax is required for the expression.
  • Required arguments are italicized (and can be bold). Optional arguments are in [brackets].
  • Ellipses, ..., indicate that many arguments can be inserted.

Arguments are defined in a table with the following columns:

| argument | syntax and value (default value) | Description and usage |
|---|---|---|
  • Default values are shown in parentheses ( ).
  • Arguments that have a table of options associated with them are italicized and in bold (argument).
  • The pipe character, |, is used as a logical OR, for example T | F means "True OR False".

Example conventions

Command examples that are applicable to Splunk Web are shown in a mock-up of a search bar.

foo | top fooField

Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.

    ./splunk search "foo | top fooField"

Revision: 207