Deprecated search commands

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13

The commands on this page are currently deprecated, or will be deprecated in future versions. When a recommended alternative is available, it is provided in the listing.


If a command is marked as Internal, do not use it unless explicitly instructed to do so by Splunk staff.


nopartial

nopartial: Internal, deprecated in versions 3.2 and later.

Use nopartial to turn off paging in the current search pipeline.


Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

nopartial


Arguments

None.


remote

remote: Deprecated in versions 3.2 and later.

Instead of using remote, use the dispatch CLI command to execute searches on remote machines. Refer to the section on CLI searches in the User manual for details.


To work with remote in versions 3.2 and later, you must use it in conjunction with the page command.


For example, in pre-3.2 Splunk, you'd use remote like this:


./splunk search "remote * [search ishmael] | outputcsv"

In 3.2 and later, the same search looks like this:


./splunk search "| page 0-10 100 [remote * [search ishmael]] | outputcsv"

Use remote to run a search across different remote servers. remote automatically aggregates the results from the different servers, and displays them by time.


Note: You can't push scripts out to machines at search time. If you run a Perl or Python script on a remote machine, that script must already be present on the machine where it is to run.


Note: You must use a | (pipe) when you begin searches with remote.


Syntax

| remote server-list [search string]


Arguments

server-list=server1,...,serverX Comma- or space-separated list of Splunk servers (or "*" to represent all known peers).
search string Search string to execute on the remote server(s).

Examples

CLI:


./splunk search "| page 0-10 100 [remote * [search ishmael]] | outputcsv"

searchps

searchps: Internal, deprecated in versions 3.2 and later.

Splunk uses searchps to display a list of currently running searches.


Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

searchps


Arguments

None.


select

select: Deprecated in versions 3.3 and later.

Runs an SQLite statement against the search results, using SQLite syntax. Before the select command is executed, the previous search results are put into a temporary database table named "results". Rows with no values are ignored, so that they do not produce blank search results. All fields referenced in the select statement must be prefixed with an underscore.


Note: Be aware that the select command may cause searches to run slowly. If you are using select for an operation that another Splunk command already performs (for example, statistical operations), use that command instead (in this case, stats).


See the SQLite online documentation for details on SQLite syntax, arguments, and expressions.


Syntax

select select-arg


Arguments

select-arg A valid SQLite statement using the SQLite syntax.

Note: select does not support the SQLite operators | and || (single-bar and double-bar). This is because "|" is used in Splunk's search language to separate commands in a search string.


Note: When using field names in the select command, you must prepend them with an underscore "_". For example, the fields "dest" and "port" must be expressed as "_dest" and "_port" in your select expression:


netscreen | select distinct _dest, _port from results

Examples

Splunk Web:


This example returns a table with one column: URLs not from localhost.


404 | select _url FROM results WHERE _host != 'localhost'

CLI:


This example returns IP addresses that start with "12" and end with "255".


./splunk search "* | select _ip FROM results WHERE _ip regexp '^12.*255$'"

Use Instead

If you used select for "group by" calculations or for selecting all extracted fields, the preferred methods are:


  • For "group by" calculations, use the stats command: | stats <operator> by <fields>
  • For selecting all extracted fields (i.e. sourcetype=foo | select *), use the fields command: | fields *
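To make the select semantics above concrete (a temporary "results" table, underscore-prefixed field names, rows without values dropped, and "|" never reaching SQLite), here is an added emulation written for this page; it is not Splunk's implementation. It assumes results are dicts of extracted fields, builds the table in an in-memory SQLite database, and registers a regexp() function so the page's REGEXP example works (SQLite provides the operator but not the function).

```python
import re
import sqlite3

# Constructed sample search results (one dict of extracted fields per event),
# standing in for the output of the search that precedes "| select ...".
SAMPLE_RESULTS = [
    {"url": "/doc/index.html", "host": "web01", "ip": "12.10.0.255"},
    {"url": "/doc/search.html", "host": "localhost", "ip": "10.0.0.1"},
    {"url": "/admin", "host": "web02", "ip": "12.3.4.255"},
    {},  # a row with no values: select ignores it
    {"url": "/doc/index.html", "host": "web01", "ip": "12.10.0.255"},
]


def run_select(results, statement):
    """Emulate the deprecated select command (an approximation, not Splunk's
    code): load the previous results into a temporary SQLite table named
    "results" whose columns are the field names prefixed with "_", drop rows
    that carry no values, run the caller's SQLite statement, and return the
    result rows as dicts keyed by output column name."""
    # "|" separates commands in the Splunk search language, so it can never
    # reach select; the SQLite | and || operators are therefore unavailable.
    if "|" in statement:
        raise ValueError("'|' is the Splunk command separator and cannot appear in a select statement")
    rows = [r for r in results if any(v not in (None, "") for v in r.values())]
    fields = sorted({name for r in rows for name in r})
    if not fields:
        return []
    conn = sqlite3.connect(":memory:")
    # SQLite evaluates "X REGEXP Y" by calling regexp(Y, X), i.e. pattern
    # first; registering the function makes "WHERE _ip regexp '...'" work.
    conn.create_function(
        "regexp", 2,
        lambda pattern, value: int(value is not None and re.search(pattern, value) is not None),
    )
    columns = ", ".join(f'"_{name}"' for name in fields)
    conn.execute(f"CREATE TEMP TABLE results ({columns})")
    placeholders = ", ".join("?" for _ in fields)
    conn.executemany(
        f"INSERT INTO results VALUES ({placeholders})",
        [tuple(r.get(name) for name in fields) for r in rows],
    )
    cur = conn.execute(statement)
    names = [d[0] for d in cur.description]
    out = [dict(zip(names, row)) for row in cur.fetchall()]
    conn.close()
    return out


if __name__ == "__main__":
    # The page's Splunk Web example: URLs not from localhost.
    for row in run_select(SAMPLE_RESULTS, "select _url FROM results WHERE _host != 'localhost'"):
        print(row)
    # The page's CLI example: IP addresses that start with "12" and end with "255".
    for row in run_select(SAMPLE_RESULTS, "select _ip FROM results WHERE _ip regexp '^12.*255$'"):
        print(row)
```

Note that the statement is handed to SQLite as-is, which is exactly why the page's fields referenced without the underscore prefix (or bare, unquoted string values) fail with "no such column" rather than silently returning nothing.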

streamedcsv

streamedcsv: Internal, deprecated in versions 3.2 and later. Use streamedcsv to test the dispatch search command. It is not meant to be used in searches.

Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

streamedcsv


Arguments

None.


summary

summary: Internal, deprecated in versions 3.2 and later.

Splunk Web uses summary when rendering the field list in report mode.



Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

summary


Arguments

None.


timeline

timeline: Internal, deprecated in versions 3.2 and later.

Splunk Web uses timeline to replace all search results with timeline bucket results when rendering its timeline. timeline will be deprecated once Splunk Web fully supports asynchronous searching.


Note: Do not use commands marked Internal unless explicitly instructed to do so by Splunk staff.


Syntax

timeline [maxbuckets] [top] [bottom]


Arguments

maxbuckets=integer Set the maximum number of buckets.
top=integer Set the number of top values to store.
bottom=integer Set the number of bottom values to store.

uniq

uniq has been deprecated, is no longer supported, and may be removed from future releases. Use the dedup command instead.

The uniq command filters results by removing exact duplicates of results from the search result list. The returned result list contains the first instance of each unique item in the results returned by your search.


Syntax

uniq


Arguments

None.


Examples

Splunk Web:


This example searches the main index for 404 errors for any URL with "/doc", removes duplicate entries (with uniq), and then yields a report of the top 10 404's based on the referer.


index=main 404 /doc | uniq | top limit=10 referer

This example searches for events with the term "404", extracts the field "referer" (pre-defined in transforms.conf), strips the events of all duplicates, and displays the first 10 unique events.


404 | extract referer | uniq | head
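The two pipelines above (uniq followed by top, and uniq followed by head) can be emulated in a few lines, which also shows how uniq differs from its recommended replacement dedup. This is an added illustration written for this page, not Splunk's code; events are assumed to be dicts of fields, the sample events are constructed, and the helpers uniq, dedup, top and head model only the behaviour this page describes.

```python
from collections import Counter

# Constructed sample events, standing in for the results of a search such as
# "index=main 404 /doc" with the referer field already extracted.
SAMPLE_EVENTS = [
    {"_time": "2008-05-01T10:00:00", "status": "404", "uri": "/doc/index.html", "referer": "http://a.example/"},
    {"_time": "2008-05-01T10:00:00", "status": "404", "uri": "/doc/index.html", "referer": "http://a.example/"},  # exact duplicate
    {"_time": "2008-05-01T10:00:05", "status": "404", "uri": "/doc/search.html", "referer": "http://a.example/"},
    {"_time": "2008-05-01T10:00:09", "status": "404", "uri": "/doc/index.html", "referer": "http://b.example/"},
    {"_time": "2008-05-01T10:00:12", "status": "404", "uri": "/doc/faq.html", "referer": "http://b.example/"},
    {"_time": "2008-05-01T10:00:12", "status": "404", "uri": "/doc/faq.html", "referer": "http://b.example/"},  # exact duplicate
    {"_time": "2008-05-01T10:00:20", "status": "404", "uri": "/doc/faq.html", "referer": "http://c.example/"},
]


def uniq(events):
    """uniq: remove exact duplicates (every field equal), keeping the first instance."""
    seen = set()
    kept = []
    for event in events:
        key = tuple(sorted(event.items()))
        if key not in seen:
            seen.add(key)
            kept.append(event)
    return kept


def dedup(events, fields):
    """dedup <fields> (the recommended replacement): keep the first event for
    each distinct combination of the named fields. With every field listed it
    behaves like uniq; with fewer fields it is more aggressive, since events
    that differ only in unlisted fields collapse to one."""
    seen = set()
    kept = []
    for event in events:
        key = tuple(event.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(event)
    return kept


def top(events, field, limit=10):
    """top limit=N <field>: the most common values of a field as
    (value, count, percent) rows, most frequent first."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return [(value, count, round(100.0 * count / total, 2))
            for value, count in counts.most_common(limit)]


def head(events, limit=10):
    """head: the first N events of the pipeline."""
    return events[:limit]


if __name__ == "__main__":
    # index=main 404 /doc | uniq | top limit=10 referer
    for row in top(uniq(SAMPLE_EVENTS), "referer", limit=10):
        print(row)
    # 404 | extract referer | uniq | head
    for event in head(uniq(SAMPLE_EVENTS)):
        print(event["_time"], event["uri"], event["referer"])
```

Running top without uniq first counts the duplicated events twice, which is why the page puts uniq before top; dedup on referer alone would instead keep only one event per referer and change the report entirely.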
Revision: 207. Community content licensed under Creative Commons.