Documentation: 3.1.3
This page last updated: 01/28/08 10:01am

Search commands

Use search commands to generate search results from an index, or to process results that an earlier command has produced. Chain commands with the pipe character ("|") to build specific sets of results or to produce complex reports from them.

Select search commands from the list below to learn how to use them.

See the search syntax page for a description of the search command pipeline in modified BNF (Backus-Naur Form).

  • Data-generating: file, remote, run, savedsearch, search
  • Saving: run, sendemail, outputcsv, outputraw, outputtext, outputxml
  • Filtering & Re-ordering: page, regex, run, set, sort, uniq, where
  • Transforming & Reporting: associate, chart, contingency, correlate, diff, format, rare, run, select, stats, timechart, top, xmlunescape
  • Evaluating: abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace, run
  • Extracting: extract (kv), multikv, run, xmlkv
  • Administering: run, admin

Use data-generating commands to get data out of a Splunk index.

Saving commands write results out in a particular format (CSV, raw text, plain text, XML) or send them elsewhere, for example by e-mail.

Filtering & Re-ordering commands don't change the data within results. They let you filter a result set and re-order how its results appear.

Transforming & Reporting commands allow you to summarize large result sets.

Evaluating commands evaluate each result, and change the fields or values of fields within each result.

Extracting commands add fields to results based on raw event data.

Administering commands allow you to perform administrative functions.



Conventions used in the search reference

Syntax conventions

command argument ... [argument] ...

  • Commands are in bold.
  • Any bolded (and not italicized) character in the command syntax is a required term for the expression.
  • Required arguments are italicized (and can be bold).
  • Optional arguments are in [brackets].
  • " ... " means that many arguments can be inserted.
  • Arguments are defined in a table with three columns: the argument, its syntax and value with the default in parentheses, and a description of its usage.
  • Default values are shown in parentheses ( ).
  • Arguments that have a table of options associated with them are italicized and in bold (argument).
  • " | " in a syntax line is a logical OR, so T | F means True OR False (this is distinct from the "|" that separates commands in a search).

Other conventions

  • Command examples that are applicable to SplunkWeb are shown in a mock-up of a search bar.

foo | top

  • Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.

    ./splunk search "foo | top"


The run command

The run command calls an external Perl or Python program that can modify or generate search results. It passes the incoming search results to the script and returns whatever the script outputs as the new result set.

Any script in the splunk_home/etc/searchscripts directory can be invoked from a search. There is no switch to disable an individual script: to stop it from being run, delete it from that directory, and review that directory's contents as you would any other executable code.

Syntax

run (perl OR python) script-name [script-argument] ... [script-argumentN] [maxinputs-arg]

Arguments

  • script-name: the name of the script to execute, without path or file extension. The script must live in splunk_home/etc/searchscripts.
  • script-argument: an argument passed to the script; repeat as many times as needed.
  • maxinputs=integer (100): the number of results to pass to the script. If maxinputs is not specified, run passes up to 10,000 events to the script.

Examples

404 | run python myscript myarg1 myarg2 | sendemail to=email@site.com

  • Searches for events containing 404, passes the results to the Python script myscript with the arguments myarg1 and myarg2, then e-mails the script's output to email@site.com.
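As an added example (not code from the Splunk documentation), here is what a script invoked as `run python flag404 clientip 2` might look like: it counts 404 events per client and flags clients at or above a threshold. The interface it assumes, that the result set arrives as CSV with a header row on stdin, goes back out as CSV on stdout, and that each script-argument arrives as a command-line argument, is an assumption of this example and is not stated on this page; check an existing script in your searchscripts directory for the convention your installation uses. The script name `flag404`, the field and threshold arguments, and the sample result rows are all made up for illustration.

```python
# Added example (not from the Splunk documentation): a search script of the
# kind `run python` invokes, written against the ASSUMED interface that the
# script receives the current result set as CSV with a header row on stdin,
# emits CSV on stdout, and gets its script-arguments on the command line.
import csv
import io
import sys
from collections import Counter

# The syntax table on this page shows maxinputs defaulting to 100.
DEFAULT_MAXINPUTS = 100

# Constructed sample result set (not real data): what a search for "404"
# might hand to the script.
SAMPLE_RESULTS = """_time,clientip,status,uri
2008-01-28T10:01:00,10.0.0.5,404,/admin
2008-01-28T10:01:02,10.0.0.5,404,/wp-login.php
2008-01-28T10:01:05,10.0.0.9,404,/favicon.ico
"""


def read_results(stream, maxinputs=DEFAULT_MAXINPUTS):
    """Read at most `maxinputs` result rows from a CSV stream as dicts."""
    rows = []
    for row in csv.DictReader(stream):
        if len(rows) >= maxinputs:
            break  # honour maxinputs even if the caller hands us more
        rows.append(row)
    return rows


def flag_frequent(rows, field, threshold):
    """Count distinct values of `field`; flag those seen `threshold`+ times.

    Returns result rows with the field value, its count and flagged=1/0,
    most frequent first. Every value is a string, as CSV output requires.
    """
    counts = Counter(row.get(field, "") for row in rows)
    return [
        {field: value, "count": str(n), "flagged": "1" if n >= threshold else "0"}
        for value, n in counts.most_common()
    ]


def write_results(rows, stream):
    """Emit result rows as CSV; an empty result set writes nothing."""
    if not rows:
        return
    writer = csv.DictWriter(stream, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)


def process_csv(text, field, threshold, maxinputs=DEFAULT_MAXINPUTS):
    """Run the whole pipeline on CSV text and return the output rows."""
    rows = read_results(io.StringIO(text), maxinputs)
    return flag_frequent(rows, field, threshold)


def main(argv=None):
    """Entry point when Splunk runs it: run python flag404 clientip 2"""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2 or not argv[1].isdigit():
        # Refuse malformed arguments instead of guessing at them.
        sys.stderr.write("usage: flag404 <field> <threshold>\n")
        return 2
    out = flag_frequent(read_results(sys.stdin), argv[0], int(argv[1]))
    write_results(out, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Whatever the script writes to stdout becomes the result set handed to the next command in the pipeline (sendemail in the example above), so the script rejects malformed arguments rather than guessing, caps the rows it reads at maxinputs, and emits only string fields.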

The admin command

This data-generating command returns the settings in a specified .conf file. Because the output is returned as search results, anyone who can run the search can read the file's contents (auth.conf included).

Syntax

admin configuration file

Arguments

  • configuration file: the name of a bundle that corresponds to a Splunk .conf file (e.g. eventtypes, inputs, props), given without the .conf extension.

Examples

SplunkWeb:

admin eventtypes

  • Returns the values of the eventtypes.conf file.

CLI:

    ./splunk search "admin auth"

  • Returns the authentication settings in auth.conf.

    ./splunk search "admin props"

  • Returns the processing properties (time zones, line-breaking characters, etc.) contained in props.conf.
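The files admin dumps share one layout, and as an added example (not code from the Splunk documentation) the parser below reads that layout into a dictionary of stanzas so the output can be inspected or diffed outside Splunk. The format details it assumes, `[stanza]` headers, `key = value` lines, `#` comments and a trailing backslash that continues a value onto the next line, are assumptions of this example rather than statements on this page, and the eventtypes.conf-style sample it parses is constructed, not a real file.

```python
# Added example (not from the Splunk documentation): a parser for the
# stanza / key = value layout that Splunk .conf files use. ASSUMED format,
# not stated on this page: [stanza] headers, key = value lines, '#'
# comments, and a trailing backslash to continue a value on the next line.


def logical_lines(text):
    """Join backslash-continued physical lines into logical lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:  # file ended with a dangling continuation
        yield buf


def parse_conf(text):
    """Return {stanza: {key: value}}.

    Keys that appear before any [stanza] header are filed under "default".
    A line that is neither a header, a comment nor key = value raises
    ValueError rather than being silently skipped.
    """
    stanzas = {}
    current = "default"
    for line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        # Split at the first '=' only: search strings routinely contain '='.
        key, sep, value = stripped.partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed .conf line: %r" % line)
        stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


# Constructed sample in the shape of an eventtypes.conf (not a real file).
SAMPLE_EVENTTYPES_CONF = """\
# constructed sample
[web_error]
search = status>=400 \\
         sourcetype=access_combined
description = Any HTTP client or server error

[login_failure]
search = "failed password"
"""


def eventtype_searches(conf_text):
    """Map each eventtype stanza to its search string, whitespace-normalised."""
    return {
        name: " ".join(body.get("search", "").split())
        for name, body in parse_conf(conf_text).items()
        if name != "default"
    }
```

Splitting at the first `=` only matters for eventtypes and props, whose values are themselves searches or regexes containing `=`; the parser raises on anything it cannot classify so that a damaged file is noticed instead of partially loaded.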

Comments

  1. All of these comments have been addressed, and the search language reference is spot on!

  2. Should the groupby field delimiter for STATS be colons or commas?

    "groupby=field1:field2:field3:...fieldn"
    or
    "groupby=field1,field2,field3,...fieldn"

    I tried the first, which is per the doco here, and it did not work. With commas it seems to work.

  3. This needs to link to the appropriate sqlite documentation page.

  4. The above mentions "see the bucket operator" but should either link to that or provide the details.
