• Overview
  • Overview
• User Interface
  • User Interface
    • Skinning SplunkWeb
  • Splunk toolbar for Firefox
  • Permalinks
    • Parameters
    • Unsupported Parameters
    • Examples
  • Configuring SplunkWeb
    • Skins
    • Localization
  • Scripting the Splunk search command
  • REST API
    • Messages
    • Authentication
    • Search
    • Enabling/disabling REST configuration options
    • Examples
  • SOAP API
    • How Splunk uses SOAP
    • Using the PCL to Make SOAP Requests
    • Additional PCL Search Examples
    • Creating SOAP Requests
    • SOAP Message Examples
    • SOAP error messages
• Data Inputs
  • Data Inputs
  • Input config
  • Scripted inputs
    • Configuration
    • Example
  • Understanding modules and processors
    • Default processors and pipelines
    • Pipeline data keys
    • Changing the default parsing and indexing sequence
    • Adding custom processors
  • Coding C/C++ processors
    • Writing Your Callback Function
    • Write Main
    • Add a Processor Config Stanza to Pipeline
  • Complete C Example
  • Complete C++ Example
  • Selecting events to process with a bundle
    • Create the Processor
    • Create the Module
    • Create the Bundle
    • Add an Additional Processor
• Data Outputs
  • Data Outputs
  • Customizing alert options
    • Email alerts
  • CLI for search
    • Actions
    • Default Argument
    • Parameters
    • Example
  • TCP Output
  • XML API for data output
• Management
  • Management
  • Authentication
    • Command Authentication
    • Parameters
    • Examples
    • Session Authentication
    • Examples
  • CLI for management
    • User Accounts
    • Controls
  • Configuring splunkd
    • Creating default logins on first startup
    • Changing the SSL configuration
  • XML API for management

CLI for search

Note: this page has not been fully updated for 3.0.

The command-line search API supports the exact same syntax as the Splunk box, with additonal parameters.

Actions

• search

Default Argument

• search-string (same format as Splunk box)

Parameters

• -output
  • splunkui (default)
  • scheduler
  • rawevents

• -format
  • normal (default)
  • xml

• -get <type>::<range start>-<range end>
  • events (default)
  • types
  • hosts
  • sourcetypes
  • sources

where range is n items returned from the full results. Example:

splunk search 404 -get sources::0-9

returns the first 10 sources from the specified search.

• future -get parameters (not yet implemented)
  • matching
  • timebuckets
  • report
  • samplesfortypes
  • eventtags
  • sourcetypetags
  • hosttags
  • report

Example

splunk search -get hosts "smtp NOT success hoursago::1"

By default only 100 events are returned when a search is done from the CLI. This can be changed by adding maxresults:: to your search. For large searches, we recommend you use the "raw" output type to reduce memory usage.

splunk search -output rawevents "meta::all minutesago::120 maxresults::100000"