Documentation: 3.1.5
Print Version Contents
This page last updated: 01/28/08 10:01am

Search commands

Use search commands to generate search results from an index or process search results that get generated. Combine search commands in a search to produce specific sets of search results. Or produce complex reports based on search results (using the "|" to "pipe"/separate commands).

Select search commands from the list below to learn how to use them.

See the search syntax page for a description of the search command pipeline in modified BNF (Backus - Naur Form).

Data-generating file, remote, run, savedsearch, search
Saving run, sendemail, outputcsv, outputraw, outputtext, outputxml
Filtering & Re-ordering page, regex, run, set, sort, uniq, where
Transforming & Reporting associate, chart, contingency, correlate, diff, format, rare, run, select, stats, timechart, top, xmlunescape
Evaluating abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace, run
Extracting extract(kv), multikv, run, xmlkv
Administering run, admin

Use data-generating commands to get data out of a Splunk index.

Saving commands allow you to save data in various formats. Use saving commands to format data for a particular type of output.

Filtering & Re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.

Transforming & Reporting commands allow you to summarize large result sets.

Evaluating commands evaluate each result, and change the fields or values of fields within each result.

Extracting commands add fields to results based on raw event data.

Administering commands allow you to perform administrative functions.


Conventions used in the search reference

Syntax conventions

command argument ... [argument] ...

  • Commands are in bold.
  • Any bolded (and not italicized) character in the command syntax is a required term for the expression.
  • Required arguments are italicized (and can be bold).
  • Optional arguments are in [brackets].
  • " ... " means that many arguments can be inserted.
  • Arguments are defined in a table.
argument= syntax and value(default value) Description, and usage.
  • Default values are shown in parentheses ( ).
  • Arguments that have a table of options associated with them are italicized and in bold (argument).
  • " | " is used as a logical OR.
  • T | F = True OR False.

Other conventions

  • Command examples that are applicable to SplunkWeb are shown in a mock-up of a search bar.

foo | topSearch

  • Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.
./splunk search "foo | top"

The run command

The run command makes calls to external perl or python programs that can modify or generate search results. It takes search results as inputs, and outputs the results of the script(s) called.

To disable the running of a script, delete the script out of the splunk_home/etc/searchscripts directory.

Syntax

run (perl OR python) script-name [script-argument] ... [script-argumentN] [maxinputs-arg]

Arguments

script-name= script name The name of the script to execute (minus the path and file extension).
script-argument= script arguments An argument passed to the script.
maxinputs-arg= maxinputs=integer(100) Specify a number of results to pass to the script. If no maxinputs is specified, run will pass up to 10,000 events to scripts.

Examples

404 | run python myscript myarg1 myarg2 | sendemail to= email@site.comSearch

  • Searches for events containing 404, and runs the python script= myscript. Then it sends the results in an email to email@site.com.

The admin command

This data-generating command returns the values of a specified ".conf file.

Syntax

admin configuration file

Arguments

configuration file=bundle name Name of a bundle that corresponds to a Splunk .config file (e.g. eventtypes, inputs, props).

Examples

SplunkWeb:

admin eventtypesSearch

  • Returns the values of the eventtypes.conf file.

CLI:

./splunk search "admin auth"

  • Returns authentication settings in auth.conf.
./splunk search "admin props"
  • Returns processing properties - time zones, breaking characters, etc contained in props.conf.
Previous: Search fields    |    Next: Data-generating commands

Comments

  1. All of these comments have been addressed, and the search language reference is spot on!
    Posted by jrosensteel on Nov 20 2007, 5:19pm

  2. Should the groupby field delimiter for STATS be colons or commas?

    "groupby=field1:field2:field3:...fieldn"
    or
    "groupby=field1,field2,field3,...fieldn"

    I tried the first which per the doco here and it did not work. With commas it seems to work.
    Posted by nclarkau on Aug 29 2007, 8:33pm

  3. This needs to link to the appropriate sqlite documentation page.
    Posted by cfrln on Aug 20 2007, 11:19am

  4. The above mentions "see the bucket operator" but should either link to that or provide the details.
    Posted by cfrln on Aug 14 2007, 12:02pm

Log in to comment.