• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Use the Splunk Command Line Interface (CLI)
  • About Splunk's CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Examples of CLI search
    • Dispatched searches
    • CLI search parameters
• Use form search
  • Form search
    • Run a form search
• Use Live Tail
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Use transaction search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
• Use tagging
  • About tags
    • Search for extracted fields associated with tags
    • Configure tags
    • Configure roles for tagging
• Use reporting
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
• Search reference
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • About fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • List of default fields
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • correlate
    • diff
    • format
    • highlight
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
• CLI command reference
  • Splunk Command Line Interface (CLI)
    • CLI commands
    • auth and uri parameters
    • Note for Mac users

Search commands

Use search commands to generate search results from an index or process search results that get generated. Combine search commands in a search to produce specific sets of search results. Or produce detailed reports based on search results (using the "|" ("pipe") to separate commands).

Select search commands from the list below to learn how to use them.

See the search pipeline syntax page for a description of the search command pipeline in modified BNF (Backus - Naur Form).

Use data-generating commands to get data out of a Splunk index.

Filtering & Re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.

Transforming & Reporting commands allow you to summarize large result sets.

Evaluating commands evaluate each result, and change the fields or values of fields within each result.

Extracting commands add fields to results based on raw event data.

Administrative commands allow you to perform administrative functions.

Commands that support multi-value fields

Some commands can process multi-value fields. Multi-value fields allow Splunk to recognize multiple values in a single field value string. Splunk parses multiple values from a field using regular expression delimiters you define in fields.conf (Learn how to configure multi-value fields).

The following commands support multi-value fields:

• chart
• rare
• stats
• timechart
• top

Conventions used in the search reference

Syntax conventions

command argument ... [argument] ...

• Commands are in bold.
• Any bolded (and not italicized) character in the command syntax is a required term for the expression.
• Required arguments are italicized (and can be bold).
• Optional arguments are in [brackets].
• " ... " means that many arguments can be inserted.
• Arguments are defined in a table.

• Default values are shown in parentheses ( ).
• Arguments that have a table of options associated with them are italicized and in bold (argument).
• " | " is used as a logical OR.
• T | F = True OR False.

Other conventions

Command examples that are applicable to Splunk Web are shown in a mock-up of a search bar.

foo | top fooField

./splunk search "foo | top fooField"

Command index

abstract
addtotals
admin
anomalousvalue
associate
audit
bucket
chart
cluster
contingency
convert
correlate
dedup
diff
eval
extract/kv
fields
file
fillnull
format
head
highlight
iplocation
kmeans
localize
multikv
outlier
rare
regex
rename
replace
reverse
rex
run
savedsearch
search
set
sort
stats
strcat
tail
timechart
top
transaction
typelearner
where
xmlkv
xmlunescape