• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Use the Splunk Command Line Interface (CLI)
  • The Splunk CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Asynchronous searches (dispatch CLI command)
    • CLI search parameters
• Use form search
  • Form search
    • Run a form search
• Use Live Tail
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Use transaction search
  • Transactions
    • Useful transactions
    • The transaction command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
• Use tagging
  • About tags
    • Search for events containing tags
    • Configure tags
    • Configure roles for tagging
• Use reporting
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
• Search reference
  • Splunk search
    • Generate search results
    • Construct searches
    • Form searches
    • Macro searches
    • Transactions
    • Live tail
    • Save and schedule searches
    • Asynchronous searches
    • CLI searches
    • Tune search performance
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • Fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • Field list
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • correlate
    • diff
    • format
    • highlight
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
• CLI command reference
  • Splunk Command Line Interface (CLI)
    • CLI commands
    • auth and uri parameters
    • Note for Mac users

Search in the CLI

Run searches in the CLI using the CLI search command. Searches in the CLI work the same way as searches in Splunk Web except there is no timeline rendered with the search results, and a time range isn't specified by default.

Access these CLI help pages from the command line for help with CLI searches:

For a complete list of search commands available in the CLI type:

./splunk help search-commands

For a quick reference on CLI search command syntax type:

./splunk help commands

CLI Search syntax

In general, the syntax you use for search commands and arguments in the CLI is the same as you use in Splunk Web. In Splunk Web the search command is automatically prepended to a search when you use the search bar. You can search for anything you would normally search for in the CLI by using the CLI search command.

When you search using the CLI search command, quote the search string (argument of the search command) with single-quotes. You can use double-quotes, but this can cause parsing errors when you use double-quotes to express field arguments.

General form of a CLI search command string:

./splunk search 'search string' [-parameter] 

Example:
This search selects events whose _raw field contains ip addresses in the non-routable class A (10.0.0.0/8).

./splunk search '* | regex _raw="(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)" '

Differences between CLI and Splunk Web searches

• Remember to quote search strings using single quotes to avoid any parsing errors.
• You can't use search commands that produce charts or graphs in the CLI.
• Use * to search for all events in a CLI search (example: ./splunk search '* | top' - returns top 10 events from all your data).
• Use time-based search modifiers to specify time ranges for your CLI searches.

Examples

These examples illustrate the difference between searches in Splunk Web and searches in the CLI.

This example selects events whose _raw field contains IP addresses in the non-routable class A (10.0.0.0/8).

Splunk Web:

| regex _raw=(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)

CLI:

./splunk search '* | regex _raw="(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)" '

This example returns all URLs that have 404 errors but not 303 errors.

Splunk Web:

index=sampledata | set diff [search 404 | select url] [search 303 | fields url]

./splunk search ' index="sampledata" | set intersect [search "404 | select url"] [search "303 | fields url"] '

This example extracts the COMMAND field only when it occurs in rows that contain "splunkd".

Splunk Web:

| multikv fields COMMAND filter splunkd

./splunk search ' * | multikv fields COMMAND filter splunkd '

Asynchronous searches (dispatch CLI command)

The Splunk CLI allows you to run multiple searches asynchronously using the dispatch CLI command. Use dispatch to report on a large amount of data where the search could take days and you still want to be able to run other searches with Splunk. dispatch works the same way as search except you are not limited to running a single search. Set when to end a dispatch search by setting a maximum time (-maxtime) or a maximum number of results to output (-maxout).

To run more than one dispatch (search):
1. Execute a dispatch command in your current shell window.
2. (Leave your current window open.) Open a new shell window.
3. Execute another dispatch command.
Repeat!

Access the dispatch CLI help page at the command line for full detail of its syntax:

./splunk help dispatch

Note: Use dispatch to search without a maximum result limit.

Syntax

dispatch uses the same syntax as the CLI search command.

./splunk dispatch 'search string' [-parameter]

Optional parameters

Caution: Do not set the optional parameter -maxout to a large value near the max value. Setting a large value causes Splunk to hang indefinitely in some cases.

Examples

This example starts a search for events on all sources that contain "hot" and returns the count of events. The maxtime parameter sets the search to only run for 3 seconds.

./splunk dispatch "source=*hot* | stats count" -maxtime 3

This example searches for events from the access source types with byte counts greater than 1000. The maxout parameter sets the search to run until its returned 200 search results.

./splunk dispatch "sourcetype=access* bytes>1000" -maxout 200 

CLI search parameters

maxresults

By default, Splunk returns 100 search results when you search in the CLI. Splunk also passes only 100 search results as arguments to search commands in your search pipeline. Change the maximum number of results passed to search commands by using the -maxresults parameter of the CLI search command.

Set a new value for maxresults (0-50000) by adding the maxresults parameter after your search string.

Caution: Setting -maxresults to a high value causes searches to run very slow. Splunk recommends that you search in Splunk Web if you want your search to return a higher number of results.

Syntax:

./splunk search 'search string' -maxresults <value>

Example:

This example searches for 404's from web server events and returns only 5000 events (by setting -maxresults 5000).

./splunk search '404 host=webserver bigcompany.com | top source'  -maxresults 5000