• About this manual
  • What's in this guide?
• About Splunk
  • About Splunk
  • About Splunk licenses
    • Which license?
    • Install your license
    • License violations
• Tutorial
  • About this tutorial
    • Requirements
    • Log in
    • Splunk Web
    • Command line interface (CLI)
  • Simple searches
    • Index data
    • Search
    • Narrow your search
    • Use the timeline
  • Search results
    • Events and fields
    • Filter on fields
    • Define custom fields
    • Tag fields
    • Collect snapshots
  • Event types
    • Find similar events
    • Save as event type
    • Search for an event type
    • Tag an event type
    • Automated event type discovery
  • Save options
    • Save a search
    • Schedule the search
    • Schedule an alert
  • Reports
    • Report on results
    • Report on fields
    • Build new reports
    • Pick different charts
    • Add a report to your dashboard
  • More searches
    • Report
    • Transform
    • Re-order
    • Filter
    • Evaluate
    • Add a comparison
    • Use subsearches
  • CLI searches
• Use the Splunk Command Line Interface (CLI)
  • About Splunk's CLI
    • Access help in the CLI
    • CLI commands
    • auth and uri parameters
    • Note for Mac users
    • Start live tail
  • Search in the CLI
    • CLI Search syntax
    • Examples of CLI search
    • Dispatched searches
    • CLI search parameters
• Use form search
  • Form search
    • Run a form search
• Use Live Tail
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the CLI
    • Current limitations
• Use transaction search
  • Transactions
    • Example use cases
    • The transaction search command
    • Example transaction searches
    • Transactions and macro search
    • When to not use transactions
• Use tagging
  • About tags
    • Search for extracted fields associated with tags
    • Configure tags
    • Configure roles for tagging
• Use reporting
  • Chart gallery
    • Column (or bar) chart
    • Stacked column (or bar) chart
    • Line chart
    • Area chart
    • Stacked area chart
    • Scatter plot
    • Pie graph
    • Doughnut graph
    • Bubble graph
    • Heat map
  • Examples of useful reports
    • Internal Splunk log data
    • System monitoring data
    • Web access data
    • Web application data
    • Firewall (or connection) activity
    • Email activity or email transactions
    • Transaction data
• Search reference
  • Splunk search
    • Generate search results
    • Construct searches
    • Types of search
    • Save and schedule searches
    • Tune search performance
  • Search syntax
    • Keyword search
    • Literals ("quotes")
    • Wildcards
    • Punctuation marks
    • Boolean operators
    • Comparison operators
  • Search pipeline syntax
    • Search pipeline syntax
    • Subsearch syntax
• Field reference
  • About fields
    • Use fields in Splunk Web
    • Field syntax
    • Field naming
    • Multi-value fields
  • List of default fields
    • _index
    • _raw
    • _time
    • date_hour
    • date_mday
    • date_minute
    • date_month
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • host
    • linecount
    • punct
    • source
    • sourcetype
    • timestamp
• Modifier reference
  • Modifiers
    • Modifier syntax
    • Modifier precedence
  • Search modifiers
    • eventtypetag
    • hosttag
    • savedsearch
    • tag
  • Time modifiers
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hoursago
    • minutesago
    • monthsago
    • searchtimespandays
    • searchtimespanhours
    • searchtimespanminutes
    • searchtimespanmonths
    • startdaysago
    • starthoursago
    • startminutesago
    • startmonthsago
    • starttime
    • starttimeeu
    • timeformat
• Search command reference
  • Search commands
    • Commands that support multi-value fields
    • Conventions used in the search reference
    • Command index
  • Data-generating commands
    • file
    • savedsearch
    • search
  • Filter and re-order
    • dedup
    • head
    • localize
    • regex
    • reverse
    • set
    • sort
    • tail
    • where
  • Transforming and reporting commands
    • associate
    • chart
    • cluster
    • contingency
    • correlate
    • diff
    • format
    • highlight
    • rare
    • stats
    • strcat
    • timechart
    • top
    • transaction
    • typelearner
    • xmlunescape
  • Evaluate
    • abstract
    • addtotals
    • anomalousvalue
    • bucket
    • convert
    • eval
    • fields
    • fillnull
    • kmeans
    • outlier
    • rename
    • replace
  • Extracting commands
    • extract
    • iplocation
    • multikv
    • rex
    • typer
    • xmlkv
  • Administrative commands
    • admin
    • audit
    • run
• CLI command reference
  • Splunk Command Line Interface (CLI)
    • CLI commands
    • auth and uri parameters
    • Note for Mac users

Splunk Command Line Interface (CLI)

The Splunk Command Line Interface is commonly referred to as the "CLI". The table below lists the commands that you can use while in the CLI.

Use Splunk's CLI help command to get up-to-date descriptions of CLI commands and parameters. Access CLI help by typing ./splunk help while Splunk is running.

CLI commands

Syntax

Splunk CLI commands have the syntax:

./splunk command object [-parameter value]...

Here is a list of commands you can use in the CLI:

Command	Operation	Example
add	Add data inputs, user accounts, or saved searches	./splunk add tail var/log
anonymize	Anonymize data samples.	./splunk anonymize file -source '/home/myname/logs/*.log'
clean	Erase (clean) different types of user-generated data off of the server.	./splunk clean globaldata
dispatch	Run a long-running search or report.	./splunk dispatch "source=*hot* | stats count" -maxtime 3
display	Display bundles, or distributed features.	./splunk display local-index
disable	Disable bundles and distributed search features.	./splunk disable listen
edit	Edit data inputs, user accounts, saved searches, and bundles.	./splunk edit saved-search apache_errors -terms "404 OR 403"
enable	Enable bundles and distributed search features.	./splunk enable listen 9997
export	Export data from the server to a specified directory.	./splunk export globaldata -auth gwb:d3cidr
find	Find logs for Splunk to index.	./splunk find logs "../etc;../var"
help	Display the default help page for CLI help.	./splunk help
import	Import data from a specified directory to the server.	./splunk import userdata -dir /tmp/export.dat -subset eventtypetags,hosttags
install	Install bundles to the Splunk server.	./splunk install bundle /root/downloads/apache.bundle
list	List status of various server configuration attributes.	./splunk list tail
login, logout	Authenticate a session to a Splunk server with an Enterprise license (login). Or, end an authenticated session (logout).
recover	Recover files in the event of a crash.	./splunk recover
refresh	Update a deployment server with current deployment client server information.	./splunk refresh deploy-client
reload	Reload deployment clients with current deployment server data.	./splunk reload deploy-server -class wwwclass
remove	Remove data inputs, user accounts, saved searches, and bundles.	./splunk remove bundle myBundle
resurrect	Make data available that has previously been archived.	./splunk resurrect /tmp/myarchive test 01/01/2000:00:00:00 01/01/2001:00:00:00
search	Execute a search. See the search reference in the user guide for details on how to execute a search.	./splunk search "404 | top source"
set	Set current properties of various server attributes.	./splunk set deploy-poll 10.1.1.5:8089
show	Show server attributes.	./splunk show license
spool	Read a file or directory only one time. Or to read archived files.	./splunk spool /tmp/logs.tgz
start,stop,restart	Start, stop, or restart your Splunk server.	./splunk start
status	Show the status of Splunk's processes.	./splunk status splunkd
test,train	Improve Splunk's handling of dates, source types, and fields.	./splunk train dates onoes.txt
unresurrect	Delete directories that have been resurrected.	./splunk unresurrect foobar 07/01/2004:00:00:00 08/01/2004:00:00:00
upgrade	Upgrade bundles.	./splunk upgrade bundle leprechaun.bundle
validate	Check the correctness of a Splunk index.	./splunk validate index main
version	Display Splunk's version and build number.	./splunk version

auth and uri parameters

Use the auth and uri parameters with any CLI command.

auth

Use auth with commands that require authentication to execute. auth is useful if you need to run a command
that requires different permissions to execute than the currently logged in user has.

Note: auth must be the last parameter specified in a CLI command argument.

Syntax:

./splunk command object [-parameter value]... -auth username:password 

uri

Use uri to send commands to another Splunk server.

Syntax:

./splunk command object [-parameter value]... -uri specified-server (=  [http|https]://name_of_server:port)

Note for Mac users

Mac OS X requires you to have superuser level access to run any command that accesses system files or directories. Run CLI commands using sudo or "su -" for a new shell as root. The recommended method is to use sudo. (By default the user "root" is not enabled but any administrator user can use sudo.)

Enable Splunk to start on system start-up

Enable Splunk to start at system start-up by executing the command: ./splunk enable boot-start.

Splunk automatically creates a script and configuration file in the directory: /System/Library/StartupItems. This script is run at system start, and automatically stops Splunk at system shutdown.

Note: If you are using a Mac OS, you must have root level permissions (or use sudo).

Note: You need administrator access to use sudo..

Example:
Enable Splunk to start at system start up on Mac OS.

• Use the CLI to run:

./splunk enable boot-start

• Use the CLI with sudo:

sudo ./splunk enable boot-start