Documentation: 3.2
This page last updated: 07/01/08 09:07am

Search commands

Use search commands to generate search results from an index, or to process search results that have already been generated. Combine search commands in a single search to produce a specific set of results, or to produce detailed reports based on those results; the "|" ("pipe") character separates one command from the next.

Select search commands from the list below to learn how to use them.

See the search pipeline syntax page for a description of the search command pipeline in modified BNF (Backus-Naur Form).

Data-generating: file, savedsearch, search
Filtering & Re-ordering: dedup, head, localize, regex, reverse, set, sort, tail, where
Transforming & Reporting: associate, chart, cluster, contingency, correlate, diff, format, highlight, rare, stats, strcat, timechart, top, transaction, typelearner, xmlunescape
Evaluating: abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace
Extracting: extract (kv), iplocation, multikv, rex, typer, xmlkv
Administrative: admin, audit, run

Use data-generating commands to get data out of a Splunk index.

Filtering & Re-ordering commands don't change the data within results. They let you filter a result set and re-order how results appear.

Transforming & Reporting commands allow you to summarize large result sets.

Evaluating commands evaluate each result, and change the fields or values of fields within each result.

Extracting commands add fields to results based on raw event data.

Administrative commands allow you to perform administrative functions.

Commands that support multi-value fields

Some commands can process multi-value fields. A multi-value field lets Splunk recognize multiple values within a single field value string. Splunk parses the separate values from a field using regular expression delimiters you define in fields.conf (Learn how to configure multi-value fields).

The following commands support multi-value fields:

Conventions used in the search reference

Syntax conventions

command argument ... [argument] ...

  • Commands are in bold.
  • Any bolded (and not italicized) character in the command syntax is a required term for the expression.
  • Required arguments are italicized (and can be bold).
  • Optional arguments are in [brackets].
  • " ... " means that many arguments can be inserted.
  • Arguments are defined in a table with three columns: the argument, its syntax and value (with the default value in parentheses), and its description and usage.
  • Default values are shown in parentheses ( ).
  • Arguments that have a table of options associated with them are italicized and in bold (argument).
  • " | " is used as a logical OR.
  • T | F = True OR False.

Other conventions

Command examples that apply to Splunk Web are shown in a mock-up of a search bar:

    foo | top fooField

Command examples that apply to the Splunk command line (CLI) are shown in indented fixed-width font:

    ./splunk search "foo | top fooField"

Command index

abstract
addtotals
admin
anomalousvalue
associate
audit
bucket
chart
cluster
contingency
convert
correlate
dedup
diff
eval
extract/kv
fields
file
fillnull
format
head
highlight
iplocation
kmeans
localize
multikv
outlier
rare
regex
rename
replace
reverse
rex
run
savedsearch
search
set
sort
stats
strcat
tail
timechart
top
transaction
typelearner
where
xmlkv
xmlunescape
