Documentation:
3.3
This page last updated: 08/05/08 06:08pm
Search commands
Use search commands to generate data (usually search results) from an index or process search results that Splunk generates from an index. Produce specific sets of search results by combining search commands in a search. Or produce detailed reports using reporting commands.
Select search commands from the list below to learn how to use them.
See the search pipeline syntax page for a description of the search command pipeline in modified BNF (Backus - Naur Form).
| Generate data | crawl, file, savedsearch, search |
| Filter and re-order | dedup, head, localize, regex, reverse, set, sort, tail, where |
| Transform and report | associate, chart, cluster, contingency, collect, correlate, diff, eventstats, format, highlight, makemv, mvcombine, mvexpand, nomv, overlap, rare, stats, strcat, timechart, top, transaction, typelearner, xmlunescape |
| Evaluate | abstract, addtotals, anomalousvalue, bucket, convert, eval, fields, fillnull, kmeans, outlier, rename, replace |
| Extract | addinfo, extract(kv), iplocation, multikv, rex, typer, xmlkv |
| Administrative actions | admin, audit, run |
Use data-generating commands to get data out of a Splunk index.
Filtering & Re-ordering commands don't change data within results. These commands allow you to filter a result set, and re-order how results appear.
Transforming & Reporting commands allow you to summarize large result sets, and create useful reports and statistics.
Evaluating commands evaluate each result, and change the fields or values of fields within each result.
Extracting commands add fields to results based on raw event data.
Administrative commands allow you to perform administrative functions.
Commands that support multi-value fieldsSome commands can process multi-value fields. Multi-value fields allow Splunk to recognize multiple values in a single field value string. Splunk parses multiple values from a field using regular expression delimiters you define in fields.conf (Learn how to configure multi-value fields).
The following commands support multi-value fields:
Conventions used in the search reference Syntax conventionscommand argument ... [argument] ...
- Commands are in bold.
- Any bolded (and not italicized) character in the command syntax is a required term for the expression.
- Required arguments are italicized (and can be bold).
- Optional arguments are in [brackets].
- " ... " means that many arguments can be inserted.
- Arguments are defined in a table.
| argument= | syntax and value(default value) | Description, and usage. |
- Default values are shown in parentheses ( ).
- Arguments that have a table of options associated with them are italicized and in bold (argument).
- " | " is used as a logical OR.
- T | F = True OR False.
Command examples that are applicable to Splunk Web are shown in a mock-up of a search bar.
foo | top fooField
Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.
./splunk search "foo | top fooField"
abstract
addinfo
addtotals
admin
anomalousvalue
associate
audit
bucket
chart
cluster
collect
contingency
convert
correlate
crawl
dedup
diff
eval
eventstats
extract/kv
fields
file
fillnull
format
head
highlight
iplocation
kmeans
localize
makemv
multikv
mvcombine
mvexpand
nomv
outlier
overlap
rare
regex
rename
replace
reverse
rex
run
savedsearch
search
set
sort
stats
strcat
tail
timechart
top
transaction
typelearner
where
xmlkv
xmlunescape
Comments
No comments have been submitted.