List of Splunk Commands

Splunk Commands

The table below lists all of the search commands in alphabetical order. There is a short description of the command and links to related commands.

Desired to gain proficiency on Splunk? Explore the blog post on Splunk Training and Placement to become a pro in Splunk.

Command	Description	Related commands
abstract	Produces a summary of each search result.	highlight
accum	Keeps a running total of the specified numeric field.	autoregress, delta, trendline, streamstats
addcoltotals	Computes an event that contains sum of all numeric fields for previous events.	addtotals, stats
addinfo	Add fields that contain common information about the current search.	search
addtotals	Computes the sum of all numeric fields for each result.	addcoltotals, stats
analyzefields	Analyze numerical fields for their ability to predict another discrete field.	anomalousvalue
anomalies	Computes an "unexpectedness" score for an event.	anomalousvalue, cluster, kmeans, outlier
anomalousvalue	Finds and summarizes irregular, or uncommon, search results.	analyzefields, anomalies, cluster, kmeans, outlier
append	Appends subsearch results to current results.	appendcols, appendcsv, appendlookup, join, set
appendcols	Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.	append, appendcsv, join, set
appendpipe	Appends the result of the subpipeline applied to the current result set to results.	append, appendcols, join, set
arules	Finds association rules between field values.	associate, correlate
associate	Identifies correlations between fields.	correlate, contingency
audit	Returns audit trail information that is stored in the local audit index.
autoregress	Sets up data for calculating the moving average.	accum, autoregress, delta, trendline, streamstats
bin (bucket)	Puts continuous numerical values into discrete sets.	chart, timechart
bucketdir	Replaces a field value with higher-level grouping, such as replacing filenames with directories.	cluster, dedup
chart	Returns results in a tabular output for charting. See also, Statistical and charting functions.	bin,sichart, timechart
cluster	Clusters similar events together.	anomalies, anomalousvalue, cluster, kmeans, outlier
cofilter	Finds how many times field1 and field2 values occurred together.	associate, correlate
collect	Puts search results into a summary index.	overlap
concurrency	Uses a duration field to find the number of "concurrent" events for each event.	timechart
contingency	Builds a contingency table for two fields.	associate, correlate
convert	Converts field values into numerical values.	eval
correlate	Calculates the correlation between different fields.	associate, contingency
crawl	Crawls the filesystem for new sources to index.
datamodel	Examine data model or data model object and search a data model object.	pivot
dbinspect	Returns information about the specified index.
dedup	Removes subsequent results that match a specified criteria.	uniq
delete	Delete specific events or search results.
delta	Computes the difference in field value between nearby results.	accum, autoregress, trendline, streamstats
diff	Returns the difference between two search results.
erex	Allows you to specify example or counter example values to automatically extract fields that have similar values.	extract, kvform, multikv, regex, rex, xmlkv
eval	Calculates an expression and puts the value into a field. See also, Evaluation functions.	where
eventcount	Returns the number of events in an index.	dbinspect
eventstats	Adds summary statistics to all search results.	stats
extract (kv)	Extracts field-value pairs from search results.	kvform, multikv, xmlkv, rex
fieldformat	Expresses how to render a field at output time without changing the underlying value.	eval, where
fields	Removes fields from search results.
fieldsummary	Generates summary information for all or a subset of the fields.	analyzefields, anomalies, anomalousvalue, stats
filldown	Replaces NULL values with the last non-NULL value.	fillnull
fillnull	Replaces null values with a specified value.
findtypes	Generates a list of suggested event types.	typer
folderize	Creates a higher-level grouping, such as replacing filenames with directories.
foreach	Run a templatized streaming subsearch for each field in a wildcarded field list.	eval
format	Takes the results of a subsearch and formats them into a single result.
gauge	Transforms results into a format suitable for display by the Gauge chart types.
gentimes	Generates time-range results.
geostats	Generate statistics which are clustered into geographical bins to be rendered on a world map.	stats, xyseries
head	Returns the first number n of specified results.	reverse, tail
highlight	Highlights the specified terms.	iconify
history	Returns a history of searches formatted as an events list or as a table.	search
input	Adds sources to Splunk or disables sources from being processed by Splunk.
inputcsv	Loads search results from the specified CSV file.	loadjob, outputcsv
inputlookup	Loads search results from a specified static lookup table.	inputcsv, join, lookup, outputlookup
iplocation	Extracts location information from IP addresses.
join	Combine the results of a subsearch with the results of a main search.	appendcols, lookup, selfjoin
kmeans	Performs k-means clustering on selected fields.	anomalies, anomalousvalue, cluster, outlier
kvform	Extracts values from search results, using a form template.	extract, kvform, multikv, xmlkv, rex
loadjob	Loads events or results of a previously completed search job.	inputcsv
localize	Returns a list of the time ranges in which the search results were found.	map, transaction
localop	Tells Splunk to run subsequent commands, that is all commands following this, locally and not on a remote peer(s).
lookup	Explicitly invokes field value lookups.
makecontinuous	Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart)	chart, timechart
makemv	Change a specified field into a multivalued field during a search.	mvcombine, mvexpand, nomv
map	A looping operator, performs a search over each search result.
metadata	Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer.	dbinspect
metasearch	Retrieves event metadata from indexes based on terms in the logical expression.	metadata, search
multikv	Extracts field-values from table-formatted events.
multisearch	Run multiple streaming searches at the same time.	append, join
mvcombine	Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field.	mvexpand, makemv, nomv
mvexpand	Expands the values of a multivalue field into separate events for each value of the multivalue field.	mvcombine, makemv, nomv
nomv	Changes a specified multivalued field into a single-value field at search time.	makemv, mvcombine, mvexpand
outlier	Removes outlying numerical values.	anomalies, anomalousvalue, cluster, kmeans
outputcsv	Outputs search results to a specified CSV file.	inputcsv, outputtext
outputlookup	Writes search results to the specified static lookup table.	inputlookup, lookup, outputcsv,outputlookup
outputtext	Outputs the raw text field (_raw) of results into the _xml field.	outputtext
overlap	Finds events in a summary index that overlap in time or have missed events.	collect
pivot	Run pivot searches against a particular data model object.	datamodel
predict	Enables you to use time series algorithms to predict future values of fields.	x11
rangemap	Sets RANGE field to the name of the ranges that match.
rare	Displays the least common values of a field.	sirare, stats, top
regex	Removes results that do not match the specified regular expression.	rex, search
relevancy	Calculates how well the event matches the query.
reltime	Converts the difference between 'now' and '_time' to a human-readable value and adds adds this value to the field, 'reltime', in your search results.	convert
rename	Renames a specified field; wildcards can be used to specify multiple fields.
replace	Replaces values of specified fields with a specified new value.
rest	Access a REST endpoint and display the returned entities as search results.
return	Specify the values to return from a subsearch.	format, search
reverse	Reverses the order of the results.	head, sort, tail
rex	Specify a Perl regular expression named groups to extract fields while you search.	extract, kvform, multikv, xmlkv, regex
rtorder	Buffers events from real-time search to emit them in ascending time order when possible.
savedsearch	Returns the search results of a saved search.
script, run	Runs an external Perl or Python script as part of your search.
scrub	Anonymizes the search results.
search	Searches Splunk Enterprise indexes for matching events.
searchtxn	Finds transaction events within specified search constraints.	transaction
selfjoin	Joins results with itself.	join
sendemail	Emails search results to a specified email address.
set	Performs set operations (union, diff, intersect) on subsearches.	append, appendcols, join, diff
setfields	Sets the field values for all results to a common value.	eval, fillnull, rename
sichart	Summary indexing version of chart.	chart, sitimechart, timechart
sirare	Summary indexing version of rare.	rare
sistats	Summary indexing version of stats.	stats
sitimechart	Summary indexing version of timechart.	chart, sichart, timechart
sitop	Summary indexing version of top.	top
sort	Sorts search results by the specified fields.	reverse
spath	Provides a straightforward means for extracting fields from structured data formats, XML and JSON.	xpath
stats	Provides statistics, grouped optionally by fields. See also, Statistical and charting functions.	eventstats, top, rare
strcat	Concatenates string values.
streamstats	Adds summary statistics to all search results in a streaming manner.	eventstats, stats
table	Creates a table using the specified fields.	fields
tags	Annotates specified fields in your search results with tags.	eval
tail	Returns the last number n of specified results.	head, reverse
timechart	Create a time series chart and corresponding table of statistics. See also, Statistical and charting functions.	chart, bucket
top	Displays the most common values of a field.	rare, stats
transaction	Groups search results into transactions.
transpose	Reformats rows of search results as columns.
trendline	Computes moving averages of fields.	timechart
tscollect	Writes results into tsidx file(s) for later use bytstats command.	collect, stats, tstats
tstats	Calculates statistics over tsidx files created with the tscollect command.	stats, tscollect
typeahead	Returns typeahead information on a specified prefix.
typelearner	Generates suggested eventtypes.	typer
typer	Calculates the eventtypes for the search results.	typelearner
uniq	Removes any search that is an exact duplicate with a previous result.	dedup
untable	Converts results from a tabular format to a format similar to stats output. Inverse ofxyseries and maketable.
where	Performs arbitrary filtering on your data. See also, Evaluations functions.	eval
x11	Enables you to determine the trend in your data by removing the seasonal pattern.	predict
xmlkv	Extracts XML key-value pairs.	extract, kvform, multikv, rex
xmlunescape	Unescapes XML.
xpath	Redefines the XML path.
xyseries	Converts results into a format suitable for graphing.

For an Indepth knowledge on Splunk, click on below

• Splunk Tutorials
• Splunk Extract Fields
• Splunk Timechart
• Splunk Forwarder
• Splunk lookup
• Splunk Interview Questions