The table below lists all of the search commands in alphabetical order. There is a short description of the command and links to related commands.
Desired to gain proficiency on Splunk? Explore the blog post on Splunk Training to become a pro in Splunk.
| Command | Description | Related commands |
|---|---|---|
abstract |
Produces a summary of each search result. | highlight |
accum |
Keeps a running total of the specified numeric field. | autoregress, delta, trendline, streamstats |
addcoltotals |
Computes an event that contains sum of all numeric fields for previous events. | addtotals, stats |
addinfo |
Add fields that contain common information about the current search. | search |
addtotals |
Computes the sum of all numeric fields for each result. | addcoltotals, stats |
analyzefields |
Analyze numerical fields for their ability to predict another discrete field. | anomalousvalue |
anomalies |
Computes an "unexpectedness" score for an event. | anomalousvalue, cluster, kmeans, outlier |
anomalousvalue |
Finds and summarizes irregular, or uncommon, search results. | analyzefields, anomalies, cluster, kmeans, outlier |
append |
Appends subsearch results to current results. | appendcols, appendcsv, appendlookup, join, set |
appendcols |
Appends the fields of the subsearch results to current results, first results to first result, second to second, etc. | append, appendcsv, join, set |
appendpipe |
Appends the result of the subpipeline applied to the current result set to results. | append, appendcols, join, set |
arules |
Finds association rules between field values. | associate, correlate |
associate |
Identifies correlations between fields. | correlate, contingency |
audit |
Returns audit trail information that is stored in the local audit index. | |
autoregress |
Sets up data for calculating the moving average. | accum, autoregress, delta, trendline, streamstats |
bin (bucket) |
Puts continuous numerical values into discrete sets. | chart, timechart |
bucketdir |
Replaces a field value with higher-level grouping, such as replacing filenames with directories. | cluster, dedup |
chart |
Returns results in a tabular output for charting. See also, Statistical and charting functions. | bin,sichart, timechart |
cluster |
Clusters similar events together. | anomalies, anomalousvalue, cluster, kmeans, outlier |
cofilter |
Finds how many times field1 and field2 values occurred together. | associate, correlate |
collect |
Puts search results into a summary index. | overlap |
concurrency |
Uses a duration field to find the number of "concurrent" events for each event. | timechart |
contingency |
Builds a contingency table for two fields. | associate, correlate |
convert |
Converts field values into numerical values. | eval |
correlate |
Calculates the correlation between different fields. | associate, contingency |
crawl |
Crawls the filesystem for new sources to index. | |
datamodel |
Examine data model or data model object and search a data model object. | pivot |
dbinspect |
Returns information about the specified index. | |
dedup |
Removes subsequent results that match a specified criteria. | uniq |
delete |
Delete specific events or search results. | |
delta |
Computes the difference in field value between nearby results. | accum, autoregress, trendline, streamstats |
diff |
Returns the difference between two search results. | |
erex |
Allows you to specify example or counter example values to automatically extract fields that have similar values. | extract, kvform, multikv, regex, rex, xmlkv |
eval |
Calculates an expression and puts the value into a field. See also, Evaluation functions. | where |
eventcount |
Returns the number of events in an index. | dbinspect |
eventstats |
Adds summary statistics to all search results. | stats |
extract (kv) |
Extracts field-value pairs from search results. | kvform, multikv, xmlkv, rex |
fieldformat |
Expresses how to render a field at output time without changing the underlying value. | eval, where |
fields |
Removes fields from search results. | |
fieldsummary |
Generates summary information for all or a subset of the fields. | analyzefields, anomalies, anomalousvalue, stats |
filldown |
Replaces NULL values with the last non-NULL value. | fillnull |
fillnull |
Replaces null values with a specified value. | |
findtypes |
Generates a list of suggested event types. | typer |
folderize |
Creates a higher-level grouping, such as replacing filenames with directories. | |
foreach |
Run a templatized streaming subsearch for each field in a wildcarded field list. | eval |
format |
Takes the results of a subsearch and formats them into a single result. | |
gauge |
Transforms results into a format suitable for display by the Gauge chart types. | |
gentimes |
Generates time-range results. | |
geostats |
Generate statistics which are clustered into geographical bins to be rendered on a world map. | stats, xyseries |
head |
Returns the first number n of specified results. | reverse, tail |
highlight |
Highlights the specified terms. | iconify |
history |
Returns a history of searches formatted as an events list or as a table. | search |
input |
Adds sources to Splunk or disables sources from being processed by Splunk. | |
inputcsv |
Loads search results from the specified CSV file. | loadjob, outputcsv |
inputlookup |
Loads search results from a specified static lookup table. | inputcsv, join, lookup, outputlookup |
iplocation |
Extracts location information from IP addresses. | |
join |
Combine the results of a subsearch with the results of a main search. | appendcols, lookup, selfjoin |
kmeans |
Performs k-means clustering on selected fields. | anomalies, anomalousvalue, cluster, outlier |
kvform |
Extracts values from search results, using a form template. | extract, kvform, multikv, xmlkv, rex |
loadjob |
Loads events or results of a previously completed search job. | inputcsv |
localize |
Returns a list of the time ranges in which the search results were found. | map, transaction |
localop |
Tells Splunk to run subsequent commands, that is all commands following this, locally and not on a remote peer(s). | |
lookup |
Explicitly invokes field value lookups. | |
makecontinuous |
Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart) | chart, timechart |
makemv |
Change a specified field into a multivalued field during a search. | mvcombine, mvexpand, nomv |
map |
A looping operator, performs a search over each search result. | |
metadata |
Returns a list of source, sourcetypes, or hosts from a specified index or distributed search peer. | dbinspect |
metasearch |
Retrieves event metadata from indexes based on terms in the logical expression. | metadata, search |
multikv |
Extracts field-values from table-formatted events. | |
multisearch |
Run multiple streaming searches at the same time. | append, join |
mvcombine |
Combines events in search results that have a single differing field value into one result with a multivalue field of the differing field. | mvexpand, makemv, nomv |
mvexpand |
Expands the values of a multivalue field into separate events for each value of the multivalue field. | mvcombine, makemv, nomv |
nomv |
Changes a specified multivalued field into a single-value field at search time. | makemv, mvcombine, mvexpand |
outlier |
Removes outlying numerical values. | anomalies, anomalousvalue, cluster, kmeans |
outputcsv |
Outputs search results to a specified CSV file. | inputcsv, outputtext |
outputlookup |
Writes search results to the specified static lookup table. | inputlookup, lookup, outputcsv,outputlookup |
outputtext |
Outputs the raw text field (_raw) of results into the _xml field. |
outputtext |
overlap |
Finds events in a summary index that overlap in time or have missed events. | collect |
pivot |
Run pivot searches against a particular data model object. | datamodel |
predict |
Enables you to use time series algorithms to predict future values of fields. | x11 |
rangemap |
Sets RANGE field to the name of the ranges that match. | |
rare |
Displays the least common values of a field. | sirare, stats, top |
regex |
Removes results that do not match the specified regular expression. | rex, search |
relevancy |
Calculates how well the event matches the query. | |
reltime |
Converts the difference between 'now' and '_time' to a human-readable value and adds adds this value to the field, 'reltime', in your search results. | convert |
rename |
Renames a specified field; wildcards can be used to specify multiple fields. | |
replace |
Replaces values of specified fields with a specified new value. | |
rest |
Access a REST endpoint and display the returned entities as search results. | |
return |
Specify the values to return from a subsearch. | format, search |
reverse |
Reverses the order of the results. | head, sort, tail |
rex |
Specify a Perl regular expression named groups to extract fields while you search. | extract, kvform, multikv, xmlkv, regex |
rtorder |
Buffers events from real-time search to emit them in ascending time order when possible. | |
savedsearch |
Returns the search results of a saved search. | |
script, run |
Runs an external Perl or Python script as part of your search. | |
scrub |
Anonymizes the search results. | |
search |
Searches Splunk Enterprise indexes for matching events. | |
searchtxn |
Finds transaction events within specified search constraints. | transaction |
selfjoin |
Joins results with itself. | join |
sendemail |
Emails search results to a specified email address. | |
set |
Performs set operations (union, diff, intersect) on subsearches. | append, appendcols, join, diff |
setfields |
Sets the field values for all results to a common value. | eval, fillnull, rename |
sichart |
Summary indexing version of chart. | chart, sitimechart, timechart |
sirare |
Summary indexing version of rare. | rare |
sistats |
Summary indexing version of stats. | stats |
sitimechart |
Summary indexing version of timechart. | chart, sichart, timechart |
sitop |
Summary indexing version of top. | top |
sort |
Sorts search results by the specified fields. | reverse |
spath |
Provides a straightforward means for extracting fields from structured data formats, XML and JSON. | xpath |
stats |
Provides statistics, grouped optionally by fields. See also, Statistical and charting functions. | eventstats, top, rare |
strcat |
Concatenates string values. | |
streamstats |
Adds summary statistics to all search results in a streaming manner. | eventstats, stats |
table |
Creates a table using the specified fields. | fields |
tags |
Annotates specified fields in your search results with tags. | eval |
tail |
Returns the last number n of specified results. | head, reverse |
timechart |
Create a time series chart and corresponding table of statistics. See also, Statistical and charting functions. | chart, bucket |
top |
Displays the most common values of a field. | rare, stats |
transaction |
Groups search results into transactions. | |
transpose |
Reformats rows of search results as columns. | |
trendline |
Computes moving averages of fields. | timechart |
tscollect |
Writes results into tsidx file(s) for later use bytstats command. | collect, stats, tstats |
tstats |
Calculates statistics over tsidx files created with the tscollect command. | stats, tscollect |
typeahead |
Returns typeahead information on a specified prefix. | |
typelearner |
Generates suggested eventtypes. | typer |
typer |
Calculates the eventtypes for the search results. | typelearner |
uniq |
Removes any search that is an exact duplicate with a previous result. | dedup |
untable |
Converts results from a tabular format to a format similar to stats output. Inverse ofxyseries and maketable. |
|
where |
Performs arbitrary filtering on your data. See also, Evaluations functions. | eval |
x11 |
Enables you to determine the trend in your data by removing the seasonal pattern. | predict |
xmlkv |
Extracts XML key-value pairs. | extract, kvform, multikv, rex |
xmlunescape |
Unescapes XML. | |
xpath |
Redefines the XML path. | |
xyseries |
Converts results into a format suitable for graphing. |
For an Indepth knowledge on Splunk, click on below
You liked the article?
Like: 0
Vote for difficulty
Current difficulty (Avg): Medium
TekSlate is the best online training provider in delivering world-class IT skills to individuals and corporates from all parts of the globe. We are proven experts in accumulating every need of an IT skills upgrade aspirant and have delivered excellent services. We aim to bring you all the essentials to learn and master new technologies in the market with our articles, blogs, and videos. Build your career success with us, enhancing most in-demand skills in the market.
