<![CDATA[Generate a new splunk.secret (encryption key), and re-encrypt all configuration with the new key.]]> edit
<![CDATA[set Splunk to run when the operating system boots]]> <![CDATA[set Splunk to not run when the operating system boots]]>
<![CDATA[show the details of a specified conf file. (NOTE: this command will only work if the file exists in the location specified by $SPLUNK_HOME/etc/system/default/conf.conf)]]> list <![CDATA[show the port that Splunk Web listens on]]> list <![CDATA[set the port that Splunk Web listens on]]> edit server-settings <![CDATA[show the port that the Splunk daemon (splunkd) listens on]]> list <![CDATA[new port that splunkd should listen on]]> edit server-settings
<![CDATA[displays the port that the KV Store uses]]> list <![CDATA[sets the port that the KV Store uses]]> edit server-settings
<![CDATA[show the ports that the Splunk application server listens on]]> list <![CDATA[new port that Splunk application server should listen on]]> edit server-settings
<![CDATA[displays the port that the DFS uses]]> list <![CDATA[sets the port that the DFS uses]]> edit server-settings
<![CDATA[show the default host name used for all data inputs]]> list <![CDATA[new host name to use]]> edit server-settings <![CDATA[show the minimum free disk space threshold (if free space falls below this amount Splunk stops indexing data)]]> list <![CDATA[set the minimum free disk space threshold]]> edit server-settings <![CDATA[show the guid of the box]]> list <![CDATA[show FIPS mode status]]> list <![CDATA[show the servername used in a distributed search]]> list <![CDATA[set the servername used in a distributed search]]> edit server-settings <![CDATA[show which directory is used for Splunk's datastore]]> list <![CDATA[path to new datastore directory]]> edit server-settings
<![CDATA[Show current logging levels]]> list <![CDATA[Change the logging level of a Splunk component]]> edit
<![CDATA[make Splunk Web's HTTP port use SSL encryption]]> edit server-settings <![CDATA[make Splunk Web's HTTP port not to use SSL encryption]]> edit server-settings <![CDATA[set whether the Splunk server should be started]]> edit server-settings <![CDATA[set whether the Splunk server should be started]]> edit server-settings
<![CDATA[adds scripted inputs]]> <![CDATA[edits scripted inputs]]> {source} <![CDATA[list scripted inputs]]> <![CDATA[remove scripted inputs]]> {source} <![CDATA[reloads script input configuration, making immediately effective all "add/edit/remove exec" commands since last reload or Splunk restart]]> list
<![CDATA[reloads CRL information within Splunk by clearing internal state and reloading CRL info from the directory $SPLUNK_HOME/etc/auth/crl]]> list
<![CDATA[list all indexes on this server]]> {name} <![CDATA[adds index on this server]]> <![CDATA[edits index on this server]]> {name} <![CDATA[enables writing to an index]]> edit {name} <![CDATA[disables writing to an index]]> edit {name} <![CDATA[removes an index]]> {name} <![CDATA[reloads index configuration, making immediately effective all "add/edit/enable/disable index" commands since last reload or Splunk restart]]> list
<![CDATA[Enable Workload-Management on a Splunk Instance]]> edit <![CDATA[Disable Workload-Management on a Splunk Instance]]> edit <![CDATA[get the base dir name for splunk workload pools]]> list <![CDATA[set the base dir name for splunk workload pools]]> ]]> edit <![CDATA[Preflight checks of workload management.]]> list
<![CDATA[edits a workload-category]]> [-parameter ] ...]]> {category} <![CDATA[list all workload-category]]>
<![CDATA[adds a workload-pool]]> [-parameter ] ...]]> <![CDATA[removes a workload-pool]]> ]]> {pool_name} <![CDATA[edits a workload-pool]]> [-parameter ] ...]]> {pool_name} <![CDATA[list all workload-pool]]>
<![CDATA[adds a workload-rule]]> [-parameter ] ...]]> =. eg: role=admin, app=search AND (NOT index=_internal), runtime>10. Possible values of type are: app, role, user, index, runtime, search_type, search_mode, search_time_range]]> 20" -action abort -schedule "every_week" -start_time "10:00" -end_time "15:00" -every_week_days "0,4,6" -user_message "The search is aborted due to long runtime"]]> <![CDATA[removes a workload-rule]]> [-parameter ]]]> {rule_name} <![CDATA[edits a workload-rule]]> [-parameter ] ...]]> {rule_name} <![CDATA[list all workload-rule]]> ]]]> <![CDATA[enables a workload-rule]]> ]]> -workload_rule_type search_filter]]> edit {rule_name} <![CDATA[disables a workload-rule]]> ]]> -workload_rule_type search_filter]]> edit {rule_name}
<![CDATA[View status of workload management.]]> list
<![CDATA[list workload policy configurations]]> list
<![CDATA[Edit property under search admission control]]> ] ...]]> edit
{name} <![CDATA[List available cascading replication plans]]> list <![CDATA[View status of cascading plan]]> ]]> list <![CDATA[View status of knowledge bundle replication]]> list <![CDATA[View configuration of knowledge bundle replication]]> list <![CDATA[View configuration of remote output queue]]> list <![CDATA[View status of remote output queue]]> list <![CDATA[View configuration of remote input queue]]> list <![CDATA[View status of remote input queue]]> list <![CDATA[show the health report status of the Splunk instance.]]> ]]]> list
<![CDATA[List current Clustering configuration]]> list <![CDATA[edit current clustering configuration]]> ]]> Caution: Passing login credentials on the CLI is a security risk.]]> , -manual_detention on|off|on_ports_enabled]]>
<![CDATA[Adds another master to the list of instances a searchhead searches across]]> create <![CDATA[Edit a master currently in the list of instances a searchhead searches across]]> {old_master_uri} edit <![CDATA[Remove a master from the list of instances a searchhead searches across]]> {master_uri} remove <![CDATA[Display a list of instances this searchhead can search across]]> list
<![CDATA[Make validated bundle active on peers. In order to check the status of the bundle at the peers, use 'show cluster-bundle-status' at the master.]]> edit <![CDATA[Validates the cluster bundle, and optionally checks whether applying the bundle will initiate a peer restart. To check the status of the bundle validation, run 'show cluster-bundle-status' on the master.]]> edit <![CDATA[Rolls back cluster bundle to previously active bundle. To check the status of the bundle at the peers, use 'show cluster-bundle-status' at the master.]]> edit
<![CDATA[Perform data rebalance operations on an indexer cluster. Run this command from the master node.]]> edit
<![CDATA[Remove excess buckets in the cluster.]]> edit {name} <![CDATA[List excess buckets in the cluster.]]> list
<![CDATA[Sets the maintenance mode on peers in clustering. Must be invoked at the master. ]]> edit <![CDATA[Disables the maintenance mode on peers in clustering. Must be invoked at the master. ]]> edit <![CDATA[Displays if the maintenance mode is set on the master in clustering. Must be invoked at the master. ]]> list <![CDATA[View status of 'apply cluster-bundle' command.]]> list <![CDATA[View status of the cluster. Verbose mode adds health check for rolling upgrade among other things. Health Check: pre_flight_check_successful succeeds if all the checks below pass replication_factor_met there must be rf copies of data in the cluster search_factor_met there must be sf copies of data in the cluster all_data_is_searchable all data must be searchable all_peers_are_up all peers must be up cm_version_is_compatible cm version must > than the peers and <= 4 minor versions away if on the same major version no_fixup_tasks_in_progress there must be no fixup tasks in progress splunk_version_peer_count lists the number of peers on each version in the cluster More information in the online documentation for the corresponding REST endpoint: http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTcluster#cluster.2Fmaster.2Fhealth]]> list <![CDATA[List Cluster peers information]]> list <![CDATA[Initiate a phased restart of the nodes in an indexer cluster.]]> edit <![CDATA[Initiate the upgrade state in an indexer cluster.]]> edit <![CDATA[Finalize the upgrade state in an indexer cluster.]]> edit <![CDATA[Remove downed peers from the cluster master.]]> ] ...]]> edit
<![CDATA[Remove downed search heads from the cluster master.]]> [,...] [-parameter ] ...]]> edit
<![CDATA[Set the force indexing ready bit.]]> edit <![CDATA[List Cluster Master information]]> list <![CDATA[List the Cluster Master generation]]> list <![CDATA[List Cluster buckets information]]> list <![CDATA[List Cluster Slave or Peer information]]> list <![CDATA[List Cluster Slave bucket information]]> list
<![CDATA[ Bootstrap this node as the captain.]]> edit <![CDATA[ Transfer captaincy to a node from current captain.]]> edit
edit <![CDATA[ Recrypt the field with shcluster common encryption key.]]> edit <![CDATA[ Deploy the bundle to all the members in the search head cluster and restart them as needed.]]> edit <![CDATA[ list the status of app bundles in a search head cluster deployer.]]> list
<![CDATA[Initializes shclustering on this node after which the node waits for the first captain to be bootstrapped. ]]> edit <![CDATA[Disables shclustering on this node. ]]> edit <![CDATA[List current SEARCH HEAD CLUSTER configuration]]> list <![CDATA[edit current shclustering configuration on a bootstrapped node.]]> ]]> edit
<![CDATA[Sets the maintenance mode on members in shclustering. Must be invoked at the captain. ]]> edit <![CDATA[Disables the maintenance mode on peers in shclustering. Must be invoked at the master. ]]> edit <![CDATA[Displays if the maintenance mode is set on the master in shclustering. Must be invoked at the master. ]]> list <![CDATA[View status of the shcluster.]]> list
<![CDATA[Add the specified node to a search head cluster. Search head clustering should already be enabled on that node. ]]> edit <![CDATA[Remove the specified member if run on the captain or, if run on a non-captain member, remove that member from the search head cluster.]]> edit
<![CDATA[List SEARCH HEAD CLUSTER members information]]> list <![CDATA[Initiate a phased restart of the nodes in a search head cluster.]]> edit <![CDATA[Initiate the upgrade state in a search head cluster.]]> edit <![CDATA[Finalize the upgrade state in a search head cluster.]]> edit <![CDATA[Generate a new search head cluster common splunk.secret (encryption key), and re-encrypt all configuration with the new key. CAUTION: this command causes the members to be re-added to the search head cluster, and might cause scheduled searches to be unavailable until the process completes.]]> edit <![CDATA[Set the force indexing ready bit.]]> edit <![CDATA[List SEARCH HEAD CLUSTER Captain information]]> list <![CDATA[List SEARCH HEAD CLUSTER artifacts information]]> list <![CDATA[List search head cluster scheduler job information]]> list <![CDATA[List SEARCH HEAD CLUSTER MEMBER or Peer information]]> list <![CDATA[List SEARCH HEAD CLUSTER NODE SET (All nodes part of the configuration) ]]> list <![CDATA[List SEARCH HEAD CLUSTER MEMBER artifact information]]> list <![CDATA[Destructively resyncs this node to the latest replicated config on the captain.]]> edit <![CDATA[View status of the KV Store cluster.]]> list <![CDATA[Resynchronize KVStore cluster.]]> edit <![CDATA[Backup KVStore data to an archive file.]]> edit <![CDATA[Restore KVStore data from an archive file.]]> edit <![CDATA[Show KVStore data from an archive file.]]> list <![CDATA[Start KV store migration]]> edit <![CDATA[Stop KV store migration]]> edit <![CDATA[Sets the maintenance mode on kvstore.]]> edit <![CDATA[Disables the maintenance mode on kvstore.]]> edit <![CDATA[View status of KV store migration]]> list <![CDATA[Lists the status of the different splunk inputs.]]> ] ...]]>
<![CDATA[adds monitor directory and file inputs]]> ] ...]]> <![CDATA[list all active monitored directory and file inputs. Note: This displays files and directories currently or recently monitored by splunkd for change.]]> ] ...]]> <![CDATA[edits monitored directory inputs]]> {source} <![CDATA[remove monitored directory inputs]]> {source} <![CDATA[reloads monitor configuration, making immediately effective all "add/edit/remove monitor" commands since last reload or Splunk restart]]> list
<![CDATA[enable the specified app]]> edit <![CDATA[disable the specified app]]> edit <![CDATA[remove specified app name]]> {name} <![CDATA[install specified app name]]> create <![CDATA[display status information (enabled/disabled, visible/invisible, configured/not configured) about a specific app or all apps]]> {name} list
<![CDATA[adds TCP (network) inputs]]> ] ...]]> <![CDATA[edits TCP (network) inputs]]> ] ...]]> {source} <![CDATA[list all active TCP (network) inputs]]> <![CDATA[remove TCP (network) inputs]]> {source} <![CDATA[reloads TCP input configuration, making immediately effective all "add/edit/remove tcp" commands since last reload or Splunk restart]]> list
<![CDATA[Objects used to specify UDP network inputs.]]> <![CDATA[adds UDP (network) inputs]]> <![CDATA[edits UDP (network) inputs]]> ] ...]]> {source} <![CDATA[list all active UDP (network) inputs]]> <![CDATA[remove UDP (network) inputs]]> {source} <![CDATA[reloads UDP input configuration, making immediately effective all "add/edit/remove udp" commands since last reload or Splunk restart]]> list
<![CDATA[List current indexer discovery configuration]]> ]]> list <![CDATA[create a new indexer discovery configuration]]> - ]]> ]]> <![CDATA[edit current indexer discovery configuration]]> - ]]> ]]> {name} <![CDATA[delete an existing indexer discovery configuration]]> ]]> ]]> {name}
]... list forward-server]]>
<![CDATA[adds servers to forward data to; to set up SSL, you must provide at minimum the following parameters: client-cert, ssl-password, and ssl-root-ca-path]]> : where host and port are hostname or IP address of the indexing server and port that the indexer is listening on]]> <![CDATA[remove servers to forward data to]]> : where host and port are hostname or IP address of the indexing server and port that the indexer is listening on]]> {hostport} <![CDATA[list servers that this server forwards data to]]>
edit <![CDATA[Enable deployment server at the instance.]]> <![CDATA[Reload your deployment server, in entirety or by serverclass]]> ] [-timeout ]]]> edit <![CDATA[Disable deployment server at this instance]]> <![CDATA[Display the status of deployment server at this instance]]>
edit <![CDATA[Enable deployment client at the instance.]]> edit <![CDATA[Shows whether the deployment client is enabled or not]]>
edit <![CDATA[Sets deployment server to poll updates from]]> : where host and port are hostname or IP address of the deployment server to poll updates from.]]> <![CDATA[Shows which deployment server it is configured to poll from]]>
edit <![CDATA[Enables the search scheduler to run searches.]]> edit <![CDATA[Disables the search scheduler from running searches.]]>
list <![CDATA[Displays the search scheduler status.]]>
<![CDATA[Indexes the contents of a file once.]]> [-parameter ] ...]]> `
<![CDATA[GET FILE IN MAH BELLY]]> create
<![CDATA[close a port set to listen for Splunk forwarding protocol (splunktcp) data from Splunk forwarders]]> | ]]]> edit <![CDATA[open a port to listen for Splunk forwarding protocol (splunktcp) data from Splunk forwarders]]> | ]]]> edit <![CDATA[display the port to listen for Splunk forwarding protocol (splunktcp) from Splunk forwarders]]> | ]]]> <![CDATA[reloads TCP configuration, making immediately effective all "enable|disable listen" commands since last reload or Splunk restart]]> list
<![CDATA[adds a user]]> [-parameter ] ...]]> Caution: Passing login credentials on the CLI is a security risk.]]> <![CDATA[removes a user]]> ]]> <![CDATA[edits a user]]> [-parameter ] ...]]> <![CDATA[list all users known to Splunk]]>
<![CDATA[adds a role]]> [-parameter ] ...]]> <![CDATA[removes a role]]> ]]> <![CDATA[edits a role]]> [-parameter ]]]> <![CDATA[list all roles known to Splunk]]>
<![CDATA[Display all Active Directory monitoring settings]]> <![CDATA[Enable specified collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name} <![CDATA[reloads Windows AD input configuration, making immediately effective all "enable/disable ad" commands since last reload or Splunk restart]]> list
<![CDATA[Display Registry input settings]]> <![CDATA[Enable specified collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name} <![CDATA[reloads registry input configuration, making immediately effective all "add/edit/remove regmon" commands since last reload or Splunk restart]]> list
<![CDATA[Display all WMI Collections]]> <![CDATA[Enable specified collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name} <![CDATA[reloads Windows WMI input configuration, making immediately effective all "enable/disable wmi" commands since last reload or Splunk restart]]> list
<![CDATA[Display all EventLog Collections]]> <![CDATA[Enable specified collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name}
<![CDATA[Display the file tail]]> <![CDATA[Enable specified file tail]]> ]]> edit {name} <![CDATA[Disable specified file tail]]> ]]> edit {name}
<![CDATA[Windows network monitor inputs]]> <![CDATA[Enable specified Windows network monitor input]]> edit {name} <![CDATA[Disable specified Windows network monitor input]]> edit {name}
<![CDATA[Display all performance monitoring collections]]> <![CDATA[Enable specified collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name} <![CDATA[reloads Win Perfmon input configuration, making immediately effective all "enable/disable perfmon" commands since last reload or Splunk restart]]> list
<![CDATA[Display all Host monitoring collections]]> <![CDATA[Enable specified Windows Host collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name}
<![CDATA[Display all Print monitoring collections]]> <![CDATA[Enable specified collection]]> edit {name} <![CDATA[Disable specified collection]]> edit {name}
] edit saved-search [-parameter ] list saved-search remove saved-search Required Parameters: name (default) name of saved search to create terms search terms to be associated with this saved search Optional Parameters: alert make the search an alert (true|false, default=false) IF alert=true, "schedule" and "threshold" are required, and "email", "attach" or "script" options are required. end_time the latest time for the search fields a list of key-value pairs to annotate the events inserted into the summary index. format pairs as key:value and separate multiple entries with a semicolon summary_index the name of the summary index where to add the results of the scheduled search start_time the earliest time for the search ttl time-to-live (in seconds) for the artifacts of the scheduled search (IF optional parameter "alert" is set to true, then the following is REQUIRED) schedule specify when the alert is run using full cron format (IF optional parameter "alert" is set to true, then AT LEAST ONE of the following is REQUIRED) email comma-separated list of email addresses to send alerts to (true|false) default=false attach specify inclusion of search results in emails (true|false) default=false script script to execute upon alert (ex: $SPLUNK_HOME/bin/myScript) workload_pool specify the name of the workload-pool for the search to run in threshold the threshold to trigger the alert action [::] = num-events,num-sources,num-hosts = any integer Complete documentation is available online at: http://docs.splunk.com/Documentation ]]>
<![CDATA[lists all licenses across all stacks]]> <![CDATA[adds a license to the appropriate stack]]> <![CDATA[removes a license from a stack]]>
<![CDATA[lists all the current stacks]]>
<![CDATA[lists pools across all stacks]]> <![CDATA[adds a pool to a stack]]> -description -quota -slaves -stack_id ]]> <![CDATA[edits a pool within a stack]]> -description -quota -slaves ]]> <![CDATA[removes a pool within a stack]]> ]]>
<![CDATA[lists attributes of license slave]]>
<![CDATA[lists attributes of local license slave]]> <![CDATA[edits attributes of local license slave node]]> ://:]]>
<![CDATA[lists attributes of available licenser groups]]> <![CDATA[edits attributes of licenser groups]]> -is_active 1]]> {name}
<![CDATA[lists the alerts or warnings about your current licenser]]>
| ]... [-uri][-auth] app specify the app or namespace to run the command; for search, defaults to the Search app auth specify login credentials to execute commands that require you to be logged in owner specify the owner/user context associated with an object; if not specified, defaults to the currently logged in user uri execute a command on any specified Splunk server. Use the format: : Note: Both IPv4 and IPv6 formats are supported for specifying an IP address, for example: 127.0.0.1:80 or "[2001:db8::1]:80". By default, splunkd listens on IPv4 only. To enable IPv6 support, refer to the instructions in: http://docs.splunk.com/Documentation/Splunk/latest/Admin/ConfigureSplunkforIPv6 ]]>
]... Supported commands and objects: [command] [objects] add [exec|forward-server|index|licenser-pools|licenses|master|monitor|oneshot| saved-search|search-server|tcp|udp|user] anonymize source apply cluster-bundle clean [all|eventdata|globaldata|inputdata|userdata|kvstore|raft] cmd [btool|exporttool|importtool|locktest|locktool|parsetest|pcregextest|signtool|walklex] create app createssl NONE diag NONE disable [app|boot-start|deploy-client|deploy-server| dist-search|index|kvstore-maintenance-mode|listen|local-index|maintenance-mode|shcluster-maintenance-mode|webserver|web-ssl] display [app|boot-start|deploy-client|deploy-server| dist-search|index|jobs|listen|local-index] edit [app|cluster-config|shcluster-config|exec|index|licenser-localslave|licenses| licenser-groups|master|monitor|saved-search|search-server|tcp|udp|user] enable [app|boot-start|deploy-client|deploy-server|dist-search| index|kvstore-maintenance-mode|listen|local-index|maintenance-mode|shcluster-maintenance-mode|webserver|web-ssl] export [eventdata|userdata] find logs fsck [repair|scan|clear-bloomfilter] help NONE import userdata install app list [cluster-buckets|cluster-config|cluster-generation|cluster-peers|deploy-clients|excess-buckets| shcluster-artifacts|shcluster-config|shcluster-members| exec|forward-server|index|jobs|licenser-groups|licenser-localslave|licenser-messages| licenser-pools|licenser-slaves|licenser-stacks|licenses|master|master-info|monitor|peer-buckets|peer-info| saved-search|search-server|tcp|udp|user] login,logout NONE offline NONE package app rebalance cluster-data rebuild NONE refresh deploy-clients reload [ad|auth|deploy-server|index|listen|monitor|registry|script|tcp|udp|perfmon|wmi] remove [app|cluster-peers|excess-buckets|exec|forward-server|index|jobs|licenser-pools|licenses|master|monitor| saved-search|search-server|tcp|udp|user] rollback cluster-bundle rolling-restart cluster-peers|shcluster-members rotate splunk-secret|shcluster-splunk-secret rtsearch 
[app|batch|detach|earliest_time|header|id|max_time|maxout|output|preview|timeout| uri|wrap|workload_pool] search [app|batch|detach|earliest_time|header|id|index_earliest|index_latest|latest_time| max_time|maxout|output|preview|timeout|uri|wrap|workload_pool] set [datastore-dir|deploy-poll|default-hostname|default-index| minfreemb|servername|server-type|splunkd-port|web-port|kvstore-port] show [config|datastore-dir|deploy-poll|default-hostname|default-index| jobs|minfreemb|servername|splunkd-port|web-port|kvstore-port| kvstore-status] spool NONE start,stop,restart [splunkd|splunkweb] status [splunkd|splunkweb] check-integrity NONE generate-hash-files NONE validate [index|files|cluster-bundle] resync [kvstore|shcluster-replicated-config] backup [kvstore] restore [kvstore] merge-buckets [--index-name] ]]>
]... Syntax notation: * Plain text: indicate required arguments * [Text in brackets]: indicate optional arguments * Parameters always have a "-" with no space (Example: "-parameter" NOT "- parameter") * ... indicates that you can add multiple arguments]]>
|] ... edit index [-name |] ... list index export [eventdata|userdata] import userdata clean [all|eventdata|globaldata|userdata] [-f] [-index ] clean inputdata [] [-f] Parameters: (For add and edit index) name value name of the index (For clean ONLY) f forces skip of confirmation prompt (For clean eventdata ONLY) index name name of the index ]]>
] ... enable [listen|dist-search|local-index|deploy-client| deploy-server] [-parameter ] ... display [listen|dist-search|local-index|deploy-server] add [forward-server|search-server] server remove [forward-server|search-server] server list [deploy-clients|forward-server|search-server] reload deploy-server refresh deploy-clients set [deploy-poll] show [deploy-poll] Parameters: For a complete list of parameters, type "./splunk help [command|object]" to get a specific list. ]]>
] ... disable local-index [-parameter ] ... display local-index add [forward-server|search-server] server remove [forward-server|search-server] server list [forward-server|search-server] Parameters: For a complete list of parameters, type "./splunk help [command|object]" to get a specific list. ]]>
] ... edit [exec|monitor|tcp|udp] [source] [-parameter ] ... remove [monitor|tcp|udp] [source] list [monitor|tcp|udp] Required Parameter: source file, directory, scripted input, or socket to manage Optional Parameters: Type "./splunk help [command|object]" to view a complete list of parameters. ]]>
[parameters...]]]> <![CDATA[Run a command using Splunk's environment variables]]>
list [options] btool check [options]]]>
<![CDATA[This documents an internal command which is called automatically for Windows when you start Splunk. It does not apply to other platforms. It checks the splunkweb ssl settings for changed configurations to apply, generates certs, etc. These are typically done when you use "splunk start", but are not done if you start the service directly on Windows (from services.msc or command line).]]> <![CDATA[Manually roll hot buckets to warm in the specified index. Verifies that the index exists before continuing.]]> ]]> :]]> <![CDATA[Manually rebuild metadata in the specified index.]]> ]]> :]]> <![CDATA[Manually rebuild bucket manifests in the specified index.]]> ]]> :]]> <![CDATA[Manually rebuild bucket manifests and metadata in the specified index.]]> ]]> :]]>
| ] show [object][] Objects: (For set ONLY) server-type change modes of server configuration files (This is an ADVANCED setting and should not be changed without consulting Splunk Support first) (For show ONLY) config show the details of a specified conf file. (NOTE: this command will only work if the file exists in the location specified by $SPLUNK_HOME/etc/system/default/conf.conf) jobs show information for the specified asynchronous search (For both set and show) datastore-dir set or show which directory is used for Splunk's datastore deploy-poll enable the deployment client and set the deployment server uri to poll default-hostname set or show the default host name used for all data inputs default-index set the default search index(es) for a given role; show default search index(es) for the role this user belongs to (command is deprecated and may be removed in the future) minfreemb set or show the minimum free disk space threshold (if free space falls below this amount Splunk stops indexing data) servername set or show the servername used in a distributed search splunkd-port change the port that the Splunk daemon (splunkd) listens on web-port change the port that Splunk Web listens on kvstore-port change the port that the Splunk KV Store listens on appserver-ports change the ports that the Splunk application server listens on (These ports are only bound to the loopback interface. Typically only one port is specified in this list) Required Parameters: Note: Both IPv4 and IPv6 formats are supported for specifying an IP address, for example: 127.0.0.1:80 or "[2001:db8::1]:80". By default, splunkd listens on IPv4 only. 
To enable IPv6 support, refer to the instructions in: http://docs.splunk.com/Documentation/Splunk/latest/Admin/ConfigureSplunkforIPv6 (For set ONLY) datastore-dir path to new datastore directory deploy-poll uri deployment server ip:port to poll for deployment class updates default-hostname value new host name to use default-index value one or list of indexes; if multiple, delimit each value with a comma role specify a role (admin, power, user) that can view the default index minfreemb minspace new number of megabytes servername new distributed search name for the server splunkd-port new port that splunkd should listen on web-port new port that Splunk Web should listen on kvstore-port new port that Splunk KV Store should listen on appserver-ports new comma-separated list of ports that the Splunk application server should listen on (For show ONLY) jobs the job id for the asynchronous search name the name of the conf file, without the file extension ]]>
]... validate object [-parameter ] Objects: source the source that anonymize will perform action on (For validate ONLY) index index to check for correctness Optional Parameters: For a complete list of parameters, type "./splunk help [command|object]" to get a specific list. ]]>
[parameters...]]]>
] Note: Parameters that take Boolean values support {0, false, f, no} as negatives and {1, true, t, yes} positives. Objects: Search objects are enclosed in single quotes (' ') and can be keywords, expressions, or a series of search commands. Optional Parameters: app appname specify an app context to run the search batch true indicates how to handle updates in preview mode. Defaults to false. detach true triggers an asynchronous search and displays the job id and ttl for the search. header false indicates whether to display a header in the table output mode. max_time number the length of time in seconds that a search job runs before it is finalized. Defaults to 0, which means no time limit. maxout number the maximum number of events to return or send to stdout (when exporting events). Setting this to 0 means it will output an unlimited number of events. The max allowable value is 50k. Defaults to 100. output value indicates how to display the job. Choices are: rawdata, table, csv, raw, and auto. If not specified, defaults to rawdata for non-transforming searches and table for transforming searches. preview false indicates that reporting searches should be previewed. Defaults to true. timeout number the length of time in seconds that a search job is allowed to live after running. Defaults to 0, which means the job is cancelled immediately after it is run. wrap false indicates whether to line wrap for individual lines that are longer than the terminal width. Defaults to true. workload_pool value the name of the workload-pool for the search to run in. See what search language is available for use in the CLI by using these help commands: search-fields a full list of search fields search-modifiers a full list of search modifiers search-commands a full list of usable search commands Examples: ./splunk search '*' -detach true ./splunk search 'eventtype=webaccess error' -wrap 0 ./splunk search 'eventtype=webaccess error' -detach true ]]>
[-verbose] check-rawdata-format -index [-verbose] check-rawdata-format -allindexes [-verbose] Respectively, you can choose to check the rawdata format in a specific bucket, all buckets in an index, or all buckets in all indexes. Addendum: If you need more advanced bucket filtering and selection, please see: splunk cmd splunkd fsck ]]>
[-verbose] check-integrity -index [-verbose] ]]>
[-verbose] generate-hash-files -index [-verbose] ]]>
<![CDATA[enable distributed search]]> <![CDATA[disable distributed search]]> <![CDATA[display distributed search status]]>
of buckets in the index homePath. Use '0' to display all merged buckets found.]]>