Splunk > CLI Commands
Accessing the Splunk CLI
Before diving into specific commands, here is how to reach the Splunk CLI. It is the splunk binary under $SPLUNK_HOME/bin (for example /opt/splunk/bin/splunk on Linux, or /opt/splunkforwarder/bin/splunk on a universal forwarder). Run it with its full path or add that directory to your PATH; the commands below assume it is on PATH. Commands that talk to a running instance need credentials: pass -auth <username>:<password>, or run splunk login once so the session is reused and the password stays out of your shell history.
Basic CLI Commands
1. Start Splunk:
splunk start
Initiates the Splunk instance if it's not running.
2. Stop Splunk:
splunk stop
Stops the running Splunk instance.
3. Restart Splunk:
splunk restart
Stops and then starts the Splunk instance.
4. Status Check:
splunk status
Displays the status of the Splunk instance, showing whether it's running or stopped.
Managing Splunk Apps and Configuration
5. List Apps:
splunk display app
Lists the installed apps and whether each one is enabled. An app is switched on or off with splunk enable app <app_name> and splunk disable app <app_name>.
6. Install App:
splunk install app <app_package_file>
Installs a Splunk app from its package file (add -update 1 to upgrade an app that is already installed). Install only packages you have vetted: an app's scripted inputs, custom search commands and setup scripts run with the privileges of the splunkd process.
7. Configure Settings:
splunk set <setting_name> <value>
Changes an instance-level setting, for example splunk set web-port 8443, splunk set servername <name>, splunk set default-hostname <host> or splunk set deploy-poll <host>:<port>. Read a value back with splunk show <setting_name>; most changes take effect after a restart. Data inputs are not configured with set but with the add/edit/remove commands further down.
Data Ingestion and Index Management
8. Add Data:
splunk add oneshot <file> -sourcetype <sourcetype> -index <index_name>
Indexes a file once (useful for a log you have collected by hand). Name the sourcetype and the target index explicitly; without them the data lands in the default index with an auto-detected sourcetype. For files that keep growing, use a monitor input (item 20) instead.
9. List Indexes:
splunk list index
Lists all the indexes configured in your Splunk instance.
10. Delete Index:
splunk clean eventdata -index <index_name>
Deletes all event data in the named index; the index definition itself stays (remove it with splunk remove index <index_name>). splunkd must be stopped before you run it, the command asks for confirmation, and there is no undo. Treat it as evidence destruction: never point it at _audit or _internal on a production instance unless a copy has been retained elsewhere.
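Because clean eventdata is irreversible and happily erases the audit trail if asked, it is worth wrapping. The POSIX sh script below is an added example, not code from the original article: it refuses internal indexes, rejects names that could smuggle extra arguments onto the splunk command line, insists that splunkd is stopped, demands that the operator retype the index name, and logs who did it. The install path (SPLUNK_HOME defaulting to /opt/splunk), the DRY_RUN switch and the function names are assumptions of this example; it also assumes that splunk status exits 0 only while splunkd is running.

```shell
#!/bin/sh
# guard_clean.sh: wrapper around "splunk clean eventdata" that refuses to wipe
# internal indexes, insists splunkd is stopped, and records who did it.
# Added example, not from the original article.
set -eu

SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"   # assumed install path
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print the command only

# Return 0 if the index may be cleaned, 1 otherwise. Internal indexes
# (_audit, _internal, ...) are the evidence trail, so they are refused outright;
# anything that is not a plain identifier is refused so the name cannot carry
# extra CLI arguments such as a second "-index".
guard_index_name() {
  idx="$1"
  case "$idx" in
    "" | _*) echo "refusing to clean internal or empty index '$idx'" >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$idx" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_-]*$'; then
    echo "invalid index name '$idx'" >&2; return 1
  fi
  return 0
}

# The exact command that would be run, so a dry run can be reviewed.
build_clean_cmd() {
  printf '%s clean eventdata -index %s -f\n' "$SPLUNK_BIN" "$1"
}

clean_index() {
  idx="$1"
  guard_index_name "$idx" || return 1
  # clean eventdata only works on a stopped instance; "splunk status" exits 0
  # while splunkd is running (assumption of this example).
  if [ "$DRY_RUN" = 0 ] && "$SPLUNK_BIN" status >/dev/null 2>&1; then
    echo "splunkd is running; run 'splunk stop' first" >&2
    return 1
  fi
  printf 'This permanently deletes every event in index %s on %s. Type the index name to confirm: ' \
    "$idx" "$(hostname)" >&2
  read -r confirm
  [ "$confirm" = "$idx" ] || { echo "aborted" >&2; return 1; }
  # Leave a trace in syslog of who wiped what; ignore hosts without logger.
  logger -t splunk-admin "clean eventdata index=$idx by $(id -un)" 2>/dev/null || true
  if [ "$DRY_RUN" = 1 ]; then
    build_clean_cmd "$idx"
  else
    "$SPLUNK_BIN" clean eventdata -index "$idx" -f
  fi
}

# Usage: DRY_RUN=1 sh guard_clean.sh web_logs   (prints the command it would run)
if [ $# -gt 0 ]; then
  clean_index "$1"
fi
```

The -f in the real command only skips Splunk's own prompt; the retyped index name in the wrapper is the confirmation that matters, and the syslog line gives incident responders a record that is independent of the instance that was just cleaned.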
Searching and Analyzing Data
11. Search Data:
splunk search "<search_query>"
Runs a search against the indexed data and prints the results. By default the CLI returns at most 100 events; add -maxout 0 to get all of them, and bound the time range with -earliest_time and -latest_time (for example -earliest_time -24h -latest_time now) so the search does not scan the whole index.
12. Save Search Results:
splunk search "<search_query>" -maxout 0 > <output_file>
Redirects the search output to a file on the machine where you ran the CLI. The file is created with your current umask, so tighten it (umask 077) before exporting anything sensitive.
13. Export Search Results to CSV:
splunk search "<search_query> | table <field_list>" -output csv -maxout 0 > <output_file.csv>
Exports search results as CSV. The table command is part of the search string, not a shell pipe, and -output csv tells the CLI to print CSV instead of raw events. The SPL outputcsv command is the alternative, but it writes the file on the search head under $SPLUNK_HOME/var/run/splunk/csv/, not into your current directory.
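Items 11 to 13 hide three things that bite in practice: the 100-event cap, credentials typed as -auth user:password (which end up in shell history and in ps output), and an export file readable by everyone on the host. The script below is an added example written for this page, not the article's own code: it relies on a prior splunk login for the session, lifts the cap, writes the CSV with a restrictive umask, and then post-processes the export with awk. The install path (SPLUNK_HOME defaulting to /opt/splunk), the function names and the sample CSV (constructed to look like the output of the stats search for splunkd errors) are assumptions of the example.

```shell
#!/bin/sh
# export_errors.sh: export a CLI search to CSV without the usual pitfalls
# (100-event cap, credentials in history, world-readable output) and
# summarise the result. Added example, not from the original article.
set -eu

SPLUNK_BIN="${SPLUNK_HOME:-/opt/splunk}/bin/splunk"   # assumed install path

# splunkd error counts by component over the export's time range.
ERROR_SPL='index=_internal sourcetype=splunkd log_level=ERROR | stats count by component | sort - count'

# Run a search and write its CSV output to $2. Authentication comes from an
# earlier "splunk login" (stored session), so no -auth user:pass is needed here.
export_search() {
  spl="$1"; out="$2"
  umask 077                                  # exports may contain sensitive events
  "$SPLUNK_BIN" search "$spl" -earliest_time "-24h" -latest_time now \
      -maxout 0 -output csv > "$out"         # -maxout 0 lifts the 100-event default
}

# Print the component with the highest count from an exported CSV whose
# header is "component,count" (what -output csv yields for ERROR_SPL).
top_component() {
  awk -F, 'NR > 1 && $2 + 0 > max { max = $2 + 0; top = $1 } END { print top }' "$1"
}

# Print the total error count across all components in the CSV.
total_errors() {
  awk -F, 'NR > 1 { s += $2 } END { print s + 0 }' "$1"
}

# Constructed sample of an export, so the helpers can be exercised offline.
SAMPLE_CSV="${TMPDIR:-/tmp}/splunk_errors_sample.csv"
printf '%s\n' 'component,count' 'TcpInputProc,42' 'IndexProcessor,7' 'HttpListener,3' > "$SAMPLE_CSV"

# Usage against a live instance, after "splunk login":
#   . ./export_errors.sh; export_search "$ERROR_SPL" errors.csv; top_component errors.csv
```

The same pattern (search string in a variable, -maxout 0, -output csv, umask before the redirect) works for any export; only ERROR_SPL and the awk column positions change.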
User and Role Management
14. List Users:
splunk list user
Lists all the users configured in your Splunk instance.
15. Create User:
splunk add user <username> -password <password> -role <role>
Creates a new user with the given password and role (add -full-name and -email if you want them filled in). The password is visible in your shell history and, briefly, in the process list, so run this from a script that prompts for it rather than typing it on an interactive command line, and give the least privileged role that does the job.
16. Assign Roles:
splunk edit user <username> -role <new_role>
Changes the role assigned to an existing user. Confirm the result with splunk list user.
Monitoring and Troubleshooting
17. View Logs:
tail -f $SPLUNK_HOME/var/log/splunk/splunkd.log
Splunk's own logs are plain files under $SPLUNK_HOME/var/log/splunk/ (splunkd.log, web_service.log, audit.log, metrics.log), and the same data is indexed into _internal and _audit, so index=_internal sourcetype=splunkd log_level=ERROR works from the search bar or from splunk search. To raise verbosity for one component while debugging, use splunk set log-level <category> -level DEBUG and set it back afterwards.
18. Configuration Check:
splunk btool check
Validates the .conf files for syntax errors, unknown stanzas and unknown attributes; it is a configuration check, not a general health check. splunk btool <conf> list --debug (for example splunk btool inputs list --debug) prints the merged, effective configuration together with the file each setting came from, which is the fastest way to find which app overrides a value.
19. List Data Inputs:
splunk list monitor
Lists the configured file and directory monitor inputs. Other input types have their own objects: splunk list tcp and splunk list udp for network inputs, splunk list exec for scripted inputs, and splunk list inputstatus for the current state of each monitored file.
20. Add Monitor Input:
splunk add monitor <path_to_file_or_directory> -sourcetype <sourcetype> -index <index_name>
Adds a file or directory to be tailed continuously and indexed, for example splunk add monitor /var/log/auth.log -sourcetype linux_secure -index os. Set the sourcetype and index explicitly so the events land where your role permissions and retention settings expect them.
21. Delete Data Input:
splunk remove monitor <path_to_file_or_directory>
Removes the monitor stanza for a file or directory. Events already indexed from it stay in the index.
22. Summary Indexing:
splunk search "<search_query> | collect index=<summary_index>"
Writes the results of a search into a summary index with the SPL collect command (addinfo and collect are search commands, so they belong inside the quoted search string, not on the CLI). In production, summary indexing is normally set up as a scheduled saved search with summary indexing enabled; the summary index must already exist and the user must be allowed to write to it.
Indexer and Forwarder Management
23. Indexer Clustering:
splunk list cluster-config
Lists this node's indexer-cluster settings (its mode, the manager it talks to, and the replication and search factors). Run it on a cluster manager or peer; on a standalone instance there is nothing to show.
24. Forwarder Management:
splunk list forward-server
splunk add forward-server <hostname>:<port>
splunk remove forward-server <hostname>:<port>
Manages the destinations a forwarder sends data to. These commands run on the forwarder, not on the indexer, and they edit outputs.conf: list shows the configured receivers and whether they are reachable, add registers a new indexer (the port is the one the indexer listens on for forwarded data, 9997 by default), and remove drops it. TLS for that connection is configured in the same outputs.conf, not by these commands.
User and Role Management
25. Change Password:
splunk edit user <username> -password <new_password>
Changes the password of an existing user. As with add user, the new password appears in your shell history, so run it from a script that prompts for the value instead of typing it interactively.
26. List Roles:
splunk btool authorize list
Roles are not a CLI object (there is no splunk list role, add role or edit role). They live in authorize.conf as [role_<name>] stanzas and are also managed in Settings > Access controls > Roles or through the authorization/roles REST endpoint. btool prints every role stanza merged across apps; add --debug to see which file each setting comes from.
27. Create Role:
$SPLUNK_HOME/etc/system/local/authorize.conf
Create a role by adding a [role_<name>] stanza to authorize.conf. The name used on the CLI and in the web UI is the part after role_, so a [role_soc_analyst] stanza is assigned with splunk add user <username> -password <password> -role soc_analyst.
28. Grant Capabilities:
<capability> = enabled
Inside the stanza, each capability is a key set to enabled (for example schedule_search = enabled), srchIndexesAllowed and srchIndexesDefault restrict which indexes the role may search, and importRoles pulls in another role's settings. Index access and capabilities are the union of the role's own settings and everything it imports, so a role meant to be restrictive should not import the built-in user role. Changes take effect after splunk restart.
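Since roles are configuration rather than CLI commands, here is what a least-privilege analyst role looks like on disk. This stanza is an added example, not from the original article: the role name soc_analyst and the index names security and os are assumptions, and comments sit on their own lines because Splunk .conf files do not support trailing comments after a value.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Added example for this page; role and index names are assumptions.
#
# Index access and capabilities are the union of a role's own settings and
# those of every role it imports, so this role imports nothing (the built-in
# user role may search every non-internal index) and grants only what an
# analyst needs. Everything not listed stays disabled.
[role_soc_analyst]
# Only these indexes; _audit and _internal stay out of reach.
srchIndexesAllowed = security;os
# Searched when the query carries no index= term.
srchIndexesDefault = security
# Concurrent searches per user in this role, and MB of saved results.
srchJobsQuota = 5
srchDiskQuota = 500
# Capabilities.
search = enabled
schedule_search = enabled
get_metadata = enabled
get_typeahead = enabled
change_own_password = enabled
# Deliberately absent: rtsearch, delete_by_keyword, edit_user, admin_all_objects.
```

Check the merged result with splunk btool authorize list role_soc_analyst --debug, restart, and then assign it: splunk add user alice -password <password> -role soc_analyst. If an analyst later needs real-time search or index deletion, add that single capability to this stanza rather than swapping in the power or admin role.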
Distributed Search and Indexer Clustering
29. Distributed Search Configuration:
splunk list search-server
splunk add search-server <hostname>:<port> -auth <admin>:<password> -remoteUsername <remote_user> -remotePassword <remote_password>
splunk remove search-server <hostname>:<port>
Manages the search peers of a search head. add needs your credentials on the search head (-auth) plus an admin account on the peer (-remoteUsername and -remotePassword) so the two can exchange trust material; the port is the peer's management port, 8089 by default. Prefer a dedicated account on the peer for this over the main admin login.
30. Start at Boot:
splunk enable boot-start -user splunk -systemd-managed 1
splunk disable boot-start
Enables or disables starting Splunk at boot time. This has nothing to do with indexer clustering; it writes the init or systemd unit, so it must be run as root. Always pass -user so splunkd runs as an unprivileged service account rather than root, and -systemd-managed 1 on systemd hosts so the unit is managed by systemd.
License and Deployment Information
31. License Information:
splunk list licenses
Lists the installed licenses and their quotas; splunk list licenser-messages shows current license warnings and violations.
32. Deployment Information:
splunk show deploy-poll
Shows the deployment server this instance polls as a deployment client. The target is set with splunk set deploy-poll <hostname>:<port>, where the port is the deployment server's management port (8089 by default).
Advanced Troubleshooting
33. Dump Configuration:
splunk btool <configuration_file> list --debug
Prints the effective, merged settings for a configuration file (for example splunk btool inputs list --debug or splunk btool server list --debug), with the path of the file each value comes from. btool reads the files on disk, so after editing a .conf file it shows the new value even before a restart has applied it.
34. Clear Indexed Data:
splunk clean eventdata -index <index_name> -f
Same as item 10, but -f skips the confirmation prompt, which makes it suitable for scripts and dangerous in an interactive shell. splunkd still has to be stopped first, and the deletion cannot be undone.
These additional Splunk CLI commands expand your capabilities for managing your Splunk instance, configuring data inputs, and performing more advanced administrative tasks. Whether you're responsible for maintaining your Splunk infrastructure or conducting complex data analysis, these commands are valuable tools in your toolkit.
Visit the official doc for more commands.
Conclusion
The Splunk CLI is a versatile and indispensable tool for Splunk administrators, analysts, and users alike. With these fundamental CLI commands at your disposal, you can efficiently manage your Splunk instance, ingest data, perform searches, and troubleshoot issues as they arise. As you become more proficient with Splunk, you'll discover a wide range of advanced CLI commands and options that can help you tailor your Splunk experience to your specific needs.
Author
Nadir Riyani is an accomplished and dynamic Lead with expertise in Splunk, the leading platform for operational intelligence, with a passion for technology and a deep understanding of data analysis and security. As a Lead in Splunk, Nadir is responsible for leading a team of skilled engineers, providing guidance and technical expertise to ensure the successful implementation of Splunk solutions. He possesses excellent problem-solving skills and a keen eye for identifying patterns and trends within large datasets. With a strong blend of technical expertise, organizational skills, and effective leadership, Nadir has consistently exceeded project expectations and driven positive outcomes for his clients and stakeholders.