This topic discusses the administrative CLI commands, which are the commands used to manage or configure your Splunk server and distributed deployment.
For information about accessing the CLI and what is covered in the CLI help, see the previous topic, Get help with the CLI. If you're looking for details about how to run searches from the CLI, see About CLI searches in the Search Reference.
Your Splunk role configuration dictates what actions (commands) you can execute. Most actions require you to have Splunk admin privileges. Read more about setting up and managing Splunk users and roles in the About users and roles topic in the Admin Manual.
A command is an action that you can perform. An object is something you perform an action on.
Most administrative CLI commands are offered as an alternative interface to the Splunk Enterprise REST API without the need for the curl command. If you're looking for additional uses or options for a CLI command object, review the REST API Reference Manual and search for the object name.
add
  monitor: Monitors /var/log.
    ./splunk add monitor /var/log/
  cluster-manager:
    ./splunk add cluster-manager https://127.0.0.1:8089 -secret testsecret -multisite false

anonymize
  file: Anonymizes /tmp/messages.
    ./splunk anonymize file -source /tmp/messages
  file: Anonymizes /tmp/messages using Mynames.txt as the name-terms file, a file containing a list of common English personal names.
    ./splunk anonymize file -source /tmp/messages -name_terms $SPLUNK_HOME/bin/Mynames.txt

apply
  cluster-bundle:
    ./splunk apply cluster-bundle
    ./splunk apply cluster-bundle --skip-validation
  shcluster-bundle: For shcluster-bundle examples, see Deploy a configuration bundle in the Distributed Search manual.

check-integrity
  index: Checks the integrity of an index; the verbose flag is optional.
    ./splunk check-integrity -index $SPLUNK_HOME/var/lib/splunk/defaultdb/ [-verbose]
  bucketPath: Checks the integrity of a single bucket path; the verbose flag is optional.
    ./splunk check-integrity -bucketPath $SPLUNK_HOME/var/lib/splunk/defaultdb/db/ [-verbose]

clean
  eventdata: eventdata refers to exported events indexed as raw log files.
    ./splunk clean eventdata
  globaldata: globaldata refers to host tags and source type aliases.
    ./splunk clean globaldata

cluster-manager-redundancy
    ./splunk cluster-manager-redundancy -show-status
    ./splunk cluster-manager-redundancy -switch-mode active
    ./splunk cluster-manager-redundancy -switch-mode standby

cmd
  Runs /bin/ls from the $SPLUNK_HOME/bin directory.
    ./splunk cmd /bin/ls
  Runs locktest from the $SPLUNK_HOME/bin directory with the environment variables set. Run splunk envvars to see which environment variables are set.
    ./splunk cmd locktest

create
  app:
    ./splunk create app myNewApp -template sample_app

disable
  maintenance-mode:
    ./splunk disable maintenance-mode
  eventlog:
    ./splunk disable eventlog logs1

display
  app:
    ./splunk display app
    ./splunk display app unix

edit
  cluster-config:
    ./splunk edit cluster-config -mode peer -site site2
  monitor: Edits the monitor input for /var/log and only reads from the end of this file.
    ./splunk edit monitor /var/log -follow-only true

enable
  maintenance-mode:
    ./splunk enable maintenance-mode
  perfmon: Enables the col1 collection.
    ./splunk enable perfmon col1

export
  eventdata: Exports event data to /tmp/apache_raw_404_logs.
    ./splunk export eventdata -index my_apache_data -dir /tmp/apache_raw_404_logs -host localhost -terms "404 html"

import
  userdata: Imports user data from /tmp/export.dat.
    ./splunk import userdata -dir /tmp/export.dat

install
  app:
    ./splunk install app foo.tar
    ./splunk install app foo.tgz

list
  monitor:
    ./splunk list monitor
  licenses:
    ./splunk list licenses

migrate
  kvstore-storage-engine:
    ./splunk migrate kvstore-storage-engine --target-engine wiredTiger

offline
    ./splunk offline
  If the --enforce-counts flag is used, the cluster is completely fixed up before this peer is taken down.
    ./splunk offline --enforce-counts

package
  app:
    ./splunk package app stubby
  The package command includes local.meta by default. However, if your app package contains local.meta, it will fail AppInspect app validation. To avoid AppInspect failure, use either the -merge-local-meta or the -exclude-local-meta flag.
    ./splunk package app stubby -merge-local-meta true
    ./splunk package app stubby -exclude-local-meta true

rebalance
  cluster-data:
    ./splunk rebalance cluster-data -action start
  Rebalances data for a single index using the -index parameter.
    ./splunk rebalance cluster-data -action start -index _internal
  Uses the -max_runtime parameter to limit the rebalancing activity to 5 minutes.
    ./splunk rebalance cluster-data -action start -max_runtime 5

reload
  deploy-server:
    ./splunk reload deploy-server
    ./splunk reload deploy-server -class my_serverclass
  index:
    ./splunk reload index [index_name]

remove
  cluster-manager:
    ./splunk remove cluster-manager https://127.0.0.1:8089 -secret testsecret
  app:
    ./splunk remove app unix

rollback
  cluster-bundle:
    ./splunk rollback cluster-bundle

rtsearch
    ./splunk rtsearch 'error' -wrap false
  Use rtsearch exactly as you use the traditional search command.
    ./splunk rtsearch 'eventtype=webaccess error | top clientip'

search
    ./splunk search '*' -detach true
  Uses eventtype=webaccess error as the search object. Does not line wrap individual lines that are longer than the terminal width.
    ./splunk search 'eventtype=webaccess error' -wrap 0

set
  indexing-ready:
    ./splunk set indexing-ready
  deploy-poll: Sets bologna:1234 as the deployment server to poll updates from.
    ./splunk set deploy-poll bologna:1234

show
  log-level:
    ./splunk show log-level
  deploy-poll:
    ./splunk show deploy-poll

start-shcluster-migration
  kvstore:
    ./splunk start-shcluster-migration kvstore -storageEngine wiredTiger
    ./splunk start-shcluster-migration kvstore -storageEngine wiredTiger -isDryRun

validate
  index: Validates indexes.conf for the main index.
    ./splunk validate index main
  files: For files examples, see Check the integrity of your Splunk software files.
  cluster-bundle: For cluster-bundle examples, see Update common peer configurations and apps in the Managing Indexers and Clusters of Indexers manual.

You can use the CLI to export large numbers of search results. For information about how to export search results with the CLI, as well as information about the other export methods offered by Splunk Enterprise, see Export search results in the Search Manual.
The Splunk CLI also includes tools that help with troubleshooting. Invoke these tools using the CLI command cmd: