Administrative CLI commands - Splunk Documentation (2024)

This topic discusses the administrative CLI commands, which are the commands used to manage or configure your Splunk server and distributed deployment.

For information about accessing the CLI and what is covered in the CLI help, see the previous topic, Get help with the CLI. If you're looking for details about how to run searches from the CLI, see About CLI searches in the Search Reference.

Your Splunk role configuration dictates what actions (commands) you can execute. Most actions require you to have Splunk admin privileges. Read more about setting up and managing Splunk users and roles in the About users and roles topic in the Admin Manual.

A command is an action that you can perform. An object is something you perform an action on.

Most administrative CLI commands are offered as an alternative interface to the Splunk Enterprise REST API without the need for the curl command. If you're looking for additional uses or options for a CLI command object, review the REST API Reference Manual and search for the object name.

Command: add
Objects: exec, forward-server, index, licenser-pools, licenses, manager, monitor, oneshot, saved-search, search-server, tcp, udp, user
Examples:
1. Adds monitor directory and file inputs for the source /var/log.

./splunk add monitor /var/log/

2. Adds another indexer cluster manager node to the list of instances the search head searches across.

./splunk add cluster-manager https://127.0.0.1:8089 -secret testsecret -multisite false

Command: anonymize
Objects: source
Examples:
1. Replaces identifying data, such as usernames and IP addresses, in the file located at /tmp/messages.

./splunk anonymize file -source /tmp/messages

2. Anonymizes /tmp/messages using Mynames.txt as the name-terms file, a list of common English personal names.

./splunk anonymize file -source /tmp/messages -name_terms $SPLUNK_HOME/bin/Mynames.txt

Command: apply
Objects: cluster-bundle, shcluster-bundle
Examples:
1. Makes the validated bundle active on the peers.

./splunk apply cluster-bundle

2. The optional --skip-validation argument skips bundle validation on the indexer cluster manager and peers.

./splunk apply cluster-bundle --skip-validation

3. For shcluster-bundle examples, see Deploy a configuration bundle in the Distributed Search manual.

Command: check-integrity
Objects: NONE
Examples:
1. Verifies the integrity of an index, with the optional -verbose parameter.

./splunk check-integrity -index $SPLUNK_HOME/var/lib/splunk/defaultdb/ [-verbose]

2. Verifies the integrity of a bucket, with the optional -verbose parameter.

./splunk check-integrity -bucketPath $SPLUNK_HOME/var/lib/splunk/defaultdb/db/ [-verbose]

Command: clean
Objects: all, eventdata, globaldata, inputdata, userdata, kvstore
Examples:
1. Removes data from the Splunk installation. eventdata refers to exported events indexed as raw log files.

./splunk clean eventdata

2. globaldata refers to host tags and source type aliases.

./splunk clean globaldata

Command: cluster-manager-redundancy
Objects: NONE
Examples:
1. Shows the status of all cluster managers in redundancy mode.

./splunk cluster-manager-redundancy -show-status

2. Switches the HA mode of a cluster manager from standby to active.

./splunk cluster-manager-redundancy -switch-mode active

3. Switches the HA mode of a cluster manager from active to standby. Consequently, another cluster manager that is currently standby is switched to active automatically.

./splunk cluster-manager-redundancy -switch-mode standby

Command: cmd
Objects: btprobe, classify, locktest, locktool, pcregextest, searchtest, signtool, toCsv, toSrs, tsidxprobe, walklex
Examples:
1. Displays the contents of the $SPLUNK_HOME/bin directory.

./splunk cmd /bin/ls

2. Runs the chosen command from the $SPLUNK_HOME/bin directory with the Splunk environment variables set. Run splunk envvars to see which environment variables are set.

./splunk cmd locktest

Command: create
Objects: app
Examples:
1. Builds myNewApp from a template.

./splunk create app myNewApp -template sample_app

Command: createssl
Objects: NONE

Command: diag
Objects: NONE

Command: disable
Objects: app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi
Examples:
1. Disables maintenance mode on the peers in indexer clustering. Must be invoked on the manager node.

./splunk disable maintenance-mode

2. Disables the logs1 collection.

./splunk disable eventlog logs1

Command: display
Objects: app, boot-start, deploy-client, deploy-server, dist-search, jobs, listen, local-index
Examples:
1. Displays status information, such as enabled/disabled, for all apps.

./splunk display app

2. Displays status information for the unix app.

./splunk display app unix

Command: edit
Objects: app, cluster-config, shcluster-config, exec, index, licenser-localpeer, licenser-groups, monitor, saved-search, search-server, tcp, udp, user
Examples:
1. Edits the current clustering configuration.

./splunk edit cluster-config -mode peer -site site2

2. Edits the monitored directory input for /var/log so that it reads only from the end of the files (follow-only).

./splunk edit monitor /var/log -follow-only true

Command: enable
Objects: app, boot-start, deploy-client, deploy-server, dist-search, index, listen, local-index, maintenance-mode, perfmon, webserver, web-ssl, wmi
Examples:
1. Sets maintenance mode on the peers in indexer clustering. Must be invoked on the manager node.

./splunk enable maintenance-mode

2. Enables the col1 collection.

./splunk enable perfmon col1

Command: export
Objects: eventdata, userdata
Examples:
1. Exports data from your Splunk server into /tmp/apache_raw_404_logs.

./splunk export eventdata -index my_apache_data -dir /tmp/apache_raw_404_logs -host localhost -terms "404 html"

Command: fsck
Objects: repair, scan, clear-bloomfilter

Command: help
Objects: NONE

Command: import
Objects: userdata
Examples:
1. Imports user account data from the directory /tmp/export.dat.

./splunk import userdata -dir /tmp/export.dat

Command: install
Objects: app
Examples:
1. Installs the app from foo.tar on the local Splunk server.

./splunk install app foo.tar

2. Installs the app from foo.tgz on the local Splunk server.

./splunk install app foo.tgz

Command: list
Objects: cluster-buckets, cluster-config, cluster-generation, cluster-peers, deploy-clients, excess-buckets, exec, forward-server, index, inputstatus, licenser-groups, licenser-localpeer, licenser-messages, licenser-pools, licenser-peers, licenser-stacks, licenses, jobs, manager-info, monitor, peer-info, peer-buckets, perfmon, saved-search, search-server, tcp, udp, user, wmi
Examples:
1. Lists all active monitored directory and file inputs. This displays the files and directories currently or recently monitored by splunkd for changes.

./splunk list monitor

2. Lists all licenses across all stacks.

./splunk list licenses

Command: login, logout
Objects: NONE

Command: migrate
Objects: kvstore-storage-engine
Examples:
1. Migrates the KV store to the target storage engine.

./splunk migrate kvstore-storage-engine --target-engine wiredTiger

Command: offline
Objects: NONE
Examples:
1. Shuts down the peer in a way that does not affect existing searches. The manager node rearranges the primary peers for buckets and, if the --enforce-counts flag is set, fixes up the cluster state.

./splunk offline

2. Because the --enforce-counts flag is used, the cluster is completely fixed up before this peer is taken down.

./splunk offline --enforce-counts

Command: package
Objects: app
Examples:
1. Packages the app "stubby" and returns the package location.

./splunk package app stubby

The package command includes local.meta by default. However, if your app package contains local.meta, it fails AppInspect app validation. To avoid the AppInspect failure, use either the -merge-local-meta or the -exclude-local-meta flag.

2. When packaging the app, merges local.meta into default.meta and packages the resulting default.meta.

./splunk package app stubby -merge-local-meta true

3. When packaging the app, excludes local.meta from the app package.

./splunk package app stubby -exclude-local-meta true
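The AppInspect caveat above is easy to miss when packaging is scripted, so the following is an added pre-submission check (example code written for this page, not from the Splunk documentation or Splunk's own tooling). It lists the members of a packaged app archive and fails if metadata/local.meta is still inside, pointing back at the -merge-local-meta and -exclude-local-meta flags described above. It assumes the standard Splunk app layout <app>/metadata/local.meta; the sample archives it builds are constructed for the demonstration and are not real apps. It goes slightly beyond the page's .tgz case by accepting both gzip-compressed and plain .tar packages, since the install command above accepts both.

```shell
#!/bin/sh
# Added example, not Splunk's own code: check a packaged app archive for a
# leftover metadata/local.meta before sending it to AppInspect.
# Assumes the standard Splunk app layout <app>/metadata/local.meta.

# List archive members, accepting both gzip-compressed (.tgz/.spl) and
# plain .tar packages.
list_archive_members() {
    if gzip -t "$1" 2>/dev/null; then
        gzip -dc "$1" | tar -tf -
    else
        tar -tf "$1"
    fi
}

# Return 0 if the archive is free of local.meta, 1 if it is present.
check_app_package_for_local_meta() {
    pkg="$1"
    if list_archive_members "$pkg" 2>/dev/null | grep -q '/metadata/local\.meta$'; then
        echo "FAIL: $pkg contains metadata/local.meta; repackage with -merge-local-meta true or -exclude-local-meta true" >&2
        return 1
    fi
    echo "OK: $pkg contains no metadata/local.meta"
    return 0
}

# Build a constructed sample archive for the demonstration (not a real app).
# $1 = app name, $2 = "with-local-meta" or "clean". Prints the archive path.
build_sample_package() {
    name="$1"
    variant="$2"
    work=$(mktemp -d)
    mkdir -p "$work/$name/default" "$work/$name/metadata"
    printf '[ui]\nis_visible = 1\nlabel = %s\n' "$name" > "$work/$name/default/app.conf"
    printf '[]\nexport = system\n' > "$work/$name/metadata/default.meta"
    if [ "$variant" = "with-local-meta" ]; then
        # A local.meta left in the package is exactly what AppInspect rejects.
        printf '[]\nowner = admin\n' > "$work/$name/metadata/local.meta"
    fi
    tar -czf "$work/$name.tgz" -C "$work" "$name"
    echo "$work/$name.tgz"
}

# Demonstration: one archive that would fail AppInspect, one that would pass.
bad_pkg=$(build_sample_package stubby with-local-meta)
good_pkg=$(build_sample_package stubby clean)
check_app_package_for_local_meta "$bad_pkg"
check_app_package_for_local_meta "$good_pkg"
```

Run the check against the path that ./splunk package app prints; a non-zero exit status means the package should be rebuilt with one of the two flags before validation.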

Command: rebalance
Objects: cluster-data
Examples:
1. Rebalances data for all indexes.

./splunk rebalance cluster-data -action start

2. Rebalances data for a single index using the optional -index parameter.

./splunk rebalance cluster-data -action start -index _internal

3. Rebalances data using the optional -max_runtime parameter to limit the rebalancing activity to 5 minutes.

./splunk rebalance cluster-data -action start -max_runtime 5

Command: rebuild
Objects: NONE

Command: reload
Objects: ad, auth, deploy-server, exec, index, listen, monitor, registry, tcp, udp, perfmon, wmi
Examples:
1. Reloads your deployment server, in its entirety or by server class.

./splunk reload deploy-server

2. Reloads my_serverclass.

./splunk reload deploy-server -class my_serverclass

3. Reloads a specific index configuration. To reload all indexes, omit the index name.

./splunk reload index [index_name]

Command: remove
Objects: app, cluster-peers, cluster-manager, excess-buckets, exec, forward-server, index, jobs, licenser-pools, licenses, monitor, saved-search, search-server, tcp, udp, user
Examples:
1. Removes the cluster manager node from the list of instances the search head searches across. Uses testsecret as the secret/pass4SymmKey.

./splunk remove cluster-manager https://127.0.0.1:8089 -secret testsecret

2. Removes the unix app.

./splunk remove app unix

Command: rollback
Objects: cluster-bundle
Examples:
1. Rolls back your Splunk Web configuration bundle to the previous version. From the manager node, run:

./splunk rollback cluster-bundle

Command: rolling-restart
Objects: cluster-peers, shcluster-members

Command: rtsearch
Objects: app, batch, detach, earliest_time, header, id, index_earliest, index_latest, max_time, maxout, output, preview, rt_id, timeout, uri, wrap
Examples:
1. Runs a real-time search that does not line-wrap individual lines.

./splunk rtsearch 'error' -wrap false

2. Runs a real-time search. Use rtsearch exactly as you use the traditional search command.

./splunk rtsearch 'eventtype=webaccess error | top clientip'

Command: search
Objects: app, batch, detach, earliest_time, header, id, index_earliest, index_latest, latest_time, max_time, maxout, output, preview, timeout, uri, wrap
Examples:
1. Uses the wildcard as the search object. Triggers an asynchronous search and displays the job id and ttl for the search.

./splunk search '*' -detach true

2. Uses eventtype=webaccess error as the search object. Does not line-wrap individual lines that are longer than the terminal width.

./splunk search 'eventtype=webaccess error' -wrap 0

Command: set
Objects: datastore-dir, deploy-poll, default-hostname, default-index, indexing-ready, minfreemb, servername, server-type, splunkd-port, web-port, kvstore-port
Examples:
1. Sets the force indexing ready bit.

./splunk set indexing-ready

2. Sets bologna:1234 as the deployment server to poll updates from.

./splunk set deploy-poll bologna:1234

Command: show
Objects: config, cluster-bundle-status, datastore-dir, deploy-poll, default-hostname, default-index, jobs, minfreemb, servername, splunkd-port, web-port, kvstore-port, kvstore-status, shcluster-kvmigration-status
Examples:
1. Shows the current logging levels.

./splunk show log-level

2. Shows which deployment server Splunk Enterprise is configured to poll from.

./splunk show deploy-poll

Command: spool
Objects: NONE

Command: start-shcluster-migration
Objects: kvstore
Examples:
1. Migrates the KV store to the target storage engine in a clustered environment.

./splunk start-shcluster-migration kvstore -storageEngine wiredTiger

2. Checks whether the KV store is ready to migrate to the target storage engine.

./splunk start-shcluster-migration kvstore -storageEngine wiredTiger -isDryRun

Command: start, stop, restart
Objects: splunkd, splunkweb

Command: status
Objects: splunkd, splunkweb

Command: validate
Objects: index, files, cluster-bundle
Examples:
1. Validates the main index and verifies the index paths specified in indexes.conf.

./splunk validate index main

2. For files examples, see Check the integrity of your Splunk software files.

3. For cluster-bundle examples, see Update common peer configurations and apps in the Managing Indexers and Clusters of Indexers manual.

Command: version
Objects: NONE

You can use the CLI to export large numbers of search results. For information about how to export search results with the CLI, as well as information about the other export methods offered by Splunk Enterprise, see Export search results in the Search Manual.

The Splunk CLI also includes tools that help with troubleshooting. Invoke these tools using the CLI command cmd:
