Skip to content

Instantly share code, notes, and snippets.

@ChrisYounger

ChrisYounger/splunk_searchbnf

Created January 26, 2019 09:13
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ChrisYounger/e51f9c3aba0f1ed02e5caee7d4a6128b to your computer and use it in GitHub Desktop.
Save ChrisYounger/e51f9c3aba0f1ed02e5caee7d4a6128b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
splunk_searchbnf
# the output from running "/opt/splunk/bin/splunk btool searchbnf list" on a fairly default Splunk 7.2 instance
[abstract-command]
alias = excerpt
appears-in = 3.0
category = formatting
commentcheat = Show a summary of up to 5 lines for each search result.
description = Produce an abstract -- a summary or brief representation -- of the text of search results. The original text is replaced by the summary, which is produced by a scoring mechanism. If the event is larger than the selected maxlines, those with more terms and more terms on adjacent lines are preferred over those with fewer terms. If a line has a search term, its neighboring lines also partially match, and may be returned to provide context. When there are gaps between the selected lines, lines are prefixed with "...". \p\
If the text of a result has fewer lines or an equal number of lines to maxlines, no change will occur.\i\
* <maxlines> accepts values from 1 - 500. \i\
* <maxterms> accepts values from 1 - 1000.
examplecheat = ... |abstract maxlines=5
maintainer = david
related = highlight
shortdesc = Shortens the text of results to a brief summary representation.
syntax = abstract (maxterms=<int>)? (maxlines=<int>)?
tags = condense summarize summary outline pare prune shorten skim snip sum trim
usage = public
[accum-command]
appears-in = 4.0
category = fields::add
comment1 = Save the running total of "count" in a field called "total_count".
description = For each event where <field> is a number, keep a running total of the sum of this number and write it out to either the same field, or a new field if specified.
example1 = ... | accum count AS total_count
maintainer = steveyz
related = autoregress, delta, streamstats, trendline
shortdesc = Keeps a running total of a specified numeric field.
syntax = accum <field> (AS <field>)?
tags = total sum accumulate
usage = public
[addcoltotals-command]
appears-in = 3.0
category = reporting
comment1 = Compute the sums of all the fields, and put the sums in a summary event called "change_name".
comment2 = Add a column total for two specific fields in a table.
comment3 = Augment a chart with a total of the values present.
description = Appends a new result to the end of the search result set.
The result contains the sum of each numeric field or you can specify which fields
to summarize. Results are displayed on the Statistics tab. If the labelfield argument
is specified, a column is added to the statistical results table with the name
specified.
example1 = ... | addcoltotals labelfield=change_name label=ALL
example2 = sourcetype=access_* | table userId bytes avgTime duration | addcoltotals bytes duration
example3 = index=_internal source=*metrics.log group=pipeline |stats avg(cpu_seconds) by processor |addcoltotals labelfield=processor
maintainer = steveyz
related = stats
shortdesc = Appends a new result to the end of the search result set.
syntax = addcoltotals (labelfield=<field>)? (label=<string>)? <field-list>?
tags = total add calculate sum
usage = public
[addinfo-command]
appears-in = 3.2
category = fields::add
comment = Add information about the search to each event.
description = Adds global information about the search to each event. The addinfo command is primarily an internal component of summary indexing. \i\
Currently the following fields are added: \i\
"info_min_time" - the earliest time bound for the search \i\
"info_max_time" - the latest time bound for the search \i\
"info_search_id" - query id of the search that generated the event \i\
"info_search_time" - time when the search was executed.
example = ... |addinfo
maintainer = ledion
related = search
shortdesc = Add fields that contain common information about the current search.
syntax = addinfo
tags = search info
usage = public
[addtotals-command]
appears-in = 3.0
category = reporting
comment1 = Compute the sums of the numeric fields of each results.
comment2 = Compute the sums of the numeric fields that match the given list, and save the sums in the field "sum".
comment3 = Compute the sums of all the fields, and put the sums in a summary event called "change_name".
commentcheat = Calculate the sums of the numeric fields of each result, and put the sums in the field "sum".
description = If "row=t" (default if invoked as 'addtotals') for each result, computes the arithmetic sum of all
numeric fields that match <field-list> (wildcarded field list).
If list is empty all fields are considered.
The sum is placed in the specified field or "Total" if none was specified.
If "col=t" (default if invoked as 'addcoltotals'), adds a new result at the end that represents the sum of each field.
LABELFIELD, if specified, is a field that will be added to this summary
event with the value set by the 'label' option.
example1 = ... | addtotals
example2 = ... | addtotals fieldname=sum foobar* *baz*
example3 = ... | addtotals col=t labelfield=change_name label=ALL
examplecheat = ... | addtotals fieldname=sum
maintainer = steveyz
related = stats
shortdesc = Computes the sum of all numeric fields for each result.
syntax = addtotals (row=<bool>)? (col=<bool>)? (labelfield=<field>)? (label=<string>)? (fieldname=<field>)? <field-list>
tags = total add calculate sum
usage = public
[after-opt]
default = "timeafter=30s"
description = the amount of time to add to endtime (ie expand the time region forward in time)
syntax = timeafter=<int>(s|m|h|d)?
[alert_action_name]
description = Name of the custom alert action.
example = hipchat
syntax = <string>
[align]
description = Specifies if the wrapping should be aligned to the current time or the end
time of the search. Defaults to end.
syntax = now|end
[allFeatures]
description = This option specifies that the output include every geometric feature in the feature collection. When a shape has no values, any aggregate fields, such as "average" or "count", display zero.
syntax = allFeatures=<bool>
[analyzefields-command]
alias = af
appears-in = 4.0
category = reporting
comment1 = Analyze the numerical fields to predict the value of "is_activated".
description = Using <field> as a discrete random variable, analyze all *numerical* fields to determine the ability for each of those fields to "predict" the value of the classfield.
In other words, analyzefields determines the stability of the relationship between values in the target classfield and numeric values in other fields. \i\
As a reporting command, analyzefields consumes all input results, and generates one output result per identified numeric field. \i\
For best results, classfield should have 2 distinct values, although multi-class analysis is possible.
example1 = ... | analyzefields classfield=is_activated
maintainer = steveyz
related = anomalousvalue
shortdesc = Finds degree of correlation between a target discrete field and other numerical fields.
syntax = analyzefields classfield=<field>
tags = analyze predict
usage = public beta
[annotate-option]
description = If set to true the results will contain fields for the splunk_server aplunk_server_group and _time when they were created
These may be used to compute aggregates etc. Certain order sensitive processors may also fail if the internal _time field is absent.
False by default.
syntax = annotate=<bool>
[anoma-action-option]
comment = This is the default action when method=histogram. If method is zscore or iqr, then the default action is the default ones for those commands,
i.e., 'filter' for zscore and 'transform' for iqr
default = "action=filter"
description = If the method is zscore or iqr, then the actions have the same meaning as in the anomalousvalue and outlier commands.
If the method is histogram, then the meanings are:
If action is FILTER, anomalous events are retained while others are dropped.
If action is ANNOTATE, new fields will be added to anomalous events that indicate the probability of the event as well as which field
may be the cause of the anomaly.
If the action is SUMMARY, a table summarizing the anomaly statistics for the search results is generated.
syntax = action=(filter|annotate|summary) if the method is histogram or zscore
action=(transform|tf|remove|rm) if the method is iqr
[anoma-cutoff-option]
default = "cutoff=true"
description = This option applies to histogram method only. If the cutoff is false, the algorithm uses the formula threshold = 1st-quartile - 1.5*iqr without
modification. If the cutoff is true, the algorithm modifies the above formula in order to come up with a smaller number of anomalies.
syntax = cutoff=<bool>
[anoma-method-option]
comment1 = This query returns the same output as that returned by the query '... | anomalousvalue action=filter pthresh=0.05'.
comment2 = This query returns the same output as that returned by the query '...| outlier action=tf param=4 uselower=true mark=true'.
default = "method=histogram"
description = There are three methods instead of one because we've combined two older commands, anomalousvalue and outlier, with the new method.
The new method is invoked by choosing the 'histogram' option. The anomalousvalue command is invoked by choosing 'zscore',
and the outlier command is invoked by choosing 'iqr'.
Below we will describe other options associated with the histogram method. For the other two methods, the associated options are
exactly the same as before. That is, the queries '...| anomalousvalue ...' and '...| anomalydetection method=zscore ...' where the '...' are
exactly the same in the two queries will produce exactly the same outputs. The same scheme applies to outlier.
example1 = ... | anomalydetection method=zscore action=filter pthresh=0.05
example2 = ... | anomalydetection method=iqr action=tf param=4 uselower=true mark=true
syntax = method=(histogram|zscore|iqr)
[anoma-pthresh-option]
default = If the method is zscore, then the default is 0.01 (as in the anomalousvalue command). If the method is histogram, the default is not any fixed value
but is instead calculated for each data set during the analysis.
description = First, this option only applies when the method is either histogram or zscore. An invalid argument error will be returned if the method is iqr.
In the histogram case, it means the probability (as a decimal) that has to be met for an event to be deemed anomalous.
In the zscore case, it means the same as in the annomalousvalue command.
syntax = pthresh=<num>
[anomalies-command]
appears-in = 4.0
category = results::filter
comment1 = Return only anomalous events.
comment2 = Show most interesting events first, ignoring any in the blacklist 'boringevents'.
comment3 = Use with transactions to find regions of time that look unusual.
description = Determines the degree of "unexpectedness" of an event's field
value, based on the previous MAXVALUE events. By default it
removes events that are well-expected (unexpectedness >
THRESHOLD). The default THRESHOLD is 0.01. If LABELONLY is true,
no events are removed, and the "unexpectedness" attribute is set
on all events. The FIELD analyzed by default is "_raw".
By default, NORMALIZE is true, which normalizes numerics. For cases
where FIELD contains numeric data that should not be normalized, but
treated as categories, set NORMALIZE=false. The
BLACKLIST is a name of a csv file of events in
$SPLUNK_HOME/var/run/splunk/<BLACKLIST>.csv, such that any incoming
events that are similar to the blacklisted events are treated as
not anomalous (i.e., uninteresting) and given an unexpectedness
score of 0.0. Events that match blacklisted events with a
similarity score above BLACKLISTTHRESHOLD (defaulting to 0.05) are
marked as unexpected. The inclusion of a 'by' clause, allows the
specification of a list of fields to segregate results for anomaly
detection. For each combination of values for the specified
field(s), events with those values are treated entirely separately.
Therefore, 'anomalies by source' will look for anomalies in each
source separately -- a pattern in one source will not affect that
it is anomalous in another source.
example1 = ... | anomalies
example2 = ... | anomalies blacklist=boringevents | sort -unexpectedness
example3 = ... | transaction maxpause=2s | anomalies
maintainer = david
related = anomalousvalue, cluster, kmeans, outlier
shortdesc = Computes an "unexpectedness" score for an event.
syntax = anomalies (threshold=<num>)? (labelonly=<bool>)? (normalize=<bool>)? (maxvalues=<int>)? (field=<field>)? (blacklist=<filename>)? (blacklistthreshold=<num>)? (<by-clause>)?
tags = anomaly unusual odd irregular dangerous unexpected outlier
usage = public
[anomalousvalue-command]
appears-in = 3.0
category = reporting
comment1 = Return only uncommon values.
commentcheat = Return events with uncommon values.
description = Identifies or summarizes the values in the data that are anomalous either by frequency of occurrence
or number of standard deviations from the mean. If a field-list is given, only those fields are
considered. Otherwise all non internal fields are considered. \p\
For fields that are considered anomalous, a new field is added with the following scheme.
If the field is numeric, e.g. \"size\", the new field will be \"Anomaly_Score_Num(size)\".
If the field is non-numeric, e.g. \"name\", the new field will be \"Anomaly_Score_Cat(name)\".
example1 = ... | anomalousvalue
examplecheat = ... | anomalousvalue action=filter pthresh=0.02
maintainer = steveyz
related = af, anomalies, cluster, kmeans, outlier
shortdesc = Finds and summarizes irregular, or uncommon, search results.
syntax = anomalousvalue <av-option>* <anovalue-action-option>? <anovalue-pthresh-option>? <field-list>?
tags = anomaly unusual odd irregular dangerous unexpected
usage = public
[anomalydetection-command]
appears-in = Ember
category = streaming, reporting
comment = The way probabilities are computed is called the Naive Bayes method, which means the individual fields are considered independent.
This is a simplification to make the command reasonably fast.
comment1 = Return only anomalous events.
comment2 = Return a short summary of how many anomalous events are there and some other statistics such as the threshold value used to detect them.
description = Identify anomalous events by computing a probability for each event and then detecting unusually small probabilities.
The probability is defined as the product of the frequencies of each individual field value in the event.
For categorical fields, the frequency of a value X is the number of times X occurs divided by the total number of events.
For numerical fields, we first build a histogram for all the values, then compute the frequency of a value X
as the size of the bin that contains X divided by the number of events.
Missing values are treated by adding a special value and updating its count just like a normal value.
Histograms are built using the standard Scott's rule to determine the bin width.
example1 = ... | anomalydetection
example2 = ... | anomalydetection action=summary
maintainer = nnguyen
related = anomalies, anomalousvalue, outlier, cluster, kmeans
shortdesc = Find anomalous events in a set of search results.
syntax = anomalydetection <anoma-method-option>? <anoma-action-option>? <anoma-pthresh-option>? <anoma-cutoff-option>? <field-list>?
tags = anomaly unusual odd irregular dangerous unexpected Bayes
usage = public
[anovalue-action-option]
default = "action=filter"
description = If action is ANNOTATE, new fields will be added to the event containing anomalous values that
indicate the anomaly scores of the values.
If action is FILTER, events with anomalous value(s) are retained while non-anomalous values are dropped.
If action is SUMMARY, a table summarizing the anomaly statistics for each field is generated.
syntax = action=(annotate|filter|summary)
[anovalue-pthresh-option]
default = "pthresh=0.01"
description = Probability threshold (as a decimal) that has to be met for a value to be deemed anomalous
syntax = pthresh=<num>
[append-command]
appears-in = 4.0
category = results::append
comment = Append the current results with the tabular results of errors.
description = Append the results of a subsearch as additional results at the end of the current results.
example = ... | chart count by category1 | append [search error | chart count by category2]
maintainer = steveyz
related = appendcols, join, set
shortdesc = Appends the results of a subsearch results to the current results.
syntax = append (<subsearch-options>)? <subsearch>
tags = append join combine unite combine
usage = public
[appendcols-command]
appears-in = 4.0
category = fields::add
comment = Search for "404" events and append the fields in each event to the previous search results.
description = Appends fields of the results of the subsearch into input search results by combining the external fields of the subsearch (fields that do not start with '_') into the current results. The first subsearch result is merged with the first main result, the second with the second, and so on. If option override is false (default), if a field is present in both a subsearch result and the main result, the main result is used. If it is true, the subsearch result's value for that field is used.
example = ... | appendcols [search 404]
maintainer = steveyz
related = append, join, set
shortdesc = Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.
syntax = appendcols (override=<bool> | <subsearch-options>)? <subsearch>
tags = append join combine unite
usage = public
[appendpipe-command]
appears-in = 4.2
category = results::append
comment = Append subtotals for each action across all users
description = Appends the result of the subpipeline applied to the current result set to results.
example = index=_audit | stats count by action user | appendpipe [stats sum(count) as count by action | eval user = "ALL USERS"] | sort action
maintainer = steveyz
related = append appendcols join set
syntax = appendpipe (run_in_preview=<bool>)? [<subpipeline>]
tags = append join combine unite combine
usage = public
[application-string]
description = The name of the application in which the saved search is defined.
example = search
syntax = <string>
[archivebuckets-command]
comment1 = To execute archivebuckets manually
description = Archives Splunk buckets to Hadoop. The archivebuckets command is usually run on a schedule by Splunk. The optional argument "forcerun=1" is needed when the search is run manually.
The optional argument "retries" can be used to specify the number of attempts that should be made to assure all buckets have archived. The default is 1.
Failures (e.g. due to lost network connectivity) will be retried the next time the command is run.
archivebuckets will generate virtual index information and spawn a new distributed search named copybuckets, which will archive buckets on each search peer connected to this Splunk instance.
For more information, visit docs.splunk.com.
example1 = | archivebuckets forcerun=1
shortdesc = Archives Splunk buckets to Hadoop.
syntax = archivebuckets [forcerun=1] [retries=N]
tags = a, ar, arc, archive, buckets, bucket, roll, roller
usage = public
[artifact-offset-opt]
description = Select a search artifact other than the most recent one, based on search start time. For example
if artifact_offset=1, the second most recent will be loaded; if artifact_offset=2, the third most recent
will be loaded. Attempting to load an offset past the last available artifact will result in an error.
Defaults to 0, or the most recent.
example = artifact_offset=1
syntax = artifact_offset=<int>
[arules-command]
appears-in = 6.0
category = streaming, reporting
comment1 = Running arules with default support (=3) and confidence (=.5)
The minimum number of fields is 2. There is no maximum restriction.
comment2 = The sup option must be a positive integer
The conf option must be a float between 0 and 1
In general, the higher the support, the less noisy the output will be. However, setting the support too high may exclude too much
useful data in some circumstances. The conf option should be at least 0.5, otherwise the associations will not be significant. The higher
the conf, the more significant the associations will be, but at the expense of retaining less associations.
description = Finding association rules between values. This is the algorithm behind most online
shopping websites. When a customer buys an item, these sites are able to recommend
related items that other customers also buy when they buy the first one. Arules finds such relationships and not only for
shopping items but any kinds of fields. Note that stricly speaking, arules does not find relationships between fields, but rather
between the values of the fields.
example1 = ... | arules field1 field2 field3
example2 = ... | arules sup=3 conf=.6 field1 field2 field3
maintainer = nnguyen
related = associate, correlate
shortdesc = Finds the association rules between field values.
syntax = arules (<arules-option> )* <fields>
tags = associate contingency correlate correspond dependence independence
usage = public
[arules-option]
default = ("sup=3" | "conf=.5")
description = The sup option specifies a required level of support, or computed level of association between fields. Support is expressed as the output Support and Implied Support fields. The conf option specifies a measure of how certain the algorithm is about that association. Confidence is expressed as the output Strength field. (For example a small number of datapoints that are entirely equivalent would have high support but low confidence.) For either option, associations which are below the limits will not be included in output results.
syntax = (sup=<int>)|(conf=<num>)
[associate-command]
appears-in = 3.0
category = reporting
comment1 = Analyze all fields to find a relationship.
comment2 = Analyze all events from host "reports" and return results associated with each other.
commentcheat = Return results associated with each other (that have at least 3 references to each other).
description = Searches for relationships between pairs of fields. More specifically, this command tries to identify
cases where the entropy of field1 decreases significantly based on the condition of field2=value2.
field1 is known as the target key and field2 the reference key and value2 the reference value.
If a list of fields is provided, analysis will be restrict to only those fields. By default all fields
are used.
example1 = ... | associate
example2 = host="reports" | associate supcnt=50 supfreq=0.2 improv=0.5
examplecheat = ... | associate supcnt=3
maintainer = steveyz
related = correlate, contingency
shortdesc = Identifies correlations between fields.
syntax = associate (<associate-option> )* <field-list>?
tags = associate contingency correlate connect link correspond dependence independence
usage = public
[associate-improv-option]
default = "improv=0.5"
description = Minimum entropy improvement for target key. That is,
entropy(target key) - entropy(target key given reference key/value)
must be greater than or equal to this.
syntax = improv=<num>
[associate-option]
description = Associate command options
syntax = <associate-supcnt-option>|<associate-supfreq-option>|<associate-improv-option>
[associate-supcnt-option]
default = "supcnt=100"
description = Minimum number of times the reference key=reference value combination must be appear.
Must be a non-negative integer.
syntax = supcnt=<int>
[associate-supfreq-option]
default = "supfreq=0.1"
description = Minimum frequency of reference key=reference value combination, as a fraction of the number of total events.
syntax = supfreq=<num>
[attrn]
description = The value set for each event's RANGE field if the field vaule falls in the attrn range
example = low
syntax = <string>
[attrn-range]
description = The range to match to the value of the RANGE field.
example = 1-25
syntax = <num>-<num>
[audit-command]
appears-in = 3.2
category = administrative
commentcheat = View information in the "audit" index.
description = View audit trail information stored in the local "audit" index. Also validate signed audit events while checking for gaps and tampering.
examplecheat = index=audit | audit
maintainer = rdas
related = metadata
shortdesc = Returns audit trail information that is stored in the local audit index.
syntax = audit
tags = audit trail security
usage = public
[autoregress-command]
alias = ar
appears-in = 4.0
category = reporting
comment1 = Calculate a moving average of event size; the first N average numbers are omitted by eval since summing null fields results in null.
comment2 = For each event, copy the 2nd, 3rd, 4th, and 5th previous values of the 'count' field into the respective fields 'count_p2', 'count_p3', 'count_p4', and 'count_p5'.
comment3 = For each event, copy the 3rd previous value of the 'foo' field into the field 'oldfoo'.
description = Sets up data for auto-regression (e.g. moving average) by copying one or more of the previous values for <field> into each event. If <newfield> is provided, one prior value will be copied into <newfield> from a count of 'p' events prior. In this case, 'p' must be a single integer. If <newfield> is not provided, the single or multiple values will be copied into fields named '<field>_p<p-val>'. In this case 'p' may be a single integer, or a range <p_start>-<p_end>. For a range, the values will be copied from 'p_start' events prior to 'p_end' events prior. If 'p' option is unspecified, it defaults to 1 (i.e., copy only the previous one value of <field> into <field>_p1. The first few events will lack previous values, since they do not exist.
example1 = ... | eval rawlen=len(_raw) | autoregress rawlen p=1-4 | eval moving_average = (rawlen + rawlen_p1 + rawlen_p2 + rawlen_p3 + rawlen_p4) / 5
example2 = ... | autoregress count p=2-5
example3 = ... | autoregress foo AS oldfoo p=3
maintainer = steveyz
related = accum, delta, streamstats, trendline
shortdesc = Prepares events or results for calculating the moving average.
syntax = autoregress <field> (AS <field:newfield>)? (p=<int:p_start>("-"<int:p_end>)?)?
tags = average mean
usage = public
[av-option]
description = Parameters to the anomalousvalue command.
minsupcount is the minimum number of rows that must contain a field in order to consider the field at all.
maxanofreq is the maximum frequency (as a decimal) for a value to be considered anomalous.
minsupfreq is the minimum support frequency. A field must be in at least this fraction of overall events to be considered.
minnormfreq is the minimum normal frequency. A field's values must be considered normal at least this fraction of times
or else the field is not considered for determining if the event is anomalous
syntax = (minsupcount=<int>)|(maxanofreq=<num>)|(minsupfreq=<num>)|(minnormfreq=<num>)
[bcc-option]
description = Blind cc line; comma-separated quoted list of valid email addresses.
syntax = bcc=<email_list>
[before-opt]
default = "timebefore=30s"
description = the amount of time to subtract from starttime (ie expand the time region backwards in time)
syntax = timebefore=<int>(s|m|h|d)?
[bin-aligntime]
description = Align to the specific UTC time of 1500567890.
example1 = aligntime=earliest
example2 = aligntime=@d+3h
example3 = aligntime=1500567890
syntax = aligntime=(earliest|latest|<time-specifier>)
[bin-bins]
description = Sets the maximum number of bins to discretize into.
Given this upper-bound guidance, the bins will snap to
human sensible bounds.
example1 = bins=10
note = The actual number of bins will almost certainly be smaller than the given number.
syntax = bins=<int>
[bin-command]
alias = bucket, discretize
appears-in = 3.0
category = reporting
commentcheat1 = Separate search results into 10 bins, and return the count of raw events for each bin.
commentcheat2 = Return the average "thruput" of each "host" for each 5 minute time span.
description = Puts continuous numerical field values into discrete sets, or bins. Adjusts the value of 'field', so that all items in the set have the same value for 'field'. Note: Bin is called by chart and timechart automatically and is only needed for statistical operations that timechart and chart cannot process.
examplecheat1 = ... | bin size bins=10 | stats count(_raw) by size
examplecheat2 = ... | bin _time span=5m | stats avg(thruput) by _time host
maintainer = steveyz
related = chart, timechart
shortdesc = Puts continuous numerical values into discrete sets.
syntax = bin (<bin-options> )* <field> (as <field>)?
tags = bucket band bracket bin round chunk lump span
usage = public
[bin-minspan]
description = Specifies the smallest span granularity to use automatically inferring span from the data time range.
syntax = minspan=(<span-length>)
[bin-options]
description = Discretization options.
syntax = (<bin-bins> <bin-minspan>?)|<bin-span>|<bin-start-end>|<bin-aligntime>
[bin-span]
comment1 = set span to 10 seconds
comment2 = set span to 2 days
comment3 = set span to 5 minutes
description = Sets the size of each bin.
example1 = span=10
example2 = span=2d
example3 = span=5m
syntax = span=(<span-length>|<log-span>)
[bin-start-end]
description = Sets the minimum and maximum extents for numerical bins.
note = Data outside of the [start, end] range is discarded.
syntax = (start|end)=<num>
[binspanlat]
description = The size of the bins in latitude degrees at the lowest zoom level. Defaults to 22.5.
With default binspanlong=45.0, leads to a grid size of 8x8.
syntax = binspanlat=<float>
[binspanlong]
description = The size of the bins in longitude degrees at the lowest zoom level. Defaults to
45.0. With default binspanlat=22.5, leads to a grid size of 8x8.
syntax = binspanlong=<float>
[bucketdir-command]
appears-in = 4.0
category = results::group
comment1 = get 10 best sources and directories
description = Returns at most MAXCOUNT events by taking the incoming events and rolling up multiple sources into directories, by preferring directories that have many files but few events. The field with the path is PATHFIELD (e.g., source), and strings are broken up by a SEP character. The default pathfield=source; sizefield=totalCount; maxcount=20; countfield=totalCount; sep="/" or "\\", depending on the os.
example1 = ... | top source|bucketdir pathfield=source sizefield=count maxcount=10
maintainer = david
related = cluster dedup
shortdesc = Replaces PATHFIELD with higher-level grouping, such as replacing filenames with directories.
syntax = bucketdir pathfield=<field> sizefield=<field> (maxcount=<int>)? (countfield=<field>)? (sep=<char>)?
tags = cluster group collect gather
usage = public
[by-clause]
description = Fields to group by.
example1 = BY host
example2 = BY addr, port
syntax = by <field-list>
[cc-option]
description = Cc line; comma-separated quoted list of valid email addresses.
syntax = cc=<email_list>
[chart-command]
appears-in = 3.0
category = reporting
commentcheat1 = Return the average (mean) "size" for each distinct "host".
commentcheat2 = Return the the maximum "delay" by "size", where "size" is broken down into a maximum of 10 equal sized buckets.
commentcheat3 = Return the ratio of the average (mean) "size" to the maximum "delay" for each distinct "host" and "user" pair.
commentcheat4 = Return max(delay) for each value of foo split by the value of bar.
commentcheat5 = Return max(delay) for each value of foo.
description = Creates a table of statistics suitable for charting. Whereas timechart generates a
chart with _time as the x-axis, chart lets you select an arbitrary field as the
x-axis with the "by" or "over" keyword. If necessary, the x-axis field is converted
to discrete numerical quantities.\p\
When chart includes a split-by-clause, the columns in the output table represents a
distinct value of the split-by-field. (With stats, each row represents a single
unique combination of values of the group-by-field. The table displays ten columns
by default, but you can specify a where clause to adjust the number of columns.\p\
When a where clause is not provided, you can use limit and agg options to specify
series filtering. If limit=0, there is no series filtering. \p\
When specifying multiple data series with a split-by-clause, you can use sep and
format options to construct output field names.
examplecheat1 = ... | chart avg(size) by host
examplecheat2 = ... | chart max(delay) by size bins=10
examplecheat3 = ... | chart eval(avg(size)/max(delay)) by host user
examplecheat4 = ... | chart max(delay) over foo by bar
examplecheat5 = ... | chart max(delay) over foo
maintainer = steveyz
related = timechart, bucket, sichart
shortdesc = Returns results in a tabular output for charting.
simplesyntax = chart (agg=<stats-agg-term>)? ( <stats-agg-term> | ( "(" <eval-expression> ")" ) )+ ( BY <field> (<bin-options> )* (<split-by-clause>)? )? | ( OVER <field> (<bin-options>)* (BY <split-by-clause>)? )?
supports-multivalue = true
syntax = chart <chart-command-arguments>
tags = chart graph report sparkline count dc mean avg stdev var min max mode median
usage = public
[chart-command-arguments]
description = See chart-command description. See the bin command for details about the <bin-options>.
syntax = (sep=<string>)? (format=<string>)? (cont=<bool>)? (limit=<int>)? (agg=<stats-agg-term>)? ( <stats-agg-term> | <sparkline-agg-term> | ( "(" <eval-expression> ")" ) )+
( BY <field> (<bin-options> )* (<split-by-clause>)? )? |
( OVER <field> (<bin-options>)* (BY <split-by-clause>)? )?
[cluster-command]
alias = slc
appears-in = 3.2
category = results::group
comment = Cluster syslog events together.
commentcheat = Cluster events together, sort them by their "cluster_count" values, and then return the 20 largest clusters (in data size).
description = Fast and simple clustering method designed to operate on event text (_raw field). With default options, a single representative event is retained for each cluster.
example = sourcetype=syslog | cluster
examplecheat = ... | cluster t=0.9 showcount=true | sort - cluster_count | head 20
maintainer = steveyz
related = anomalies, anomalousvalue, cluster, kmeans, outlier
shortdesc = Clusters similar events together.
syntax = cluster (<slc-option> )*
tags = cluster group collect gather
usage = public
[cmp]
syntax = =|!=|"<"|"<"=|">"|">"=
[cofilter-command]
appears-in = 6.0
category = streaming, reporting
comment1 = user field must be specified first and item field second
description = For this command, we think of field1 values as "users" and field2 values as "items".
The goal of the command is to compute, for each pair of item (i.e., field2 values), how many
users (i.e., field1 values) used them both (i.e., occurred with each of them).
example1 = ... | cofilter field1 field2
maintainer = nnguyen
related = associate, correlate
shortdesc = Find how many times field1 and field2 values occurred together.
syntax = cofilter field1 field2
tags = arules associate contingency correlate correspond dependence independence
usage = public
[collapse-command]
appears-in = 3.2
description = Purely internal operation that condenses multi-file results into as few files as chunksize option will allow. (default chunksize=50000). Operation automatically invoked by output* operators. If force=true and the results are entirely in memory, re-divide the results into appropriated chunked files (this option is new for 5.0).
example1 = ... | collapse
maintainer = steveyz
optout-in = lite, lite_free
syntax = collapse (chunksize=<num>)? (force=<bool>)?
usage = internal
[collapse-opt]
default = t
description = whether to collapse terms that are a prefix of another term and the event count is the same
example = collapse=f
syntax = collapse=<bool>
[collect-addinfo]
description = If true, will write the search time and time bounds into the text
out of each summary index event in the format
info_min_time=<search_earliest_time>, info_max_time=<search_latest_time>,
info_search_time=<search_exec_time>
syntax = addinfo=<bool>
[collect-addtime]
description = whether to prefix a time into each event if the event does not contain a _raw field.
The first found field of the following times is used: info_min_time, _time, now()
defaults to true
syntax = addtime=<bool>
[collect-arg]
syntax = <collect-addtime> | <collect-index> | <collect-file> | <collect-spool> | <collect-marker> | <collect-testmode> | <collect-run-in-preview> | <collect-host> | <collect-source> | <collect-sourcetype>
[collect-command]
alias = stash, summaryindex, sumindex
appears-in = 3.2
category = index::summary
comment1 = Put "download" events into an index named "downloadcount".
description = Adds the results of the search into the specified index. Behind the scenes, the events are written
to a file whose name format is: "<random-num>_events.stash", unless overridden, in a directory
which is watched for new events by Splunk. If the events contain a _raw field then the raw field
is saved, if they don't a _raw field is constructed by concatenating all the fields into a
comma-separated list of key="value" pairs.
example1 = eventtypetag="download" | collect index=downloadcount
maintainer = ledion
optout-in = lite, lite_free
related = overlap, sichart, sirare, sistats, sitop, sitimechart
shortdesc = Puts search results into a summary index.
syntax = collect <collect-index> (<collect-arg>)*
tags = collect summary overlap summary index summaryindex
usage = public
[collect-file]
description = name of the file where to write the events to. Optional, default "<random-num>_events.stash"
The following placeholders can be used in the file name $timestamp$, $random$ and will be
replaced with a timestamp, a random number respectively
syntax = file=<string>
[collect-host]
description = The name of the host that you want to specify for the events.
syntax = host=<string>
[collect-index]
description = name of the index where splunk should add the events to. Note: the index must exist
for events to be added to it, the index is NOT created automatically.
syntax = index=<string>
[collect-marker]
description = a string, usually of key-value pairs, to append to each event written out. Optional, default ""
syntax = marker=<string>
[collect-run-in-preview]
description = controls whether this command is enabled during preview generation. Generally you do not
want to insert preview results into the summary index - that is why this defaults to false.
However, in some rare cases, such as when a custom search command is used as part of the search
to ensure correct summary-indexable previews are generated, this flag can be turned on.
(defaults to false)
syntax = run_in_preview=<bool>
[collect-source]
description = The name of the source that you want to specify for the events.
syntax = source=<string>
[collect-sourcetype]
description = The name of the source type that you want to specify for the events.
By specifying a sourcetype outside of stash, you will incur license usage.
syntax = sourcetype=<string>
[collect-spool]
description = If set to true (default is true), the summary indexing file will be written to
Splunk's spool directory, where it will be indexed automatically.
If set to false, file will be written to $SPLUNK_HOME/var/run/splunk, where it will remain
until further administrative actions are taken.
syntax = spool=<bool>
[collect-testmode]
description = toggle between testing and real mode. In testing mode the results are not written
into the new index but the search results are modified to appear as they would if
sent to the index. (defaults to false)
syntax = testmode=<bool>
[column-end]
default = ")"
description = The value to use for the column end.
syntax = <double-quoted-string>
[column-prefix]
default = "("
description = The value to use for the column prefix.
syntax = <double-quoted-string>
[column-separator]
default = "AND"
description = The value to use for the column separator.
syntax = <double-quoted-string>
[comparison-expression]
syntax = <field><cmp><value>|<field> IN <value-list>
[concurrency-command]
appears-in = 4.1
category = reporting
comment1 = Calculate the number of concurrent events for each event start time and emit as field 'foo'
comment2 = Calculate the number of ongoing http requests at the start time of each http request in a splunk access log
commentcheat = Calculate the number of concurrent events using the 'et' field as the start time
and 'length' as the duration.
description = If each event represents something that occurs over a span of time, where that
span is specified in the duration field, calculate the number of concurrent events
for each event start time. An event X is concurrent with event Y if
the X start time, X.start, lies between Y.start and (Y.start + Y.duration).
In other words, the concurrent set of events is calculated for each event start time,
and that number is attached to the event.
The units of start and duration are assumed to be the same. If you have different
units, you will need to convert them to corresponding units prior to using the concurrency
command.
Unless specified, the start field is assumed to be _time and the output field will
be 'concurrency'
Limits: If concurrency exceeds limits.conf [concurrency] max_count
(Defaults to 10 million), results will not be accurate.
example1 = ... | concurrency duration=total_time output=foo
example2 = ... | eval spent_in_seconds = spent / 1000 | concurrency duration=spent_in_seconds
examplecheat = ... | concurrency duration=length start=et
maintainer = steveyz
related = timechart
shortdesc = Given a duration field, finds the number of "concurrent" events for each event.
syntax = concurrency duration=<field> (start=<field>)? (output=<field>)?
tags = concurrency
usage = public
[connected-opt]
default = connected=t
description = Relevant iff fields is not empty. Controls whether an event that is not inconsistent and not consistent
with the fields of a transaction, opens a new transaction (connected=t) or is added to the transaction.
An event can be not inconsistent and not consistent if it contains fields required by the transaction
but none of these fields has been instantiated in the transaction (by a previous event addition).
syntax = connected=<bool>
[content_type-option]
default = Refer to the email.content_type in the alert_actions.conf file.
description = The content type of the email. Plain sends email as plain text and html sends email as a multipart email that include both text and html.
syntax = content_type=html | plain
[contingency-command]
alias = counttable, ctable
appears-in = 3.0
category = reporting
comment1 = Build a contingency table for fields "host" and "sourcetype".
commentcheat = Build a contingency table of "datafields" from all events.
description = In statistics, contingency tables are used to record
and analyze the relationship between two or more (usually categorical) variables. Many metrics of
association or independence can be calculated based on contingency tables, such as the phi
coefficient or the V of Cramer.
example1 = ... | contingency host sourcetype
examplecheat = ... | contingency datafield1 datafield2 maxrows=5 maxcols=5 usetotal=F
maintainer = steveyz
related = associate, correlate
shortdesc = Builds a contingency table for two fields.
syntax = contingency (<contingency-option> )* <field> <field>
tags = associate contingency correlate connect link correspond dependence independence
usage = public
[contingency-maxopts]
default = ("maxrows=0" | "maxcols=0")
description = Maximum number of rows or columns. If the number of distinct values of the field exceeds this maximum,
the least common values will be ignored. There is a ceiling on the values permitted for maxrows and maxcols
from limits.conf, [ctable] stanza maxvalues. This limit defaults to 1000. Values for over this will be rejected
and values of 0 for these settings mean to use this maxvalues setting.
syntax = (maxrows|maxcols)=<int>
[contingency-mincover]
default = ("mincolcover=1.0" | "minrowcover=1.0")
description = Cover only this percentage of values for the row or column field. If the number of entries needed to
cover the required percentage of values exceeds maxrows or maxcols, maxrows or maxcols takes precedence.
syntax = (mincolcover|minrowcover)=<num>
[contingency-option]
description = Options for the contingency table
syntax = <contingency-maxopts>|<contingency-mincover>|<contingency-usetotal>|<contingency-totalstr>
[contingency-totalstr]
default = "totalstr=TOTAL"
description = Field name for the totals row/column
syntax = totalstr=<field>
[contingency-usetotal]
default = "usetotal=true"
description = Add row and column totals
syntax = usetotal=<bool>
[convert-auto]
description = Automatically convert the field(s) to a number using the best conversion.
Note that if not all values of a particular field can be converted using a known conversion type,
the field is left untouched and no conversion at all in done for that field.
example1 = ... | convert auto(*)
example2 = ... | convert auto
example3 = ... | convert auto()
example4 = ... | convert auto(delay) auto(xdelay)
example5 = ... | convert auto(delay) as delay_secs
example6 = ... | convert auto(*delay) as *delay_secs
example7 = ... | convert auto(*) as *_num
syntax = auto("(" (<wc-field>)? ")")?
[convert-command]
appears-in = 3.0
category = fields::convert
commentcheat1 = Convert every field value to a number value except for values in the field "foo" (use the "none" argument to specify fields to ignore).
commentcheat2 = Change all memory values in the "virt" field to Kilobytes.
commentcheat3 = Change the sendmail syslog duration format (D+HH:MM:SS) to seconds. For example, if "delay="00:10:15"", the resulting value will be "delay="615"".
commentcheat4 = Convert values of the "duration" field into number value by removing string values in the field value. For example, if "duration="212 sec"", the resulting value will be "duration="212"".
description = Converts the values of fields into numerical values. When renaming a field using "as", the original field is left intact. The timeformat option is used by ctime and mktime conversions. Default = "%m/%d/%Y %H:%M:%S".
examplecheat1 = ... | convert auto(*) none(foo)
examplecheat2 = ... | convert memk(virt)
examplecheat3 = ... | convert dur2sec(delay)
examplecheat4 = ... | convert rmunit(duration)
maintainer = steveyz
related = eval
shortdesc = Converts field values into numerical values.
simplesyntax = convert (timeformat=<string>)? ( (auto|dur2sec|mstime|memk|none|num|rmunit|rmcomma|ctime|mktime) "(" <field>? ")" (as <field>)?)+
syntax = convert (timeformat=<string>)? (<convert-function> (as <wc-field>)?)+
tags = interchange transform translate convert ctime mktime dur2sec mstime memk
usage = public
[convert-ctime]
description = Convert an epoch time to an ascii human readable time. Use timeformat option to specify exact format to convert to.
example1 = ... | convert timeformat="%H:%M:%S" ctime(_time) as timestr
syntax = ctime"("<wc-field>?")"
[convert-dur2sec]
description = Convert a duration format "[D+]HH:MM:SS" to seconds.
example1 = ... | convert dur2sec(xdelay)
example2 = ... | convert dur2sec(*delay)
syntax = dur2sec"("<wc-field>?")"
[convert-function]
syntax = <convert-auto>|<convert-dur2sec>|<convert-mstime>|<convert-memk>|<convert-none>|<convert-num>|<convert-rmunit>|<convert-rmcomma>|<convert-ctime>|<convert-mktime>
[convert-memk]
description = Convert a {KB, MB, GB} denominated size quantity into a KB
example1 = ... | convert memk(VIRT)
syntax = memk"(" <wc-field>? ")"
[convert-mktime]
description = Convert an human readable time string to an epoch time. Use timeformat option to specify exact format to convert from.
example1 = ... | convert mktime(timestr)
syntax = mktime"("<wc-field>?")"
[convert-mstime]
description = Convert a MM:SS.SSS format to seconds.
syntax = mstime"(" <wc-field>? ")"
[convert-none]
description = In the presence of other wildcards, indicates that the matching fields should not be converted.
example1 = ... | convert auto(*) none(foo)
syntax = none"(" <wc-field>? ")"
[convert-num]
description = Like auto(), except non-convertible values are removed.
syntax = num"("<wc-field>? ")"
[convert-rmcomma]
description = Removes all commas from value, e.g. '1,000,000.00' -> '1000000.00'
syntax = rmcomma"("<wc-field>? ")"
[convert-rmunit]
description = Looks for numbers at the beginning of the value and removes trailing text.
example1 = ... | convert rmunit(duration)
syntax = rmunit"(" <wc-field>? ")"
[copyresults-command]
appears-in = 4.0
description = Copies the results of a search to a specified location within the config directory structure. This command is primarily used to populate lookup tables.
example1 = ... | copyresults dest=etc/system/local/lookups/myLookupTable.csv
maintainer = ledion
syntax = copyresults <copyresults-dest-option> <copyresults-sid-option>
usage = internal
[copyresults-dest-option]
description = The destination file where to copy the results to. The string is interpreted as path relative
to SPLUNK_HOME and (1) should point to a .csv file and (2) the file should be located either
in etc/system/lookups/ or etc/apps/<app-name>/lookups/
syntax = dest=<string>
[copyresults-sid-option]
description = The search id of the job whose results are to be copied. Note, the user who is running this
command should have permission to the job pointed by this id.
syntax = sid=<string>
[correlate-command]
appears-in = 3.0
category = reporting
comment1 = Calculate the correlation between all fields.
commentcheat = Calculate the co-occurrence correlation between all fields.
description = Calculates a co-occurrence matrix, which contains the percentage of times that two
fields exist in the same events. The RowField field contains the name of the field considered
for the row, while the other column names (fields) are the fields it is being compared against.
Values are the ratio of occurrences when both fields appeared to occurrences when only one field appeared.
example1 = ... | correlate
examplecheat = ... | correlate
maintainer = steveyz
related = associate, contingency
shortdesc = Calculates the correlation between different fields.
syntax = correlate
tags = associate contingency correlate connect link correspond dependence independence
usage = public
[count-opt]
description = The maximum number of results to return
example = count=10
syntax = count=<int>
[count-option]
description = The number of empty results to generate
syntax = count=<int>
[createrss-command]
appears-in = 3.0
category = alerting
description = If the RSS feed does not exist, it creates one. The arguments are as follow \i\
PATH - the path of the rss feed (no ../ allowed) can be accessed via http://splunk/rss/path \i\
NAME - the name/title of the rss item to add \i\
LINK - link where the rss item points to \i\
DESCR - the description field of the rss item \i\
COUNT - maximum number of items in the rss feed when reached last items is dropped \i\
GRACEFUL - (optional) controls whether on error an exception is raised or simply logged - this is \i\
useful when you don't want createrss to break the search pipeline
maintainer = ledion
related = sendemail
shortdesc = Adds the RSS item into the specified RSS feed.
syntax = createrss path=<string> name=<string> link=<string> descr=<string> count=<int> (graceful=<bool>)?
usage = internal
[datamodel-command]
appears-in = 6.0
category = results::filter
comment1 = Return JSON for all data models available in the current app context.
comment2 = Return JSON for the internal_server data model.
comment3 = Return JSON for the scheduler dataset within the internal_server
data model.
comment4 = Run the search represented by the scheduler dataset within the
internal_server data model.
description = Must be the first command in a search. When used with no
arguments, returns the JSON for all data models available in the
current context. When used with just a modelName, returns the
JSON for a single data model. When used with a modelName and
objectName, returns the JSON for a single data model dataset.
When used with modelName, objectName and 'dm-search-mode', runs
the search for the specified search mode.
example1 = | datamodel
example2 = | datamodel internal_server
example3 = | datamodel internal_server scheduler
example4 = | datamodel internal_server scheduler search
maintainer = aneels
related = from, pivot
shortdesc = Allows users to examine data models and search data model datasets.
syntax = datamodel (<modelName>)? (<objectName>)? (<dm-search-mode>)?
tags = datamodel model pivot
usage = public
[dataset]
syntax = <named-dataset> | <unnamed-dataset>
[dataset-name]
description = dataset name
syntax = <string>
[dataset-type]
description = Type of a named dataset.
syntax = (datamodel|savedsearch|inputlookup)
[daysago]
description = Search the last N days. ( equivalent to startdaysago )
syntax = daysago=<int>
[dbinspect-command]
appears-in = 4.0
category = administrative
comment1 = Display a chart with the span size of 1 day.
description = Returns information about the buckets in the Splunk Enterprise index.
The Splunk Enterprise index is the repository for data from Splunk Enterprise.
As incoming data is indexed, or transformed into events, Splunk Enterprise
creates files of rawdata and metadata (index files). The files reside in sets
of directories organized by age. These directories are called buckets.
When invoked without the bin-span option, information about the buckets
is returned in the following fields:
bucketId, endEpoch, eventCount, guID, hostCount, id, index, modTime, path,
rawSize, sizeOnDiskMB, sourceCount, sourceTypeCount, splunk_server, startEpoch, state,
corruptReason. The corruptReason field only appears when corruptonly=true. \p\
When invoked with a bin span, a table of the spans of each bucket is returned.
example1 = | dbinspect index=_internal span=1d
generating = true
maintainer = meema
related = metadata
shortdesc = Returns information about the buckets in the Splunk Enterprise index.
syntax = dbinspect (<index-opt>)* (<bin-span>|<timeformat>)? (corruptonly=<bool>)?
tags = inspect index bucket
usage = public beta
[debug-command]
appears-in = Madonna
description = This search command can be used to issue debug commands to the system.
example1 = | debug cmd=roll index=_internal
maintainer = brian
shortdesc = Performs a debug command.
syntax = debug cmd=<debug-method> param1=<string> param2=<string> <index-specifier>
tags = debug roll
usage = debug
[debug-method]
description = The available commands for debug command
syntax = optimize|roll|logchange|validate|delete|sync|sleep|rescan
[dedup-command]
appears-in = 3.2
category = results::filter
comment1 = For events that have the same 'source' value, keep the first 3 that occur and remove all subsequent events.
comment2 = Remove duplicates of results with the same source value and sort the events by the '_time' field in ascending order.
comment3 = Remove duplicates of results with the same source value and sort the events by the '_size' field in descending order.
commentcheat = Remove duplicates of results with the same host value.
description = Keep the first N (where N > 0) results for each combination of values for the specified field(s)
The first argument, if a number, is interpreted as N. If this number is absent, N is assumed to be 1.
The optional sortby clause is equivalent to performing a sort command before the dedup command except that it is executed more efficiently. The keepevents flag will keep all events, but for events with duplicate values, remove those fields values instead of the entire event. \p\
Normally, events with a null value in any of the fields are dropped. The keepempty
flag will retain all events with a null value in any of the fields.
example1 = ... | dedup 3 source
example2 = ... | dedup source sortby +_time
example3 = ... | dedup group sortby -_size
examplecheat = ... | dedup host
maintainer = steveyz
related = uniq
shortdesc = Removes events which contain an identical combination of values for selected fields.
syntax = dedup (<int>)? <field-list> (<dedup-keepevents>)? (<dedup-keepempty>)? (<dedup-consecutive>)? (sortby <sort-by-clause>)?
tags = duplicate redundant extra
usage = public beta
[dedup-consecutive]
default = "consecutive=f"
description = Only eliminate events that are consecutively duplicate
syntax = consecutive=<bool>
[dedup-keepempty]
default = "keepempty=f"
description = If an event contains a null value for one or more of the specified fields, the event is either
retained (if keepempty=true) or discarded (default).
syntax = keepempty=<bool>
[dedup-keepevents]
default = "keepevents=f"
description = Keep all events, remove the fields from field-list in the duplication case instead
syntax = keepevents=<bool>
[default]
[delegate-opt]
description = When specifying a savedsearch, this option selects jobs that were started by the given user.
Scheduled jobs will be run by the delegate "scheduler". Dashboard-embedded searches will be
run in accordance with the dispatchAs parameter (typically the owner of the search) for the
savedsearch.
Defaults to scheduler.
example = job_delegate=scheduler
syntax = job_delegate=<string>
[delete-command]
appears-in = 4.0
description = Piping a search to the delete operator marks all the events returned by that search so that they are never returned by any later search. No user (even with admin permissions) will be able to see this data using Splunk.
The delete operator can only be accessed by a user with the "delete_by_keyword" capability. By default, Splunk ships with a special role, "can_delete" that has this capability (and no others). The admin role does not have this capability by default. Splunk recommends you create a special user that you log into when you intend to delete index data.
To use the delete operator, run a search that returns the events you want deleted. Make sure that this search ONLY returns events you want to delete, and no other events. Once you've confirmed that this is the data you want to delete, pipe that search to delete.
Note: The delete operator will trigger a roll of hot buckets to warm in the affected index(es).
maintainer = brian
shortdesc = Deletes (makes irretrievable) events from Splunk indexes.
syntax = delete
tags = delete hide
usage = public
[delim-opt]
default = delim=" "
description = A string used to delimit the original event values in the transaction event fields.
syntax = delim=<string>
[delta-command]
appears-in = 4.0
category = fields::add
comment1 = For each event where 'count' exists, compute the difference between count and its previous value and store the result in 'countdiff'.
comment2 = Compute the difference between current value of count and the 3rd previous value of count and store the result in 'delta(count)'
description = For each event where <field> is a number, compute the difference, in search order, between the current event's value of <field> and a previous event's value of <field> and write this difference into <field:newfield>. If <newfield> if not specified, it defaults to "delta(<field>)" If p is unspecified, the default = 1, meaning the the immediate previous value is used. p=2 would mean that the value before the previous value is used, etc etc etc.
example1 = ... | delta count as countdiff
example2 = ... | delta count p=3
maintainer = steveyz
note = Historical search order is from new events to old events, so values ascending over time will show negative deltas, and vice versa. Realtime search is in the incoming data order, so delta can produce odd values for data which arrives out-of-order from the original data order (eg. when files are acquired out-of-order on forwarders).
related = accum, autoregress, streamstats, trendline
shortdesc = Computes the difference in field value between nearby results.
syntax = delta <field> (as <field:newfield>)? (p=<int>)?
tags = difference delta change distance
usage = public
[diff-command]
appears-in = 3.0
category = formatting
comment1 = Compare the 9th search results to the 10th
commentcheat = Compare the "ip" values of the first and third search results.
default = diff position1=1 position2=2 attribute=_raw header=f context=f
description = Compares a field from two search results, returning the line-by-line 'diff' of the two.
The two search results compared is specified by the two position values (position1 and position2),
hich default to 1 and 2 (i.e., compare the first two results). \p\
By default, the text of the two search results (i.e., the "_raw" field) are compared,
but other fields can be compared, using 'attribute'. \p\
If 'diffheader' is true, the traditional diff headers are created using the source keys
of the two events as filenames. 'diffheader' defaults to false. \p\
If 'context' is true, the output is generated in context-diff format. Otherwise, unified diff format is used.
'context' defaults to false (unified). \p\
If 'maxlen' is provided, it controls the maximum content in bytes diffed from the two events.
It defaults to 100000, meaning 100KB, if maxlen=0, there is no limit.
example1 = ... | diff position1=9 position2=10
examplecheat = ... | diff pos1=1 pos2=3 attribute=ip
maintainer = david
related = set
shortdesc = Returns the difference between two search results.
syntax = diff (position1=<int>)? (position2=<int>)? (attribute=<string>)? (diffheader=<bool>)? (context=<bool>)? (maxlen=<int>)?
tags = diff differentiate distinguish contrast
usage = public
[dispatch-command]
appears-in = 3.2
description = Encapsulates long running, streaming reports. \i\
"id" is the directory in which to place the results relative to $SPLUNK_HOME/var/run/splunk/dispatch.\i\
"maxresults" is the maximum number of final results to return from the search-pipeline\i\
"maxtime" is the maximum time (in seconds) to spend on the search before finalizing\i\
"ttl" represents the number of the seconds the results of the dispatched search-pipeline will live on\i\
disk before being cleaned up\i\
"spawn_process" controls if the search should run in a separate spawned process ( defaults to true ).\i\
"start_time" set the search's start/earliest time\i\
"end_time" set the search's end/latest time\i\
"label" set the search's label
example1 = | dispatch [search | stats count]
example2 = | dispatch id=foo [search | top source]
example3 = | dispatch server1 server2 [search | top host]
maintainer = ssorkin
optout-in = lite, lite_free
syntax = dispatch (ttl=<num>)? (maxresults=<num>)? (maxtime=<num>)? (id=<string>)? (spawn_process=<bool>)? (label=<string>)? (start_time=<num>)? (end_time=<num>)? <server-list> [<search-pipeline>]
usage = internal
[dm-search-execute-mode]
description = The 'search' mode runs the data model search exactly how it is
defined. The 'flat' mode runs the data model search exactly
like 'search' mode, with the exception that it strips the
hierarchical names from the fields in the results. For example,
the 'search' mode result 'dmObject.fieldname' is output simply
as 'fieldname' when the same search is run in 'flat' mode. The
'acceleration_search' mode runs the same search that is
executed when the data model is accelerated. The
acceleration_search' mode only works on root event objects and
root search objects that use only streaming commands.
shortdesc = The available commands for executing a search on a defined
data model and data model object.
syntax = search|flat|acceleration_search
[dm-search-mode]
description = The available commands for searching on a defined data model
and data model object.
syntax = <dm-search-execute-mode>|<dm-search-string-mode>
[dm-search-string-mode]
description = Each of these modes simply outputs the search string that is
run when using the corresponding dm-search-execute-mode.
shortdesc = The available commands for inspecting the search string that
is run by the defined data model and data model object.
syntax = search_string|flat_string|acceleration_search_string
[dump-command]
category = exporting
comment1 = Export all events from the index "bigdata" to the location "YYYYmmdd/HH/host"
at the "$SPLUNK_HOME/var/run/splunk/dispatch/&lt;sid&gt;/dump/" directory on local disk with "MyExport"
as the prefix of export filenames. Partitioning of the export data is achieved by eval preceding the dump command.
comment2 = Export all events from the index "bigdata" to the location "/myexport/host/source" on
local disk with "MyExport" as the prefix of export filenames
description = Runs a given search query and exports events to a set of chunk files on local disk.
This command runs a specified search query and oneshot export search results to local disk
at "$SPLUNK_HOME/var/run/splunk/dispatch/&lt;sid&gt;/dump". It recognizes a special field
in the input events, _dstpath, which if set will be used as a path to be appended to dst
to compute final destination path. \i\
"basefilename" - prefix of the export filename. \i\
"rollsize" - minimum file size at which point no more events are written to the file and \i\
it becomes a candidate for HDFS transfer, unit is "MB", default "64MB". \i\
"compress" - gzip compression level from 0 to 9, 0 means no compression, higher number \i\
means more compression and slower writing speed, default 2. \i\
"format" - output data format, supported values are raw | csv | tsv | json | xml \i\
"fields" - list of splunk event fields exported to export data, invalid fields will be ignored \i\
example1 = index=bigdata | eval _dstpath=strftime(_time, "%Y%m%d/%H") + "/" + host | dump basefilename=MyExport
example2 = index=bigdata | dump basefilename=MyExport
shortdesc = Runs a given search query and export events to a set of chunk files on local disk.
syntax = dump basefilename=<string> (rollsize=<num>)? (compress=<int>)? (format=<string>)? (fields=<comma-delimited-string>)?
usage = internal
[earliesttime]
description = Specify the earliest _time for the time range of your search. You can specify an exact time (earliest="11/5/2016:20:00:00") or a relative time (earliest=-h or earliest=@w0).
syntax = earliest=<time_modifier>
[editinfo-command]
appears-in = 3.x
category = formatting
description = Edit information in SearchResultsInfo.
maintainer = steveyz
optout-in = lite, lite_free
related = editinfo
syntax = editinfo ((keyset|starttime|endtime|msg_error|msg_warn|msg_info|msg_debug)=<string>)*
tags = editinfo
usage = internal
[email_address]
example1 = bob@smith.com
syntax = <string>
[email_list]
example1 = "bob@smith.com, elvis@presley.com"
syntax = <email_address> (, <email_address> )*
[end-opt]
default =
description = A search or eval expression which if satisfied by an event marks the end of a transaction
example1 = endswith="logout"
example2 = endswith=(username=foobar)
example3 = endswith=eval(speed_field > max_speed_field)
example4 = endswith=eval(speed_field > max_speed_field/12)
syntax = endswith=<transam-filter-string>
[enddaysago]
description = A short cut to set the end time. endtime = now - (N days)
syntax = enddaysago=<int>
[endhoursago]
description = A short cut to set the end time. endtime = now - (N hours)
syntax = endhoursago=<int>
[endminutesago]
description = A short cut to set the end time. endtime = now - (N minutes)
syntax = endminutesago=<int>
[endmonthsago]
description = A short cut to set the start time. starttime = now - (N months)
syntax = endmonthsago=<int>
[endtime]
description = All events must be earlier or equal to this time.
syntax = endtime=<string>
[endtimeu]
description = Set the end time to N seconds since the epoch. ( unix time )
syntax = endtimeu=<num>
[erex-command]
appears-in = 4.0
category = fields::add
comment1 = Extracts out values like "7/01", putting them into the "monthday" attribute.
comment2 = Extracts out values like "7/01" and "7/02", but not patterns like "99/2", putting extractions into the "monthday" attribute.
description = Example-based regular expression
extraction. Automatically extracts field values from FROMFIELD
(defaults to _raw) that are similar to the EXAMPLES
(comma-separated list of example values) and puts them in FIELD.
An informational message is output with the resulting regular expression.
That expression can then be used with the REX command for
more efficient extraction. To learn the extraction rule for
pulling out example values, it learns from at most MAXTRAINERS
(defaults to 100, must be between 1-1000).
example1 = ... | erex monthday examples="7/01"
example2 = ... | erex monthday examples="7/01, 07/02" counterexamples="99/2"
maintainer = david
related = extract, kvform, multikv, regex, rex, xmlkv
shortdesc = Automatically extracts field values similar to the example values.
syntax = erex <field> examples=<erex-examples> (counterexamples=<erex-examples>)? (fromfield=<field>)? (maxtrainers=<int>)?
tags = regex regular expression extract
usage = public
[erex-examples]
comment1 = examples are foo and bar
example1 = "foo, bar"
syntax = ""<string>(, <string> )*""
[eval-bool-exp]
syntax = (NOT|!)? (<eval-compare-exp>|<eval-function-call>) ((AND|OR|XOR) <eval-expression>)*
[eval-command]
appears-in = Madonna
category = fields::add
comment1 = Set full_name to the concatenation of first_name, a space, and last_name.
Lowercase full_name. An example of multiple eval expressions, separated by a comma.
comment2 = Set sum_of_areas to be the sum of the areas of two circles
comment3 = Set status to some simple http error codes.
comment4 = Set status to OK if error is 200; otherwise, Error.
comment5 = Set lowuser to the lowercase version of username.
commentcheat = Set velocity to distance / time.
description = Performs an arbitrary expression evaluation, providing mathematical, string, and boolean operations. The results of eval are written to a specified destination field, which can be a new or existing field. If the destination field exists, the values of the field are replaced by the results of eval. The syntax of the expression is checked before running the search, and an exception will be thrown for an invalid expression. For example, the result of an eval statement is not allowed to be boolean. If search time evaluation of the expression is unsuccessful for a given event, eval erases the value in the result field.
example1 = ... | eval full_name = first_name." ".last_name, low_name = lower(full_name)
example2 = ... | eval sum_of_areas = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)
example3 = ... | eval error_msg = case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")
example4 = ... | eval status = if(error == 200, "OK", "Error")
example5 = ... | eval lowuser = lower(username)
examplecheat = ... | eval velocity=distance/time
maintainer = marquardt
related = where
shortdesc = Calculates an expression and puts the resulting value into a field. You can specify to calculate more than one expression.
syntax = eval <eval-field>=<eval-expression> ("," <eval-field>=<eval-expression>)*
tags = evaluate math string bool formula calculate compute abs case cidrmatch coalesce commands exact exp floor if ifnull isbool isint isnotnull isnull isnum isstr len like ln log lower match max md5 min mvappend mvcount mvindex mvfilter mvjoin mvsort mvdedup now null nullif pi pow random relative_time replace round searchmatch sigfig split sqrt strftime strptime substr time tostring trim ltrim rtrim typeof upper urldecode validate
usage = public
[eval-compare-exp]
syntax = (<field>|<string>|<num>) ("<"|">"|"<"=|">"=|!=|=|==|LIKE) <eval-expression>
[eval-concat-exp]
comment = create a new field by concatenating the field first_name, a space character, and the field last_name.
description = concatenate fields and strings
example = first_name." ".last_nameSearch
syntax = ((<field>|<string>|<num>) (. <eval-expression>)*)|((<field>|<string>) (+ <eval-expression>)*)
[eval-expression]
description = A combination of literals, fields, operators, and functions that represent the value of your destination field. The following are the basic operations you can perform with eval. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical. For addition, Splunk can concatenate the two operands if they are both strings. When concatenating values with '.', Splunk treats both values as strings regardless of their actual type.
syntax = <eval-math-exp> | <eval-concat-exp> | <eval-compare-exp> | <eval-bool-exp> | <eval-function-call>
tags = eval evaluate calculate add subtract sum count measure multiply divide where
[eval-field]
description = A field name for your evaluated value.
example = velocity
syntax = <field>
tags = eval evaluate calculate add subtract sum count measure multiply divide
[eval-function]
comment1 = Takes a number and returns its absolute value.
comment10 = Takes three arguments, the first being a boolean expression. The function returns the second argument if it evaluates to true, and the third otherwise.
comment11 = Takes one argument, returning true iff the argument is boolean. There are corresponding functions for numbers (isnum), integers (isint), strings (isstr), and null (isnull).
comment12 = Takes one argument, returning true iff the field is not null. A useful check for whether the field contains a value.
comment13 = Takes one string argument, returning the length of the string. In this example it would return the length of the string in field.
comment14 = Takes two string arguments, returning true iff the first argument is like the SQLite pattern in the second argument. This example returns true if the field value starts with foo.
comment15 = Takes a number and returns its natural log.
comment16 = Takes either one or two numeric arguments, returning the log of the first argument using the base provided by the second argument, in this case log of number base 2. The default base is 10 if the second argument is omitted.
comment17 = Takes one string argument and returns the lowercase version, in this example lowercasing the value provided by the field username. The upper function also exists for returning the uppercase version.
comment18 = Takes two string arguments, and returns true iff the first argument matches the regex provided by the second argument. This example returns true iff field matches the basic pattern of an ip address. Note that the example used ^ and $ to perform a full match.
comment19 = Takes an arbitrary number of number and string arguments and returns the max, with strings being greater than numbers. So this example will return either "foo" or field, depending on the value of field. The corresponding min function also exists.
comment2 = Takes an even number of arguments with arguments 1,3,5, etc. being boolean expressions. The function returns the argument following the first expression that evaluates to true, defaulting to NULL if none are true.
comment20 = Takes one string argument and returns its md5 hash value as a string, in this case returning the hash of field's value.
comment21 = Takes a field argument, returning the number of values if the field is multivalued, one if the field is single valued and has a value, and null otherwise.
comment22 = Takes two or three arguments, the first being a field and the second two being numbers, which returns a subset of the multivalued field using the indexes provided. For mvindex(mvfield, startindex, [endindex]) endindex is inclusive and optional. Both start and endindex can be negative, where -1 = last element, and if endindex is not specified, it returns just the value at startindex. If the indexes are out of range or invalid, the result is null. Since indexes start at zero, this example returns the third value in multifield if it exists.
comment23 = Takes one argument which is a boolean expression that references EXACTLY one field. It returns that multivalued field filtered by the given expression, so this example will return all values of the field email that end in .net or .org.
comment24 = This function tries to find a value in multivalue field X that matches the regular expression REGEX. If a match exists, the index of the first matching value is returned (beginning with zero). If no values match, NULL is returned.
comment25 = Takes no arguments and returns the time that the search was started, in unix time (seconds since epoch).
comment26 = Takes no arguments and returns null, which is how the evaluation engine represents no value. Setting a field to null will clear its value.
comment27 = Takes two arguments, returning the first argument if the arguments are different, and null otherwise.
comment28 = Takes no arguments, returning the pi constant to 11 digits of precision.
comment29 = Takes two numeric arguments, returning x^y
comment3 = This function takes a number and rounds it up to the next highest integer, which in this example is 2.
comment30 = Takes no arguments, returns a pseudo-random number.
comment31 = Takes three arguments - replace(input_string, regex_pattern_to_replace, replacement_string) returns the input string with all instances of the regex pattern replaced with the replacement string. You can also include matched groups in the third argument by escaping the group number matched. The example returns date with the month and day numbers switched, so if the input was 1/12/2009 the return value would be 12/1/2009.
comment32 = Takes one or two numeric arguments, returning the first argument rounded to the amount of decimal places specified by the second. The default is to round to an integer, so the example would return 4. round(2.555, 2) would return 2.56.
comment33 = Takes one argument, which is a search string. The function returns true iff the event matches the search string.
comment34 = Takes one string argument and returns its sha1 hash value based on the FIPS compliant SHA-1 hash function as a string, in this case returning the hash of field's value.
comment35 = Takes one string argument and returns its sha256 hash value based on the FIPS compliant SHA-256 hash function as a string, in this case returning the hash of field's value.
comment36 = Takes one string argument and returns its sha512 hash value based on the FIPS compliant SHA-512 hash function as a string, in this case returning the hash of field's value.
comment37 = Takes one numeric argument and returns its square root, in this example it would be 3.
comment38 = Takes either two or three arguments - the first is a string and the last two are numeric. The function returns a substring of the first argument starting at the index specified by the second argument with the number of characters specified by the third. If a third argument is not given, it returns the rest of the string. The indexes follow SQLite semantics in that they start at 1 and negative indices can be used, which start from the end of the string. The example concatenates "str" and "ing" together, returning "string"
comment39 = Takes one or two arguments, returning a string representation of the first argument with optional formatting for numbers. For numbers you can specify "hex" or "commas" as a second argument to format the number accordingly. The return value for this example is "True 0xF 12,345.68".
comment4 = Takes two arguments, the first being the subnet to match and the second being an ip address. This boolean function returns true if the ip matches the valid subnet, or false otherwise.
comment40 = Takes one or two string arguments, and returns the first string with the characters in the second argument trimmed from both sides. If no second argument is specified, spaces and tabs are trimmed. This example returns "abc". There are also ltrim and rtrim functions for trimming only the left and right sides, respectively.
comment41 = This function enables you to specify a conditional that is obviously true, for example 1==1. You do not specify a field with this function.
comment42 = Takes one argument and returns a string representation of its type. The example result is NumberStringBoolInvalid.
comment43 = Takes one string argument and returns the url decoded. The example result is "http://www.splunk.com/download?r=header".
comment44 = Takes an even number of arguments like case(), with odd arguments being boolean expressions. The even arguments are strings, and the function returns the string corresponding to the first expression that evaluates to false, or null if all checks pass. The example runs a simple check for valid ports.
comment45 = takes a splunk search and returns a multivalued field contain a list of commands used in that search
comment46 = Takes a UTC time as the first argument and a relative time specifier as the second argument and returns the UTC time of that relative time applied to the first arugment.
comment47 = Takes a UTC time as the first argument and renders it as a string using the format specified by the second argument
comment48 = Takes a string time representing and parses it using the format specified by the second argument, returning a UTC time
comment49 = Returns the current wall-clock time with microsecond resolution. Will be different for each event based on when that event was processed by eval.
comment5 = Takes any number of arguments and returns the first value that is not null. The ifnull function does the exact same thing, so both names are acceptable.
comment50 = Join together individual values of a multi-valued field foo using a semicolon as the delimiter
comment51 = Append the value "bar" and the values of field baz to the values of field foo and return as multi-valued. foo and baz could either be multi or single valued field.
comment52 = Split the value(s) of field foo on the delimiter ';' and returns as multi-valued
comment53 = Try to find a value in the multivalued field "mymvfield" matching the regex "err\d+". The index of the first matching value is returned (zero indexed). If no values match, null is returned.
comment54 = Display number with the correct number of significant figures.
comment55 = Extract the data at path "path" from "input". May result in a multivalued field.
comment56 = Combine 2 multivalue fields by stitching together the first value of one field with the first value of another field, then the second with the second, and so forth. Similar to python's zip command
comment57 = create a multivalued field with the values 1,3,5,7,9. The first argument is the starting number, second is ending number (exclusive) and the third number, which is optional is the step increment.
comment58 = Takes a multivalued field as input and returns a multivalued field with its duplicate values removed
comment59 = Takes a multivalued field as input and returns a multivalued field with its values sorted lexicographically
comment6 = Takes a number as its argument, and returns the exact value of the result without truncating for significant figures or precision. Uses double precision.
comment60 = This function computes the arc cosine of X, in the interval [0,pi] radians.
comment61 = This function computes the arc hyperbolic cosine of X, in radians.
comment62 = This function computes the arc sine of X, in the interval [-pi/2,+pi/2] radians.
comment63 = This function computes the arc hyperbolic sine of X, in radians.
comment64 = This function computes the arc tangent of X, in the interval [-pi/2,+pi/2] radians.
comment65 = This function computes the arc tangent of Y, X in the interval [-pi,+pi] radians. Y is a value that represents the proportion of the y-coordinate. X is the value that represents the proportion of the x-coordinate. To compute the value, the function takes into account the sign of both arguments to determine the quadrant.
comment66 = This function computes the arc hyperbolic tangent of X, in radians.
comment67 = This function computes the cosine of an angle of X radians.
comment68 = This function computes the hyperbolic cosine of X radians.
comment69 = This function computes the hypotenuse of a right-angled triangle whose legs are X and Y. The function returns the square root of the sum of the squares of X and Y, as described in the Pythagorean theorem.
comment7 = Takes a number x and returns e^x.
comment70 = This function computes the sine.
comment71 = This function computes the hyperbolic sine.
comment72 = This function computes the tangent.
comment73 = This function computes the hyperbolic tangent.
comment8 = This function enables you to specify a conditional that is obviously false, for example 1==0. You do not specify a field with this function.
comment9 = Takes a number x and returns the floor of x, which in this example is 1.
description = Function used by eval.
example1 = abs(number)
example10 = if(error == 200, "OK", "Error")
example11 = isbool(field)
example12 = isnotnull(field)
example13 = len(field)
example14 = like(field, "foo%")
example15 = ln(bytes)
example16 = log(number, 2)
example17 = lower(username)
example18 = match(field, "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
example19 = max(1, 3, 6, 7, "f"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")oo", field)
example2 = case(error == 404, "Not found", error == 500, "Internal Server Error", error == 200, "OK")
example20 = md5(field)
example21 = mvcount(multifield)
example22 = mvindex(multifield, 2)
example23 = mvfilter(match(email, "\.net$") OR match(email, "\.org$"))
example24 = mvfind(mymvfield, "err\d+")
example25 = now()
example26 = null()
example27 = nullif(fielda, fieldb)
example28 = pi()
example29 = pow(x, y)
example3 = ceiling(1.2)
example30 = random()
example31 = replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
example32 = round(3.5)
example33 = searchmatch("foo AND bar")
example34 = sha1(field)
example35 = sha256(field)
example36 = sha512(field)
example37 = sqrt(9)
example38 = substr("string", 1, 3) + substr("string", -3)
example39 = tostring(1==1) + " " + tostring(15, "hex") + " " + tostring(12345.6789, "commas")
example4 = cidrmatch("123.132.32.0/25", ip)
example40 = trim(" ZZZZabcZZ ", " Z")
example41 = true()
example42 = typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)
example43 = urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")
example44 = validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range")
example45 = commands(searchstr_field)
example46 = relative_time(now(), "-1d@d")
example47 = strftime(_time, "%H:%M")
example48 = strptime(timeStr, "%H:%M")
example49 = time()
example5 = coalesce(null(), "Returned value", null())
example50 = mvjoin(foo, ";")
example51 = mvappend(foo, "bar", baz)
example52 = split(foo, ";")
example53 = mvfind(mymvfield, "err\d+")
example54 = sigfig(number)
example55 = spath(input, path)
example56 = mvzip(hosts, ports)
example57 = mvrange(1,11,2)
example58 = mvdedup(mvfield)
example59 = mvsort(mvfield)
example6 = exact(3.14 * num)
example60 = acos(0)
example61 = acosh(2)
example62 = asin(1)
example63 = asinh(1)
example64 = atan(0.50)
example65 = atan2(0.50, 0.75)
example66 = atanh(0.500)
example67 = cos(-1)
example68 = cosh(1)
example69 = hypot(3,4)
example7 = exp(3)
example70 = sin(1)
example71 = sinh(1)
example72 = tan(1)
example73 = tanh(1)
example8 = false()
example9 = floor(1.9)
syntax = abs|case|ceiling|cidrmatch|coalesce|commands|exact|exp|false|floor|if|ifnull|isbool|isint|isnotnull|isnull|isnum|isstr|len|like|ln|log|lower|match|max|md5|min|mvappend|mvcount|mvdedup|mvindex|mvfilter|mvfind|mvjoin|mvrange|mvsort|mvzip|now|null|nullif|pi|pow|random|relative_time|replace|round|searchmatch|sha1|sha256|sha512|sigfig|spath|split|sqrt|strftime|strptime|substr|time|tostring|trim|ltrim|rtrim|true|typeof|upper|urldecode|validate|tonumber|acos|acosh|asin|asinh|atan|atan2|atanh|cos|cosh|hypot|sin|sinh|tan|tanh
[eval-function-call]
syntax = <eval-function> "(" <eval-expression> ("," <eval-expression>)* ")"
[eval-math-exp]
example = pi() * pow(radius_a, 2) + pi() * pow(radius_b, 2)
syntax = (<field>|<num>) ((+|-|*|/|%) <eval-expression>)*
[evaled-field]
description = A dynamically evaled field
syntax = eval "("<eval-expression>")"
[event-id]
description = a splunk internal event id
syntax = <int>:<int>
[eventcount-command]
appears-in = 4.0
category = reporting
comment1 = Return the number of events in the '_internal' index.
comment2 = Gives event count by each index/server pair.
comment3 = Displays event count over all search peers.
description = Returns the number of events in an index. By default, it summarizes the events across all peers and indexes (summarize is True by default). If summarize is False, it splits the event count by index and search peer. If report_size is True (it defaults to False), then it will also report the index size in bytes. If list_vix is False (it defaults to True) then virtual indexes will not be listed.
example1 = | eventcount index=_internal
example2 = | eventcount summarize=false index=*
example3 = | eventcount
maintainer = igor
shortdesc = Returns the number of events in an index.
syntax = eventcount (<index-opt>)* (summarize=<bool>)? (report_size=<bool>)? (list_vix=<bool>)?
tags = count eventcount
usage = public
[eventstats-command]
appears-in = 3.2
category = reporting
comment1 = Compute the overall average duration and add 'avgdur' as a new field to each event where the 'duration' field exists
comment2 = Same as example1 except that averages are calculated for each distinct value of date_hour and the aggregate value that is added to each event is the aggregate that perhaps to the value of date_hour in that event.
description = Generate summary statistics of all existing fields in your search results and save them as values in new fields. Specify a new field name for the statistics results by using the as argument. If you don't specify a new field name, the default field name is the statistical operator and the field it operated on (for example: stat-operator(field)). Just like the 'stats' command except that aggregation results are added inline to each event, and only the aggregations that are pertinent to that event. The 'allnum' option has the same meaning as that option in the stats command. See stats-command for detailed descriptions of syntax.
example1 = ... | eventstats avg(duration) as avgdur
example2 = ... | eventstats avg(duration) as avgdur by date_hour
maintainer = steveyz
related = stats
shortdesc = Adds summary statistics to all search results.
syntax = eventstats (allnum=<bool>)? (<stats-agg-term>)* (<by-clause>)?
tags = stats statistics event
usage = public
[eventtype-specifier]
description = Search for events that match the specified eventtype
syntax = eventtype(=|!=)<string>
[eventtypetag-specifier]
description = Search for events that would match all eventtypes tagged by the string
syntax = eventtypetag(=|!=)<string>
[extract-command]
alias = kv
appears-in = 3.0
category = fields::add
comment1 = Extract field/value pairs that are defined in the transforms.conf stanza 'access-extractions'.
commentcheat1 = Extract field/value pairs and reload field extraction settings from disk.
commentcheat2 = Extract field/value pairs that are delimited by '|' or ';', and values of fields that are delimited by '=' or ':'.
description = Forces field-value extraction on the result set.
example1 = ... | extract access-extractions
examplecheat1 = ... | extract reload=true
examplecheat2 = ... | extract pairdelim="|;", kvdelim="=:", auto=f
maintainer = ledion
note = Use pairdelims & kvdelim to select how to extract data.
related = kvform, multikv, rex, xmlkv
shortdesc = Extracts field-value pairs from search results.
syntax = extract <extract-options>* <extractor-name>*
tags = extract kv field extract
usage = public
[extract-options]
description = Extraction options.
"segment" specifies whether to note the locations of key/value pairs with the results (internal, false).
"reload" specifies whether to force reloading of props.conf and transforms.conf (false).
"kvdelim" string specifying a list of character delimiters that separate the key from the value
"pairdelim" string specifying a list of character delimiters that separate the key-value pairs from each other
"maxchars" specifies how many characters to look into the event (10240).
"mv_add" whether to create multivalued fields. Overrides MV_ADD from transforms.conf
"clean_keys" whether to clean keys. Overrides CLEAN_KEYS from transforms.conf
"keep_empty_vals" whether to keep KV pairs with empty values. Overrides KEEP_EMPTY_VALS from transforms.conf
example1 = reload=true
syntax = (segment=<bool>)|(reload=<bool>)|(kvdelim=<string>)|(pairdelim=<string>)|(limit=<int>)|(maxchars=<int>)|(mv_add=<bool>)|(clean_keys=<bool>)
[extractor-name]
description = A stanza that can be found in transforms.conf
example1 = access-extractions
note = This is used when props.conf did not explicitly cause an extraction
for this source, sourcetype or host.
syntax = <string>
[featureCollection]
description = This option is used to specify the spatial index; the provided string is the index name.
syntax = <string>
[featureIdField]
description = This option is used to specify the field name, when event contains featureId in a field named something other than "featureId".
syntax = featureIdField=<string>
[fieldformat-command]
category = formatting
comment1 = Specify that the start_time should be rendered by taking the value of start_time (assuming it is an epoch number) and rendering it to display just the hours minutes and seconds corresponding that epoch time.
description = Expresses how to render a field at output time without changing the underlying value.
example1 = fieldformat start_time = strftime(start_time, "%H:%M:%S")
maintainer = steveyz
shortdesc = Specifies how to display field values.
syntax = fieldformat <field> = <eval-expression>
tags = field format
usage = public
[fields-command]
appears-in = 3.0
category = fields::filter
comment1 = Keep only the fields 'source', 'sourcetype', 'host', and all fields beginning with 'error'.
commentcheat1 = Keep only the "host" and "ip" fields, and display them in the order: "host", "ip".
commentcheat2 = Remove the "host" and "ip" fields.
description = Keeps or removes fields based on the field list criteria.
If "+" is specified, only the fields that match one of the fields in the list are kept.
If "-" is specified, only the fields that match one of the fields in the list are removed.
example1 = ... | fields source, sourcetype, host, error*
examplecheat1 = ... | fields host, ip
examplecheat2 = ... | fields - host, ip
maintainer = david
note = "_*" is the wildcard pattern for Splunk internal fields.
This is similar to an SQL SELECT statement.
related = rename
shortdesc = Keeps or removes fields from search results.
syntax = fields ("+"|"-")? <wc-field-list>
tags = fields select columns
usage = public
[fields-opt]
default =
description = DEPRECATED: The preferred usage of transaction is for list of fields to be specified directly as arguments. E.g. 'transaction foo bar' rather than 'transaction fields="foo,bar"'
The 'fields' constraint takes a list of fields. For search results to be members of a transaction, for each
field specified, if they have a value, it must have the same value as other members in that transaction.
For example, a search result that has host=mylaptop can never be in the same transaction as a search result
that has host=myserver, if host is one of the constraints. A search result that does not have a host value,
however, can be in a transaction with another search result that has host=mylaptop, because they are not inconsistent.
example1 = fields=host,cookie
syntax = fields=<string>? (,<string>)*
[fieldsummary-command]
appears-in = 5.0
category = reporting
comment1 = Return summaries for all fields
comment2 = Returns summaries for only fields that start with date_ and return only the top 10 values for each field
description = Generates summary information for all or a subset of the fields. Emits a maximum of maxvals distinct values for each field (default = 100).
example1 = ... | fieldsummary
example2 = ... | fieldsummary maxvals=10 date_*
maintainer = steveyz
related = af, anomalies, anomalousvalue, stats
shortdesc = Generates summary information for all or a subset of the fields.
syntax = fieldsummary (maxvals=<num>)? <wc-field-list>?
usage = public
[file-command]
alias = test
appears-in = 3.x
category = results::read
commentcheat = Display events from the file "messages.1" as if the events were indexed in Splunk.
description = If filename is a file, the file command will read the file as if it was indexed in Splunk. If filename is a directory, file will display the list of files in that directory with the option of adding those to the inputs.
examplecheat = | file /var/log/messages.1
maintainer = brian
related = inputcsv
shortdesc = Processes the given file as if it were indexed.
syntax = file <filename>
tags = file index read open preview test input
usage = public
[filldown-command]
appears-in = 4.2
category = fields::modify
comment = Filldown null values for all fields
comment1 = Filldown null values for the count field only
comment2 = Filldown null values for the count field and any field that starts with 'score'
description = Replace null values with the last non-null value for a field or set of fields.
If no list of fields is given, filldown will be applied to all fields.
If there were not any previous values for a field, it will be left blank (null).
example = ... | filldown
example1 = ... | filldown count
example2 = ... | filldown count score*
maintainer = steveyz
related = fillnull
shortdesc = Replace null values with the last non-null value.
syntax = filldown (<wc-field-list>)?
tags = empty default
usage = public
[fillnull-command]
appears-in = 3.0
category = fields::modify
comment = Build a time series chart of web events by host and fill all empty fields with NULL.
comment1 = For the current search results, fill all empty fields with zero.
comment2 = For the current search results, fill all empty fields with NULL.
comment3 = For the current search results, fill all empty field values of "foo" and "bar" with NULL.
description = Replaces null values with a user specified value (default "0").
Null values are those missing in a particular result, but
present for some other result. If a field-list is provided, fillnull
is applied to only fields in the given list (including any fields that
does not exist at all). Otherwise, applies to all existing fields.
example = sourcetype="web" | timechart count by host | fillnull value=NULL
example1 = ... | fillnull
example2 = ... | fillnull value=NULL
example3 = ... | fillnull value=NULL foo bar
maintainer = steveyz
related = eval
shortdesc = Replaces null values with a specified value.
syntax = fillnull (value=<string>)? (<field-list>)?
tags = empty default
usage = public
[findkeywords-command]
appears-in = 6.2
category = reporting
description = Typically run after the "cluster" command or similar. Takes a set of results with a field
("labelfield") that supplies a partition of the results into a set of groups. The command
then derives a search to generate each of these groups, which may be saved as an event type
if applicable.
example1 = ... | findkeywords labelfield=foo
example2 = ... | findkeywords labelfield=foo dedup=true
maintainer = aneels
related = cluster findtypes
shortdesc = Given some integer labeling of events into groups, finds searches to generate those groups.
syntax = findkeywords labelfield=<field> (dedup=<bool>)?
tags = findkeywords cluster patterns findtypes
usage = internal
[findtypes-command]
appears-in = 4.0.5
category = results::group
commentcheat = Discover 50 common event types and add support for looking at text phrases
description = Takes previous search results, and produces a list of
promising searches that may be used as event types. Returns up to MAX
event types, defaulting to 10. If the "notcovered" keyword is
specified, then event types that are already covered by other
eventtypes are not returned. At most 5000 events are analyzed for
discovering event types. If the "useraw" keyword is specified, then
phrases in the _raw text of the events is used for generating event
types.
examplecheat = ... | findtypes max=50 useraw
maintainer = david
note = replacement for typelearner
related = typer,typelearner
shortdesc = Generates suggested event types.
syntax = findtypes max=<int> notcovered? useraw?
tags = eventtype typer discover search classify
usage = public
[folderize-command]
category = results::group
description = Replaces the "attr" attribute value with a more generic value, which is the result of grouping it with other values from other results, where grouping happens via tokenizing the attr value on the sep separator value. For example, it can group search results, such as those used on the Splunk homepage to list hierarchical buckets (e.g. directories or categories). Rather than listing 200 sources on the Splunk homepage, folderize breaks the source strings by a separator (e.g. "/"), and determines if looking at just directories results in the number of results requested. The default "sep" separator is "::"; the default size attribute is "totalCount"; the default "minfolders" is 2; and the default "maxfolders" is 20.
example1 = | metadata type=sources | folderize maxfolders=20 attr=source sep="/"| sort totalCount d
maintainer = david
related = bucketdir
shortdesc = Replaces "attr" with higher-level grouping, such as replacing filenames with directories.
syntax = folderize attr=<string> (sep=<string>)? (size=<string>)? (minfolders=<int>)? (maxfolders=<int>)?
tags = cluster group collect gather
usage = deprecated
[footer-option]
default = 'If you believe you've received this email in error,
please see your Splunk administrator.\r\n\r\nsplunk > the engine for
machine data.'
description = Specify an alternate email footer.
syntax = footer=<string>
[foreach-command]
appears-in = 6.0
category = search::subsearch
comment1 = add together all fields with a name that starts with "test" into a total field (result should be total=6)
comment2 = for each field that matches foo*, add it to the corresponding bar* field and write to a new_* field (e.g. new_X = fooX + barX)
comment3 = equivalent to: eval foo="foo" | eval bar="bar" | eval baz="baz"
comment4 = for the field fooAbarX, this would be to equivalent to: eval fooAbarX = "X"
description = Run a templated streaming subsearch for each field in a wildcarded field list. For each field that is matched, the templated subsearch will have the following patterns replaced: \i\
option default replacement \i\
fieldstr <<FIELD>> whole field name \i\
matchstr <<MATCHSTR>> part of field name that matches wildcard(s) in the specifier \i\
matchseg1 <<MATCHSEG1>> part of field name that matches first wildcard \i\
matchseg2 <<MATCHSEG2>> part of field name that matches second wildcard \i\
matchseg3 <<MATCHSEG3>> part of field name that matches third wildcard
example1 = ... | eval total=0 | eval test1=1 | eval test2=2 | eval test3=3 | foreach test* [eval total=total + <<FIELD>>]
example2 = ... | foreach foo* [eval new_<<MATCHSTR>> = <<FIELD>> + bar<<MATCHSTR>>]
example3 = ... | foreach foo bar baz [eval <<FIELD>> = "<<FIELD>>"]
example4 = ... | foreach foo*bar* fieldstr="#field#" matchseg2="#matchseg2#" [eval #field# = "#matchseg2#"]
maintainer = steveyz
related = eval
shortdesc = Run a templatized streaming subsearch for each field in a wildcarded field list.
syntax = foreach (<wc-field>)+ (fieldstr=<string>)? (matchstr=<string>)? (matchseg1=<string>)? (matchseg2=<string>)? (matchseg3=<string>)? <subsearch>
tags = subsearch eval computation wildcard fields
usage = public
[format]
description = Specify a parameterized expression with $AGG$ and $VAL$ to construct the output
field names when multiple data series are used along with a split-by field. Replaces
$AGG$ with the stats aggregator and function and $VAL$ with the value of the
split-by-field. Takes precedence over sep.
syntax = format=<string>
[format-command]
appears-in = 3.0
category = search::subsearch
comment1 = Get the top 2 results. Create a search from the host, source and sourcetype fields. Use the specified format values.
[ [ host="mylaptop" && source="syslog.log" && sourcetype="syslog" ] || [ host="bobslaptop" && source="bob-syslog.log" && sourcetype="syslog" ] ]
comment2 = Get the top 2 results. Create a search from the host, source and sourcetype fields. Use the default format values. The result is a single result in a new field called "search":
( ( host="mylaptop" AND source="syslog.log" AND sourcetype="syslog" ) OR ( host="bobslaptop" AND source="bob-syslog.log" AND sourcetype="syslog" ) )
comment3 = Change the number of results inline with your search by appending the format command to the end of your subsearch.
description = This command is used implicitly by subsearches. This command takes the results
of a subsearch, formats the results into a single result and places that result
into a new field called search.
The mvsep argument is the separator for multivalue fields. The default
separator is OR.
The maxresults argument is the maximum number of results to return. The default
is 0, which means no limit on the number returned.
The six row and column arguments default to: \"(" \"(" \"AND" ")" \"OR" \")"
example1 = ... | head 2 | fields source, sourcetype, host | format "[" "[" "&&" "]" "||" "]"
example2 = ... | head 2 | fields source, sourcetype, host | format
example3 = ... | format maxresults = <int>
maintainer = david
related = search
shortdesc = Takes the results of a subsearch and formats them into a single result.
syntax = format (mvsep="<mv separator>")? (maxresults=<int>)? (<row-prefix> <column-prefix> <column-separator> <column-end> <row-separator> <row end>)?
tags = format query subsearch
usage = public
[format-option]
default = Refer to the email.format in the alert_actions.conf file.
description = Specifies how to format inline results.
syntax = format=csv | table | raw
[from-command]
appears-in = 6.4.0
category = results::filtering
comment1 = Search a built-in data model that is an internal server log for
REST API calls.
comment2 = Retrieve data using a saved search.
comment3 = Specify a dataset name that contains spaces.
comment4 = Retrieve data from a lookup file. Search the contents of the KV
store collection kvstorecoll that have a CustID value greater
than 500 and a CustName value that begins with the letter P.
description = The from command retrieves data from a named dataset, saved
search, report, CSV lookup file, or KV store lookup file. The
from command is a generating command and should be the first
command in the search. Generating commands use a leading pipe
character.
example1 = | from datamodel:"internal_server.splunkdaccess"
example2 = | from savedsearch:mysecurityquery
example3 = | from savedsearch:"Top five sourcetypes"
example4 = | from inputlookup:kvstorecoll_lookup | where (CustID>500) AND (CustName="P*") | stats count
maintainer = aandrade
related = savedsearch, inputlookup, datamodel
shortdesc = Retrieves data from a named dataset, saved search, report, or
lookup file. Must be the first command in a search.
syntax = from <dataset-type>:<dataset-name>
tags = dataset
usage = public
[from-option]
default = splunk@<hostname>
description = Email address from line.
syntax = from=<email_list>
[gauge-command]
appears-in = 4.2
category = reporting
comment1 = Use the value of the count field as the gauge value and have 4 regions to the gauge (0-25,25-50,50-75,75-100)
description = Transforms results into a format suitable for display by the Gauge chart types. Each argument must be a real number or the name of a numeric field. Numeric field values will be taken from the first input result, the remainder are ignored. The first argument is the gauge value and is required. Each argument after that is optional and defines a range for different sections of the gauge. If there are no range values provided, the gauge will start at 0 and end at 100. If two or more range values are provided, The gauge will begin at the first range value, and end with the final range value. Intermediate range values will be used to split the total range into subranges which will be visually distinct. A single range value is meaningless and will be treated identically as no range values.
example1 = ... | gauge count 0 25 50 75 100
maintainer = steveyz
related = eval stats
shortdesc = Transforms results into a format that can be displayed by the Gauge chart types.
syntax = gauge (<num>|<field>) ((<num>|<field>)+)?
tags = stats format display chart dial
usage = public
[gentimes-command]
appears-in = 3.2
category = results::generate
comment1 = All daily time ranges from oct 25 till today
comment2 = All daily time ranges from 30 days ago until 27 days ago
comment3 = All daily time ranges from oct 1 till oct 5
comment4 = All HOURLY time ranges from oct 1 till oct 5
description = Generates time range results. This command is useful in conjunction with the 'map' command.
example1 = | gentimes start=10/25/07
example2 = | gentimes start=-30 end=-27
example3 = | gentimes start=10/1/07 end=10/5/07
example4 = | gentimes start=10/1/07 end=10/5/07 increment=1h
generating = true
maintainer = david
related = map
shortdesc = Generates time range results.
syntax = gentimes start=<timestamp> (end=<timestamp>)? (increment=<increment>)?
tags = time timestamp subsearch range timerange
usage = public beta
[geom-command]
appears-in = 6.3
category = reporting
comment1 = When no arguments are provided, geom command looks for a column named "featureCollection" and a column named "featureId" in the event. These commands are present in the default output from a Lookup on the given geoindex.
comment2 = This case specifies spatial index name to "geo_us_states".
comment3 = This case specifies featureId to "state" field in event.
comment4 = When allFeatures is used, additional rows are appended for each feature that is not already present in the search results.
description = Geom command can generate polygon geometry in JSON style, for UI visualization. This command depends on lookup having been installed with external_type=geo.
example1 = ...| geom
example2 = ...| geom "geo_us_states"
example3 = ...| geom "geo_us_states" featureIdField="state"
example4 = ...| geom "geo_us_states" allFeatures=true
maintainer = ghendrey
related = geomfilter, lookup
shortdesc = Used for choropleth map's UI visualization.
syntax = geom (<featureCollection>)? (<allFeatures>)? (<featureIdField>)? (gen=<num>)? <min_x>? <min_y>? <max_x>? <max_y>?
tags = choropleth map
usage = public
[geomfilter-command]
appears-in = 6.3
category = reporting
comment1 = This case uses the default bounding box, which will clip the whole map.
comment2 = This case clips half of the whole map.
default = "min_x=-180 min_y=-90 max_x=180 max_y=90"
description = Geomfilter command accepts 2 points that specify a bounding box for clipping choropleth map; points fell out of the bounding box will be filtered out.
example1 = ...| geomfilter
example2 = ...| geomfilter min_x=-90 min_y=-90 max_x=90 max_y=90
maintainer = ghendrey
related = geom
shortdesc = Geomfilter command is for choropleth map's clipping feature.
syntax = geomfilter <min_x>? <min_y>? <max_x>? <max_y>?
tags = choropleth map
usage = public
[geostats-command]
appears-in = 6.0
category = reporting
comment1 = compute the average rating for each gender after clustering/grouping the events by "eventlat" and "eventlong" values.
comment2 = cluster events by default latitude and longitude fields "lat" and "lon" respectively. Calculate the count of such events
comment3 = take events from apache logs, use iplocation to geocode the ip addresses of the client, and then cluster the events based on how many are happening in each hour of the day.
description = Use the geostats command to compute statistical functions suitable for rendering on
a world map. First, the events will be clustered based on latitude and longitude
fields in the events. Then, the statistics will be evaluated on the generated
clusters, optionally grouped or split by fields using a by-clause.\p\
For map rendering and zooming efficiency, geostats generates clustered stats at a
variety of zoom levels in one search, the visualization selecting among them. The
quantity of zoom levels can be controlled by the options
binspanlat/binspanlong/maxzoomlevel. The initial granularity is selected by
binspanlat together with binspanlong. At each level of zoom, the number of bins
will be doubled in both dimensions (a total of 4x as many bins for each zoom-in).
example1 = ... | geostats latfield=eventlat longfield=eventlong avg(rating) by gender
example2 = ... | geostats count
example3 = sourcetype = access_combined_wcookie | iplocation clientip | geostats count by date_hour
maintainer = arahut
related = stats, xyseries, chart
shortdesc = Generate statistics which are clustered into geographical bins to be rendered on a world map.
syntax = geostats (translatetoxy=<bool>)? (latfield=<string>)? (longfield=<string>)? (outputlatfield=<string>)? (outputlongfield=<string>)? (globallimit=<int>)? (locallimit=<int>)? (binspanlat=<float> binspanlong=<float>)? (maxzoomlevel=<int>)? (<stats-agg-term>)* (<by-clause>)?
tags = stats statistics
usage = public
[get-arg-name]
description = Optional, HTTP GET argument name
syntax = <string>
[get-arg-value]
description = Optional, HTTP GET argument value
syntax = <string>
[globallimit]
description = Controls the number of named categories to add to each pie-chart. When used with
count and additive statistics, there will be one additional category called "OTHER"
which groups all other split-by values. Setting globallimit=0 removes all limits and
renders all categories. Defaults to 10.
syntax = globallimit=<int>
[graceful-option]
default = false
description = If set to true, no error is thrown, if email sending fails and thus the search pipeline continues execution as if sendemail was not there.
syntax = graceful=<bool>
[grouping-field]
default = punct
description = By default, the typelearner initially groups events by the value of the grouping-field, and then further unifies and merges those groups, based on the keywords they contain. The default grouping field is "punct" (the punctuation seen in _raw).
example1 = host
syntax = <field>
[grouping-maxlen]
default = 15
description = determines how many characters in the grouping-field value to look at. If set to negative, the entire value of the grouping-field value is used to initially group events
example1 = maxlen=30
syntax = maxlen=<int>
[head-command]
appears-in = 3.2
category = results::order
comment1 = Return events until the time span of the data is >= 100 seconds
commentcheat = Return the first 20 results.
description = Returns the first n results, or 10 if no integer is specified.
New for 4.0, can provide a boolean eval expression, in which case we return events until that expression evaluates to false.
example1 = ... | streamstats range(_time) as timerange | head (timerange<100)
examplecheat = ... | head 20
maintainer = steveyz
related = reverse, tail
shortdesc = Returns the first n number of specified results.
syntax = head ((<int>)|("("<eval-expression>")"))? (limit=<int>)? (null=<bool>)? (keeplast=<bool>)?
tags = head first top leading latest
usage = public beta
[highlight-command]
alias = hilite
appears-in = 3.2
category = formatting
comment2 = Highlight the text sequence "access denied".
commentcheat = Highlight the terms "login" and "logout".
description = Causes each of the space separated or comma-separated strings provided to be highlighted by the splunk web UI.
These strings are matched case insensitively.
example2 = ... | highlight "access denied"
examplecheat = ... | highlight login,logout
maintainer = sorkin
related = iconify, abstract
shortdesc = Causes UI to highlight selected strings.
simplesyntax = highlight (<string>)+
syntax = highlight (<string>)+
tags = ui search
usage = public
[history-command]
appears-in = 4.2
category = results::read
comment = Returns a history of searches as a table
description = Returns information about searches that the current user has run.
By default, the search strings are presented as a field called "search".
If events=true, then the search strings are presented as the text of the
events, as the _raw field.
example = | history
generating = true
maintainer = steveyz
related = search
shortdesc = Returns a history of searches, either as events or as non-event results (default).
syntax = history (events=<bool>)?
tags = history search
usage = public
[host-specifier]
description = Search for events from the specified host
syntax = host(=|!=)<string>
[hosttag-specifier]
description = Search for events that have hosts that are tagged by the string
syntax = hosttag(=|!=)<string>
[hoursago]
description = Search the last N hours. ( equivalent to starthoursago )
syntax = hoursago=<int>
[iconify-command]
appears-in = 4.0
category = formatting
comment1 = Displays an different icon for each eventtype.
comment2 = Displays an different icon for each process id.
comment3 = Displays an different icon for url and ip combination.
description = Causes the UI to make a unique icon for each value of the fields listed.
example1 = ... | iconify eventtype
example2 = ... | iconify pid
example3 = ... | iconify url ip
maintainer = david
related = highlight, abstract
syntax = iconify <field-list>
tags = ui search icon image
usage = public
[ignore-running-opt]
description = Skip over artifacts whose search is still running (default: true)
example = ignore_running=false
syntax = ignore_running=<bool>
[increment]
comment1 = 1 hour
example1 = 1h
syntax = <int:increment>(s|m|h|d)?
[index-expression]
syntax = \"<string>\"|<term>|<search-modifier>
[index-opt]
description = Search the specified index instead of the default index.
example = index=_internal
syntax = index=<string>
[index-specifier]
description = Search the specified index instead of the default index
syntax = index(=|!=)<string>
[indexearliest]
description = Specify the earliest _indextime for the time range of your search. You can specify an exact time (_index_earliest="11/5/2016:20:00:00") or a relative time (_index_earliest=-h or _index_earliest=@w0).
syntax = _index_earliest=<time_modifier>
[indexlatest]
description = Specify the latest _indextime for the time range of your search. You can specify an exact time (_index_latest="11/5/2016:20:00:00") or a relative time (_index_latest=-h or _index_latest=@w0).
syntax = _index_latest=<time_modifier>
[inline-option]
default = Refer to the email.inline in the alert_actions.conf file.
description = Specifies whether to send the results in the message body or as an attachment.
syntax = inline=<bool>
[input-command]
appears-in = 3.2-Britney
category = index::add
comment2 = Remove all csv files that are currently being processed
description = Adds or removes (disables) sources from being processed by splunk, enabling or disabling inputs in inputs.conf, with optional sourcetype and index settings. Any additional attribute=values are set added to inputs.conf. Changes are logs to $SPLUNK_HOME/var/log/splunk/inputs.log.
example2 = | search source=*csv | input remove
maintainer = david
shortdesc = Adds or disables sources from being processed by Splunk.
syntax = input (add|remove) (sourcetype=<string>)? (index=<string>)? (<string>=<string>)*
tags = input index
usage = public
[input-option]
description = Override settings from input.conf.
example1 = root=/home/bob
syntax = <string>=<string>
[inputcsv-command]
appears-in = 3.2
category = results::read
comment1 = Read in events from the CSV file: "$SPLUNK_HOME/var/run/splunk/csv/foo.csv".
comment2 = Read in events 101 to 600 from either file 'bar' (if exists) or 'bar.csv'.
comment3 = Same as example1 except that the events are filtered to where foo is greater than 2 or bar equals 5
commentcheat = Read in results from the CSV file: "$SPLUNK_HOME/var/run/splunk/csv/all.csv", keep any that contain the string "error", and save the results to the file: "$SPLUNK_HOME/var/run/splunk/csv/error.csv"
description = Populates the results data structure using the given csv file, which is not modified. The filename must refer to a relative path in $SPLUNK_HOME/var/run/splunk/csv (if dispatch option is set to true, filename refers to a file in the job directory in $SPLUNK_HOME/var/run/splunk/dispatch/<job id>/). If the specified file does not exist and the filename did not have an extension, then filename with a ".csv" extension is assumed. \i\
The optional argument 'start' controls the 0-based offset of the first event to be read (default=0). The optional argument 'max' controls the maximum number of events to be read from the file (default = 1000000000). 'events' is an option that allows the imported results to be treated as events, i.e., so that a proper timeline and fields picker are displayed. If 'append' is set to true (false by default), the data from the csv file is appended to the current set of results rather than replacing it.
example1 = | inputcsv foo.csv
example2 = | inputcsv start=100 max=500 bar
example3 = | inputcsv foo.csv where foo>2 OR bar=5
examplecheat = | inputcsv all.csv | search error | outputcsv errors.csv
generating = true
maintainer = steveyz
note = 'keeptempdir' is a debugging option, that if true, retains the temporary directory that the given file is copied into for manipulation by the search pipeline. This option should not be mentioned in the external documentation or typeahead.
related = outputcsv
shortdesc = Loads search results from the specified CSV file.
syntax = inputcsv (dispatch=<bool>)? (append=<bool>)? (start=<int>)? (max=<int>)? (events=<bool>)? <filename> (WHERE <string:search-query>)?
tags = input csv load read
usage = public
[inputlookup-command]
appears-in = 4.0
category = results::read
comment1 = Read in "users.csv" lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups).
comment2 = Read in "usertogroup" lookup table (as specified in transforms.conf).
comment3 = Same as example2 except that the data from the lookup table is appended to any current results.
comment4 = Same as example2 except that the data from the lookup table is filtered to where foo is greater than 2 or bar equals 5 before returned.
comment5 = Read in a geospatial lookup table. This can be used to show all geographic features on a Choropleth map.
description = Reads in lookup table as specified by a filename (must end with .csv or .csv.gz) or a table name (as specified by a stanza name in transforms.conf).
If 'append' is set to true (false by default), the data from the lookup file is appended to the current set of results rather than replacing it.
example1 = | inputlookup users.csv
example2 = | inputlookup usertogroup
example3 = | inputlookup append=t usertogroup
example4 = | inputlookup usertogroup where foo>2 OR bar=5
example5 = | inputlookup geo_us_states
generating = true
maintainer = steveyz
optout-in = lite, lite_free
related = inputcsv, join, lookup, outputlookup
shortdesc = Loads search results from a specified static lookup table.
syntax = inputlookup (append=<bool>)? (start=<int>)? (max=<int>)? (<filename>|<string:tablename>) (where <string:search-query>)?
tags = lookup input table
usage = public
[internalinputcsv-command]
appears-in = 3.2
description = Reads in events from <filename> but does not do as much error checking and will not collapse into
multiple files if the filename is too large. Internal debugging operator.
example1 = | internalinputcsv foo.csv
generating = true
maintainer = steveyz
optout-in = lite, lite_free
syntax = internalinputcsv <filename>
usage = internal
[ip-address-fieldname]
description = The name of the field that contains the IP address.
syntax = <field>
[iplocation-command]
appears-in = 6.x
category = fields::add
commentcheat = Add location information (based on IP address).
description = The ip-address field in ip-address-fieldname is looked up in a database and location fields
information is added to the event. The fields are City, Continent, Country, MetroCode,
Region, Timezone, lat(latitude) and lon(longitude).
Not all of the information is available for all ip address ranges, and hence it is
normal to have some of the fields empty.
The Continent, MetroCode, and Timezone are only added if allfields=true (default is false).
prefix=string will add a certain prefix to all fieldnames if you desire to uniquely qualify
added field names and avoid name collisions with existing fields (default is NULL/empty string).
The lang setting can be used to render strings in alternate languages (for example "lang=es"
for spanish) The set of languages depends on the geoip database in use. The special language
"lang=code" will return fields as abbreviations where possible.
example1 = sourcetype = access_combined_* | iplocation clientip
example2 = sourcetype = access_combined_* | iplocation allfields=true clientip
example3 = sourcetype = access_combined_* | iplocation prefix=iploc_ allfields=true clientip
examplecheat = ... | iplocation clientip
maintainer = arahut
shortdesc = Extracts location information from IP addresses using 3rd-party databases.
syntax = iplocation (prefix=<string>)? (allfields=<bool>)? (lang=<string>)? <ip-address-fieldname>
tags = ip location city geocode
usage = public
[join-command]
appears-in = 3.3
category = results::append
comment1 = Joins previous result set with results from 'search vendors', on
the product_id field common to both result sets.
comment2 = Joins previous result set with results from 'search vendors', on
the product_id field forced to be common to both result sets.
comment3 = Joins previous result set with results from 'search vendors', on
the product id field represented by field names that do match in
the two result sets.
comment4 = Joins previous result set with results from a built-in data model
that is an internal server log for REST API calls.
description = You can perform an inner or left join. Use either 'outer' or
'left' to specify a left outer join. One or more of the fields
must be common to each result set. If no fields are specified,
all of the fields that are common to both result sets are used.
Limitations on the join subsearch are specified in the
limits.conf.spec file. Note: Another command, such as append or
lookup, in combination with either stats or transaction might
be a better alternative to the join command for flexibility and
performance. \p\
The arguments 'left' and 'right' allow for specifying aliases
in order to preserve the lineage of the fields in both result
sets. The 'where' argument specifies the aliased fields to join
on, where the fields are no longer required to be common to both
result sets. \p\
maintainer = steveyz
example1 = ... | join product_id [search vendors]
example2 = ... | join product_id [search vendors | rename pid AS product_id]
example3 = ... | join left=L right=R WHERE L.product_id=R.pid [search vendors]
example4 = ... | join datamodel:"internal_server.splunkdaccess"
related = append, lookup, appendcols, lookup, selfjoin, transaction
shortdesc = Use to combine the results of a subsearch with the results of a
main search.
syntax = join (<join-options>)* <join-constraints> <dataset>
tags = join combine unite append csv lookup inner outer left
usage = public
[join-constraints]
description = List of fields to join on with optional aliasing.
syntax = <field-list> | (left=<leftalias>)? (right=<rightalias>)? WHERE <join-equalities>
[join-equalities]
description = Join on aliased fields from corresponding result sets.
syntax = <leftalias>.<field>=<rightalias>.<field> (<leftalias>.<field>=<rightalias>.<field>)*
[join-options]
description = Options to the join command. In both inner and left joins,
events that match are joined. The results of an inner join do
not include events from the main search that have no matches in
the subsearch. The results of a left (or outer) join include
all of the events from the main search, and any of the events
from the subsearch that have matching values in the main
search. The usetime option specifies whether to limit matches
to subresults that are earlier or later than the main result
to join with. The earlier option is only valid when
usetime=true. The default for usetime is false. The overwrite
option indicates if fields from the subresults should overwrite
those from the main result if they have the same field name.
The default for overwrite is true. The max option specifies
the maximum number of subresults each main result can join
with. The default for max is 1. Specify 0 to indicate there is
no limit. \p\
default = type=inner | usetime=false | earlier=true | overwrite=true | max=1
example1 = type=outer
example2 = usetime=t
example3 = usetime=t earlier=f
example4 = overwrite=f
example5 = max=3
syntax = type=(inner|outer|left) | usetime=<bool> | earlier=<bool> | overwrite=<bool> | max=<int>
[keepevicted-opt]
default = false
description = Whether to output evicted transactions. Evicted transactions can be distinguished from non-evicted transactions by checking the value of the 'closed_txn' field, which is set to '0' for evicted transactions and '1' for closed ones. A transaction is evicted from memory when the memory limitations are reached.
syntax = keepevicted=<bool>
[keeporphans-opt]
default = keeporphans=f
description = Whether the transaction command should output the results that are not part of any transactions.
The results that are passed through as "orphans" can be distinguished from transactions by looking
at the _txn_orphan field, which is set to 1 for orphan results.
syntax = keeporphans=<bool>
[key-list]
description = a list of keys that are ANDed to provide a filter for surrounding command
syntax = (<string> )*
[kmeans-centroids]
default = "showcentroid=true"
description = Expose the centroid centers in the search results if showcentroid is true; don't if false.
syntax = showcentroid=<bool>
[kmeans-cnumfield]
default = "cfield=CLUSTERNUM"
description = Controls the field name for the cluster number for each event
syntax = cfield=<field>
[kmeans-command]
appears-in = 3.0
category = results::group
comment1 = Group results into 2 clusters based on the values of all numerical fields.
commentcheat = Group search results into 4 clusters based on the values of the "date_hour" and "date_minute" fields.
description = Performs k-means clustering on select fields (or all numerical fields if empty). Events in the same cluster are
moved next to each other. You have the option to display the cluster number for each event. The centroid of each cluster is also
be displayed (with an option to disable it).
example1 = ... | kmeans
examplecheat = ... | kmeans k=4 date_hour date_minute
maintainer = steveyz
related = anomalies, anomalousvalue, cluster, outlier
shortdesc = Performs k-means clustering on selected fields.
syntax = kmeans (<kmeans-options> )* (<field-list>)?
tags = cluster group collect gather
usage = public
[kmeans-distype]
default = "dt=L2NORM"
description = Distance metric to use (L1/L1NORM equivalent to CITYBLOCK). L2NORM equivalent to SQEUCLIDEAN
simplesyntax = dt=(l1norm|l2norm|cityblock|sqeuclidean|cosine)
syntax = dt=(l1|l1norm|cityblock|cb|l2|l2norm|sq|sqeuclidean|cos|cosine)
[kmeans-iters]
default = "maxiters=10000"
description = Maximum number of iterations allowed before failing to converge
syntax = maxiters=<int>
[kmeans-k]
default = "k=2"
description = Number of initial clusters to use. If specified as a range, clustering will be performed for each
count of clusters in the range, and a summary of the result of each run will be provided expressing
the size of the clusters, and the 'distortion', which describes a kind of non-fittedness of the data.
Distortion is the sum of the squared distances between each item and its cluster center.
syntax = k=<int>(-<int>)?
[kmeans-options]
description = Options for kmeans command
syntax = <kmeans-reps>|<kmeans-iters>|<kmeans-t>|<kmeans-k>|<kmeans-cnumfield>|<kmeans-distype>|<kmeans-centroids>
[kmeans-reps]
default = "reps=10"
description = Number of times to repeat kmeans using random starting clusters
syntax = reps=<int>
[kmeans-t]
default = "t=0"
description = Algorithm convergence tolerance
syntax = t=<num>
[kvform-command]
appears-in = 4.0
category = fields::add
comment1 = Extract values from "eventtype.form" if the file exists.
description = Extracts key/value pairs from events based on a form
template that describes how to extract the values. If FORM is specified,
it uses an installed <FORM>.form file found in the splunk configuration form directory.
For example, if "form=sales_order", would look for a "sales_order.form"
file in the 'forms' subdirectory in all apps, e.g. $SPLUNK_HOME$/etc/apps/*/forms/.
All the events processed would
be matched against that form, trying to extract values.\p\
If no FORM is specified, then the FIELD value determines the name of the field to
extract. For example, if "field=error_code", then an event that has an error_code=404,
would be matched against a "404.form" file.\p\
The default value for FIELD is "sourcetype", thus by default kvform will look for
<SOURCETYPE>.form files to extract values.\p\
A .form file is essentially a text file or all static parts of a form,
interspersed with named references to regular expressions, of the type found in
transforms.conf. A .form might might look like this:\i\
Students Name: [[string:student_name]] \i\
Age: [[int:age]] Zip: [[int:zip]] .
example1 = ... | kvform field=eventtype
maintainer = david
note = Multiple whitespaces, including blanklines are removed from matching, which could be merged into kv to be called automatically, having no cost if the needed .form file is not found.
related = extract, multikv, rex, xmlkv
shortdesc = Extracts values from search results, using a form template.
syntax = kvform (form=<string>)? (field=<field>)?
tags = form extract template
usage = public/experimental
[latesttime]
description = Specify the latest time for the _time range of your search. You can specify an exact time (latest="11/12/2016:20:00:00") or a relative time (latest=-30m or latest=@w6).
syntax = latest=<time_modifier>
[latfield]
description = Specify a field from the pre-search that represents the latitude coordinates to use
in your analysis. Defaults to "lat".
syntax = latfield=<field>
[leftalias]
description = Lineage of fields in left result set.
syntax = <string>
[lit-value]
syntax = <string>|<num>
[lmaxpause-opt]
default = "maxpause=1m"
description = the maximum (inclusive) time between two consecutive events in a contiguous time region
syntax = maxpause=<int>(s|m|h|d)?
[loadjob-command]
appears-in = Madonna
category = results::generate
comment1 = Loads the events that were generated by the search job with id=1233886270.2
comment2 = Loads the results of the latest scheduled execution of savedsearch MySavedSearch in the 'search' application owned by admin
description = The artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.
example1 = | loadjob 1233886270.2 events=t
example2 = | loadjob savedsearch="admin:search:MySavedSearch"
generating = true
maintainer = ledion
related = inputcsv, file
shortdesc = Loads events or results of a previously completed search job.
syntax = loadjob (<sid-opt>|<savedsearch-identifier>) <result-event-opt>? <delegate-opt>? <artifact-offset-opt>? <ignore-running-opt>?
tags = artifacts
usage = public
[localize-command]
appears-in = 3.2
category = search::subsearch
comment1 = As an example, searching for "error" and then calling localize finds good regions around
where error occurs, and passes each on to the search inside of the the map command, so
that each iteration works with a specific timerange to find promising transactions
commentcheat = Search the time range of each previous result for "failure".
description = Generates a list of time contiguous event regions
defined as: a period of time in which consecutive events
are separated by at most 'maxpause' time. The found regions
can be expanded using the 'timeafter' and 'timebefore' modifiers
to expand the range after/before the last/first event in
the region respectively. The Regions are return in time descending
order, just as search results (time of region is start time).
The regions discovered by localize are meant to be feed into
the MAP command, which will use a different region for each iteration.
Localize also reports: (a) number of events in the range, (b) range
duration in seconds and (c) region density defined as (#of events in range)
divided by (range duration) - events per second.
example1 = error | localize | map search="search starttimeu::$starttime$ endtimeu::$endtime$ |transaction uid,qid maxspan=1h"
examplecheat = ... | localize maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"
maintainer = david, ledion
related = map, transaction
shortdesc = Returns a list of time ranges in which the search results were found.
syntax = localize <lmaxpause-opt>? <after-opt>? <before-opt>?
tags = time timestamp subsearch range timerange
usage = public beta
[localop-command]
appears-in = 4.0
category = search::search
comment1 = The iplocation command in this case will never be run on remote peers. All events from remote peers from the initial search for the terms FOO and BAR will be forwarded to the search head where the iplocation command will be run.
description = Prevents subsequent commands from being executed on remote peers, i.e. forces subsequent commands to be part of the reduce step.
example1 = FOO BAR | localop | iplocation clientip
maintainer = steveyz
optout-in = lite, lite_free
shortdesc = Prevents subsequent commands from being executed on remote peers.
syntax = localop
tags = debug distributed
usage = public unsupported/beta
[log-span]
comment1 = set log span of base 10, coeff 1.0, e.g. ...,0.1,1,10,100,...
comment2 = set log span of base 5, coeff 2.0, e.g. ...,0.4,2,10,50,250,1250,...
description = Sets to log based span, first number if coefficient, second number is base
coefficient, if supplied, must be real number >= 1.0 and < base
base, if supplied, must be real number > 1.0 (strictly greater than 1)
example1 = log
example2 = 2log5
syntax = (<num>)?log(<num>)?
[logical-expression]
simplesyntax = (NOT)? <logical-expression>|<comparison-expression>|(<logical-expression> OR? <logical-expression>)
syntax = ("(" <logical-expression> ")")|<time-opts>|<search-modifier>|(<boolean-operator-not>? <logical-expression>)|<index-expression>|<comparison-expression>|(<logical-expression> (<boolean-operator-or>|<boolean-operator-and>)? <logical-expression>)
[longfield]
description = Specify a field from the pre-search that represents the longitude coordinates to use
in your analysis. Defaults to "lon".
syntax = longfield=<field>
[lookup-command]
appears-in = 4.0
category = fields::read
comment1 = There is a lookup table specified in a stanza name 'usertogroup' in transform.conf. This lookup table contains (at least) two fields, 'user' and 'group'. For each event, we look up the value of the field 'local_user' in the table and for any entries that matches, the value of the 'group' field in the lookup table will be written to the field 'user_group' in the event.
description = Manually invokes field value lookups from an existing lookup table or external
script. Lookup tables must be located in the lookups directory of
$SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/<app-name>/lookups.
External scripts must be located in $SPLUNK_HOME/etc/searchscripts or
$SPLUNK_HOME/etc/apps/<app_name>/bin.\p\
Specify a lookup field to match to a field in the events and, optionally,
destination fields to add to the events. If you do not specify destination fields,
adds all fields in the lookup table to events that have the match field. You can
also overwrite fields in the events with fields in the lookup table, if they have
the same field name.
example1 = ... | lookup usertogroup user as local_user OUTPUT group as user_group
maintainer = steveyz
related = appendcols inputlookup outputlookup
shortdesc = Explicitly invokes field value lookups.
syntax = lookup (local=<bool>)? (update=<bool>)? (event_time_field=<string>)? <string:lookup-table-name> (<field:lookup> (as <field:local>)? )+ (OUTPUT|OUTPUTNEW (<field:dest> (as <field:local-dest>)? )+ )?
tags = join combine append lookup table
usage = public
[makecontinuous-command]
appears-in = 3.2
category = reporting
comment1 = Make "_time" continuous with a span of 10 minutes.
description = Makes a field that is supposed to be the x-axis continuous (invoked by chart/timechart).
example1 = ... | makecontinuous _time span=10m
maintainer = steveyz
related = chart timechart
syntax = makecontinuous (<field>)? (<bin-options>)*
tags = continuous
usage = public
[makejson-command]
category = results::filter
comment1 = Create a stringified JSON: { "name": "<value of name>", "data": { "count": <value of data.count>, "metrics": [values of data.metrics] }}
description = Combines the specified set of field names, or field name patterns,
and creates an field with the output name.
example1 = ... | makejson name data.* "counts[float]" output=json_event
shortdesc = Combines specified fields into a stringified JSON
syntax = makejson <wc-field-list> (output=<string>)
tags = json
usage = public
[makemv-command]
appears-in = 3.3
category = fields::convert
comment1 = Separate the value of "foo" into multiple values.
comment2 = For sendmail search results, separate the values of "senders" into multiple values. Then, display the top values.
description = Treat specified field as multi-valued, using either a simple string delimiter (can be multicharacter), or a regex tokenizer. If neither is provided, a default delimiter of " " (single space) is assumed.
The allowempty=<bool> option controls if consecutive delimiters should be treated as one (default = false).
The setsv boolean option controls if the original value of the field should be kept for the single valued version. It is kept if setsv = false, and it is false by default.
example1 = ... | makemv delim=":" allowempty=t foo
example2 = eventtype="sendmail" | makemv delim="," senders | top senders
maintainer = steveyz
related = mvcombine, mvexpand, nomv
shortdesc = Changes a specified field into a multi-value field during a search.
syntax = makemv (delim=<string> |tokenizer=<string>)? (allowempty=<bool>)? (setsv=<bool>)? <field>
tags = multivalue convert
usage = public
[makeresults-command]
appears-in = 6.3
category = results::generate
description = Creates a specified number of empty search results. This command will run only on the local machine
by default and will generate one unannotated empty result. It maybe used in conjunction with the eval command to
generate an empty result for the eval command to operate on.
example1 = makeresults | eval foo="foo"
example2 = index=_internal _indextime > [makeresults | eval it=now()-60 | return $it]
maintainer = amathew
note = If the search begins with an eval command it will return no results. makeresults is implicitly injected to the
beginning of such searches.
shortdesc = Create a specified number of empty results.
syntax = makeresults (<count-option>)? (<annotate-option>)? (<splunk-server-option>)? (<splunk-server-group-option>)*
usage = public
[map-command]
appears-in = 3.2
category = results::generate
description = For each input search result, takes the field-values
from that result and substitutes their value for the $variable$ in the
search argument. The value of variables surrounded in quotes (e.g. text="$_raw$") will be quote escaped.
The search argument can either be a subsearch to run
or just the name of a savedsearch. The following metavariables are
also supported:
1. $_serial_id$ - 1-based serial number within map of the search being executed.
example1 = error | localize | map mytimebased_savedsearch
maintainer = david
related = gentimes, search
shortdesc = Looping operator, performs a search over each search result.
syntax = map (<searchoption>|<savedsplunkoption>) <maxsearchesoption>?
tags = map subsearch loop savedsearch
usage = public beta
[max-time-opt]
description = The maximum time in seconds that typeahead can run for ( 0 disables this max_time )
example = max_time=3
syntax = max_time=<int>
[max_x]
default = "max_x=180"
description = X coordinate of bounding box's up-right corner, range [-180, 180].
syntax = max_x=<num>
[max_y]
default = "max_y=90"
description = Y coordinate of bounding box's up-right corner, range [-90, 90].
syntax = max_y=<num>
[maxevents-opt]
default = maxevents=1000
description = The maximum number of events in a transaction. If the value is negative this constraint is disabled.
syntax = maxevents=<int>
[maxinputs-opt]
default = maxinputs=100
description = Determines the maximum number of input results passed to the script.
example1 = maxinputs=1000
syntax = maxinputs=<int>
[maxinputs-option]
default = 50000
description = Set the maximum number of search results sent via alerts.
syntax = maxinputs=<int>
[maxopenevents-opt]
default = the default value of this field is read from the transactions stanza in limits.conf
description = Specifies the maximum number of events (which are) part of open transactions before transaction
eviction starts happening, using LRU policy.
syntax = maxopenevents=<int>
[maxopentxn-opt]
default = the default value of this field is read from the transactions stanza in limits.conf
description = Specifies the maximum number of not yet closed transactions to keep in the open pool before starting
to evict transactions, using LRU policy.
syntax = maxopentxn=<int>
[maxpause-opt]
default = maxpause=-1 (no limit)
description = The maxpause constraint requires there be no pause between a transaction's events of greater than maxpause.
If value is negative, disable the maxpause constraint.
syntax = maxpause=<int>(s|m|h|d)?
[maxsearchesoption]
default = maxsearches=10
description = The maximum number of searches to run. Will generate warning if
there are more search results.
example1 = maxsearches=42
syntax = maxsearches=<int>
[maxspan-opt]
default = maxspan=-1 (no limit)
description = The maxspan constraint requires the transaction's events to span less than maxspan.
If value is negative, disable the maxspan constraint.
syntax = maxspan=<int>(s|m|h|d)?
[maxtime-option]
description = The maximum amount of time that the execution of an action is allowed to take before the action is aborted.
syntax = maxtime=<int>m | s | h | d
[maxzoomlevel]
description = The maximum level to be created in the quad tree. Defaults to 9, which specifies
that 10 zoom levels will be created: 0-9.
syntax = maxzoomlevel=<int>
[mcatalog-command]
appears-in = 7.0
category = reporting
comment1 = Return all of the metric names in a specific metric index
comment2 = Return all of the metric names in all metric indexes
comment3 = Return all IP addresses when the metric name matches 'login.failure'
description = Returns the list of values for the metric_name or dimension fields from all metric indexes,
unless an index name is specified in the WHERE clause. The '_values' field is not allowed.
Supports GROUPBY on the metric_name or dimension fields, however you cannot specify a time
span with this command. \i\
Arguments: \i\
"prestats": Returns the results in prestats format. You can pipe the results into another command that takes prestats output, such as chart or timechart. \i\
This is useful for creating graphs. Default is "prestats=false". \i\
"append": Valid only when "prestats=true". This argument runs the mstats command and adds \i\
the results to an existing set of results instead of generating new results. Default is "append=false". \i\
usage = internal
example1 = mcatalog values(metric_name) WHERE index=new-metric-idx
example2 = mcatalog values(metric_name)
example3 = mcatalog values(ip) where metric_name=login.failure
maintainer = allan
optout-in = lite, lite_free
shortdesc = Performs values aggregation on metric_name and dimensions.
syntax = mcatalog (prestats=<bool>)? (append=<bool>)? ((values "(" <field> ")") (as <field>)?)+ (WHERE <logical-expression>)? ((BY|GROUPBY) <field-list>)?
[mcollect-command]
appears-in = 7.1
category = index::summary
comment1 = Generate a count of error events as metric data points.
description = Converts search results into metric data and inserts the data into a metric index
on the search head. If each result contains only one metric_name field
and one numeric _value field, the result is already a normalized metrics data point,
the result does not need to be split and can be consumed directly.
Otherwise, each result is spit into multiple metric data points based on the specified
list of dimension fields.
If the '_time' field is present in the results, it is used as the timestamp of the
metric datapoint. If the '_time' field is not present, the current time is used.
Arguments:
“index”: The index where the collected metric data are placed. This argument is required.
“file”: The file name where you want the collected metrics data to be written.
The default file name is a random filename. You can use a timestamp or a random number
for the file name by specifying either file=$timestamp$ or file=$random$.
Defaults to $random$_metrics.csv
“split”: If split=false (which is the default setting), the results must include a
'metric_name' field for the name of the metric, and a '_value' field for the
numerical value of the metric. If split=true, <field-list> must be specified.
“spool”: If spool=true (which is the default setting), the metrics data file is written
to the Splunk spool directory, $SPLUNK_HOME/var/spool/splunk, where the file is indexed
automatically. If spool=false, the file is written to the $SPLUNK_HOME/var/run/splunk
directory. The file remains in this directory unless some form of further automation
or administration is done. \
example1 = ERROR | stats count BY type | rename count AS _value type AS metric_name | mcollect index=my_metric_index
maintainer = steveyz
optout-in = lite, lite_free
related = collect meventcollect
shortdesc = Puts search results into a metric index on the search head.
syntax = mcollect (index=<string>) (file=<string>)? (split=<bool>)? (spool=<bool>)? (prefix_field=<string>)? (host=<string>)? (source=<string>)? (sourcetype=<string>)? (<field-list>)?
tags = collect summary summaryindex metrics
“prefix_field”: Is applicable only when split = true. If specified, any event with that
field missing is ignored. Otherwise, the field value is prefixed to the metric name.
"host": The name of the host that you want to specify for the collected metrics data.
Only applicable when spool=true.
"source": The name of the source that you want to specify for the collected metrics data.
Defaults to the name of search.
"sourcetype": The name of the source type that is specified for the collected metrics
data. This setting defaults to mcollect_stash. License usage is not calculated for
data indexed with the mcollect_stash source type. If you change to a different
source type, the Splunk platform calculates license usage for any data indexed
by the mcollect command. NOTE: Do not change this setting without
assistance from Splunk Professional Services or Splunk Support. Changing the
source type requires a change to the props.conf file.
“field-list”: A list of dimension fields. Optional if split=false (the default), required
if split=true. If “field-list” is not specified, all fields are treated as dimensions
for the data point except for the “prefix_field” and internal fields (fields with an
underscore ’_’ prefix). If “field-list” is specified, the list must be specified
at the end of the mcollect command arguments. If “field-list” is specified, all
fields are treated as metric values, except for fields in “field-list”,
the “prefix-field”, and internal fields.
The name of each metric value is the field name prefixed with the ”prefix_field” value.
Effectively, one metric data point is returned for each qualifying field that
contains a numerical value. If one search result contains multiple qualifying
metric name/value pairs, the result is split into multiple metric data points.
usage = public
[memcontrol-opt]
syntax = <maxopentxn-opt> | <maxopenevents-opt> | <keepevicted-opt>
[message-option]
default = If sendresults=true: Search complete.
If sendresults=true, inline=true, and either sendpdf=false or sendcsv=false: Search results.
If sendpdf=true or sendcsv=true: Search results attached.
description = Specifies the message sent in the email.
syntax = message=<string>
[metadata-command]
appears-in = 3.X Madonna
category = administrative
comment1 = Return the values of "host" for events in the "_internal" index.
comment2 = Return values of "sourcetype" for events in the "_audit" index on server peer01
comment3 = Return values of "sourcetype" for events in the "_audit" index on any server name that begins with "peer".
comment4 = Return the values of "host" for data points in the "mymetrics" index.
comment5 = Return the values of "source" for data points in all metrics indexes.
description = This search command generates a list of source, sourcetypes, or hosts from the index. Optional splunk_server argument specifies whether or not to limit results to one specific server. Optional datatype argument specifies whether to only search from event indexes or metrics index. If datatype is not specified, only search from event indexes.
example1 = | metadata type=hosts index=_internal
example2 = | metadata type=sourcetypes index=_audit splunk_server=peer01
example3 = | metadata type=sourcetypes index=_audit splunk_server=peer*
example4 = | metadata type=hosts index=mymetrics datatype=metric
example5 = | metadata type=sources index=* datatype=metric
maintainer = brian
related = dbinspect
shortdesc = Returns a list of source, sourcetypes, or hosts.
syntax = metadata type=<metadata-type> (<index-opt>)* (splunk_server=<wc-string>)? (splunk_server_group=<wc-string>)* (datatype=<metric|event>)?
tags = metadata host source sourcetype metric
usage = public
[metadata-delete-restrict]
description = restrict the deletion to the specified host, source or sourcetype.
syntax = (host::|source::|sourcetype::)<string>
[metadata-type]
description = Specifies which metadata type is returned
syntax = hosts|sources|sourcetypes
[metasearch-command]
appears-in = 4.2
category = search::search
comment1 = Return metadata for events with "404" and from host "webserver1"
description = Retrieves event metadata from indexes based on terms in the <logical-expression>. Metadata fields include source, sourcetype, host, _time, index, and splunk_server.
example1 = 404 host="webserver1"
maintainer = steveyz
related = search metadata
shortdesc = Retrieves event metadata from indexes based on terms in the <logical-expression>.
simplesyntax = metasearch <logical-expression>?
syntax = metasearch <logical-expression>?
tags = search query find
usage = public
[meventcollect-command]
appears-in = 7.1
category = index::summary
comment1 = collect metrics.log data into a metrics index
description = Converts search results into metric data and inserts the data into a metric index
on the indexers. If each result contains only one metric_name field and one
numeric _value field, the result is already a normalized metrics data point,
the result does not need to be split and can be consumed directly.
Otherwise, each result is spit into multiple metric data points based on the specified
list of dimension fields.
Only purely streaming commands can precede the meventcollect command so that results can be
directly ingested on the indexers.
Arguments:
“index”: The index where the collect metric data are placed. This argument is required.
“split”: If split=false (which is the default setting), the results must include a
'metric_name' field for the name of the metric, and a '_value' field for the
numerical value of the metric. If split=true, <field-list> must be specified.
“spool”: If spool=true (which is the default setting), the metrics data file is written
to the Splunk spool directory, $SPLUNK_HOME/var/spool/splunk, where the file is indexed
automatically. If spool=false, the file is written to the $SPLUNK_HOME/var/run/splunk
directory. The file remains in this directory unless some form of further automation
or administration is done. \
example1 = index=_internal source=*/metrics.log | eval prefix = group + "." + name | meventcollect index=my_metric_index split=true prefix_field=prefix name group
maintainer = steveyz
optout-in = lite, lite_free
related = collect mcollect
shortdesc = Puts search results into a metric index on the indexers.
syntax = meventcollect (index=<string>) (split=<bool>)? (spool=<bool>)? (prefix_field=<string>)? (host=<string>)? (source=<string>)? (sourcetype=<string>)? (<field-list>)?
tags = collect summary summaryindex metrics
“prefix_field”: Is applicable only when split = true. If specified, any event with that
field missing is ignored. Otherwise, the field value is prefixed to the metric name.
"host": The name of the host that you want to specify for the collected metrics data.
Only applicable when spool=true.
"source": The name of the source that you want to specify for the collected metrics data.
Defaults to the name of search.
"sourcetype": The name of the source type that is specified for the collected metrics
data. This setting defaults to mcollect_stash. License usage is not calculated for
data indexed with the mcollect_stash source type. If you change to a different
source type, the Splunk platform calculates license usage for any data indexed
by the meventcollect command. NOTE: Do not change this setting
without assistance from Splunk Professional Services or Splunk Support. Changing
the source type requires a change to the props.conf file.
“field-list”: A list of dimension fields. Optional if split=false (the default), required
if split=true. If “field-list” is not specified, all fields are treated as dimensions
for the data point except for the “prefix_field” and internal fields (fields with an
underscore ’_’ prefix). If “field-list” is specified, the list must be specified
at the end of the mcollect command arguments. If “field-list” is specified, all
fields are treated as metric values, except for fields in “field-list”,
the “prefix-field”, and internal fields.
The name of each metric value is the field name prefixed with the ”prefix_field” value.
Effectively, one metric data point is returned for each qualifying field that
contains a numerical value. If one search result contains multiple qualifying
metric name/value pairs, the result is split into multiple metric data points.
usage = public
[min_x]
default = "min_x=-180"
description = X coordinate of bounding box's bottom-left corner, range [-180, 180].
syntax = min_x=<num>
[min_y]
default = "min_y=-90"
description = Y coordinate of bounding box's bottom-left corner, range [-90, 90].
syntax = min_y=<num>
[minutesago]
description = Search the last N minutes. ( equivalent to startminutesago )
syntax = minutesago=<int>
[modelName]
description = A data model name.
syntax = <string>
[monthsago]
description = Search the last N months. ( equivalent to startmonthsago )
syntax = monthsago=<int>
[mstats-command]
appears-in = 7.0
category = reporting
comment1 = Get the count of all measurements in the "mymetrics" index where
the metric name is "foo".
comment2 = Get the count and average of all measurements in the "mymetrics"
index where the metric_name value is "foo".
comment3 = Get the count of all measurements in the "mymetrics" index where
the metric_name value is "foo" and the average of all measurements
in the "mymetrics" index where the metric_name value is "bar".
comment4 = Return the average of all measurements in mymetrics, where bar is
"value2" and metric_name is "foo".
comment5 = Get the count by app for data points with host "x" and
metric_name "foo" from the default metrics indexes.
comment6 = Get a timechart of all the data in your metrics indexes for
metric_name "foo" with a granularity of one day.
comment7 = Get the median of all measurements from the default metrics indexes,
where metric name is "foo".
comment8 = Alternative syntax for getting the count of all measurements in
the "mymetrics" index for a metric_name called "foo".
comment9 = Get the average of all values of a metric named either "cpu.util" or "cpu.utilization".
description = Performs statistics on the measurement, metric_name, and
dimension fields in metric indexes. The mstats command is
optimized for searches over one or more metric_name values,
rather than searches over all metric_name values. It supports
both historical and real-time searches. For a real-time search
with a time window, mstats runs a historical search first that
backfills the data.\p\
The mstats command is a generating command, except when it is
in 'append=t' mode. As such, it must be the first command in a
search.\p\
If the <stats-func> based syntax is used, the filter specified after
the WHERE clause cannot filter on metric_name. Any metric_name
filtering is performed based on the metric_name fields specified
by the <stats-func> argument. If the <stats-func-value> syntax
is used, the WHERE clause *must* filter on metric_name (wildcards are ok).
It is recommended to use the <stats-func> syntax when possible.
The <stats-func-value> syntax is needed for cases where a single metric may be
represented by several different metric names (e.g. "cpu.util" and "cpu.utilization"). \p\
You cannot blend the <stats-func> syntax with the <stats-func-value> syntax in a single mstats command. \p\
Arguments: \p\
"<stats-func>": A list of stats functions to compute for given
metric_names. These are written as
<function1>(metric_name1) <function2>(metric_name2) ... \p\
"<stats-func-value>": A list of stats functions to compute on
metric values (_value). These are written as
<function1>(_value) <function2>(_value) ... \p\
"<logical-expression>": An expression describing the filters
that are applied to your search. Includes time and
search modifiers, comparison expressions, and index
expressions. This expression cannot filter on
metric_name if the <stats-func> syntax is used, but
must filter on metric_name if the <stats-func-value>
syntax is used.\p\
"<field-list>": Specifies one or more fields to group the
results by. Required when using the 'BY' or
'GROUPBY' clause. \p\
"prestats": Returns the results in prestats format. You can pipe
the results into commands that consume the prestats
formatted data, such as chart or timechart, and
output aggregate calculations. This is useful for
creating graphs. Default is prestats=false. \p\
"append": Valid only when "prestats=true". This argument adds
the results of the mstats run to an existing set of
results instead of generating new results. Default is
"append=false". \p\
"backfill": Valid only with windowed real-time searches. When
set to "true", the mstats command runs a historical
search to backfill the on-disk indexed data before
searching the in-memory real-time data. Default is
"backfill=true".\p\
"update_period": Valid only with real-time searches. Specifies
how frequently, in milliseconds, the real-time
summary for the mstats command is updated. By
default, update_period=0, which is 1 second. A
larger number means less frequent reads of the
summary and less impact on index processing.
example1 = | mstats count(foo) WHERE index=mymetrics
example2 = | mstats count(foo) avg(foo) WHERE index=mymetrics
example3 = | mstats count(foo) avg(bar) WHERE index=mymetrics
example4 = | mstats count(foo) WHERE index=mymetrics bar=value2
example5 = | mstats count(foo) WHERE host=x BY app
example6 = | mstats prestats=t count(foo) span=1d | timechart span=1d count(foo)
example7 = | mstats median(foo)
example8 = | mstats count(_value) WHERE metric_name=foo AND index=mymetrics
example9 = | mstats avg(_value) WHERE metric_name=cpu.util OR metric_name=cpu.utilization AND index=mymetrics
maintainer = allan/steveyz
optout-in = lite, lite_free
related = tstats
shortdesc = Performs statistics on the measurement, metric_name and dimension fields in metric indexes. Supports historical and real-time search.
syntax = mstats (prestats=<bool>)? (append=<bool>)? (backfill=<bool>)? (update_period=<int>)? ((<stats-func>)+|(<stats-func-value>)+) WHERE (<logical-expression>)* ((BY|GROUPBY) <field-list> (span=<string:timespan>)? )?
tags = mstats metric tsidx projection
usage = public
[multikv-command]
appears-in = 3.0
category = fields::add
comment1 = Extract the "pid" and "command" fields.
commentcheat = Extract the "COMMAND" field when it occurs in rows that contain "splunkd".
description = Extracts fields from events with information in a tabular format (e.g. top, netstat, ps, ... etc).
A new event is created for each table row. Field names are derived from the title row of the table.
example1 = ... | multikv fields pid command
examplecheat = ... | multikv fields COMMAND filter splunkd
maintainer = ledion, steveyz
related = extract, kvform, rex, xmlkv
shortdesc = Extracts field-values from table-formatted events.
syntax = multikv (conf=<stanza_name>)? (<multikv-option>)*
tags = extract table tabular column
usage = public
[multikv-copyattrs]
description = When true, multikv copies all fields from the original event to the events generated from that event.
When false, no fields are copied from the original event.
This means there will be no _time field and you will not be able to see the events in the UI. (default = true)
syntax = copyattrs=<bool>
[multikv-fields]
description = Limit the fields set by multikv to this list.
Any fields in the table which are not on this list will be ignored.
syntax = fields <field-list>
[multikv-filter]
description = If specified, multikv will skip over table rows that do not contain at least one of the strings in the filter list.
Quoted expressions are permitted such as "multiple words" or "trailing_space ".
syntax = filter <field-list>
[multikv-forceheader]
description = Forces the use of the given line number (1 based) as the table's header.
Empty lines are not included in the count.
By default, multikv attempts to determine the header line automatically.
syntax = forceheader=<int>
[multikv-multitable]
description = Controls whether or not there can be multiple tables in a single _raw in the original events. (default = true)
syntax = multitable=<bool>
[multikv-noheader]
description = Handle a table without header row identification.
The size of the table will be inferred from the first row, and fields will be named Column_1, Column_2, etc.
noheader=true implies multitable=false (default = false)
syntax = noheader=<bool>
[multikv-option]
description = Multikv available options
syntax = <multikv-copyattrs>|<multikv-fields>|<multikv-filter>|<multikv-forceheader>|<multikv-multitable>|<multikv-noheader>|<multikv-rmorig>
[multikv-rmorig]
description = When true, the original events will not be included in the output results.
When false, the original events are retained in the output results, with each original event
emitted after the batch of generated results from that original. (default=true)
syntax = rmorig=<bool>
[multisearch-command]
appears-in = Ace
category = results::append
comment = search for both events from index a and b and add different fields using eval in each case
description = Runs multiple *streaming* searches at the same time. Must specify at least 2 subsearches and only purely streaming operations are allowed in each subsearch (e.g. search, eval, where, fields, rex, ...)
example = | multisearch [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"]
maintainer = steveyz
related = append, join
shortdesc = Runs multiple searches at the same time.
syntax = multisearch <subsearch> <subsearch> <subsearch> ...
tags = append join combine unite combine
usage = public
[mvcombine-command]
appears-in = 3.3
category = results::filter
comment = Combine the values of "foo" with ":" delimiter.
description = For each group of results that are identical except for the given field, combine them into a single result where the given field is a multivalue field. DELIM controls how values are combined, defaulting to a space character (' ').
example = ... | mvcombine delim=":" foo
maintainer = steveyz
related = makemv, mvexpand, nomv
shortdesc = Combines events in the search results that have a single differing field value into one result with a multi-value field of the differing field.
syntax = mvcombine (delim=<string>)? <field>
tags = combine merge join unite multivalue
usage = public
[mvexpand-command]
appears-in = 3.3
category = results::generate
comment1 = Create new events for each value of multi-value field, "foo".
comment2 = Create new events for the first 100 values of multi-value field, "foo".
description = For each result with the specified field, create a new result for each value of that field in that result if it a multivalue field.
example1 = ... | mvexpand foo
example2 = ... | mvexpand foo limit=100
maintainer = steveyz
related = makemv, mvcombine, nomv
shortdesc = Expands the values of a multi-value field into separate events for each value of the multi-value field.
syntax = mvexpand <field> (limit=<int>)?
tags = separate divide disconnect multivalue
usage = public
[mvlist-opt]
default = mvlist=f
description = Flag controlling whether the multivalued fields of the transaction are (1) a list of the original
events ordered in arrival order or (2) a set of unique field values ordered lexicographically. If a
comma/space delimited list of fields is provided only those fields are rendered as lists
syntax = mvlist=<bool>|<field-list>
[mvraw-opt]
default = mvraw=f
description = Whether the _raw field of the transaction search result should be a multivalued field
syntax = mvraw=<bool>
[named-dataset]
syntax = <dataset-type>:<dataset-name>
[newseriesfilter-command]
appears-in = 3.0
description = Used by timechart.
example =
maintainer = steveyz
syntax = newseriesfilter <string>
usage = internal
[nokv-command]
appears-in = 3.0
description = Tells the search pipeline not to perform any automatic key/value extraction.
example1 = ... | nokv
maintainer = ssorkin
syntax = nokv
usage = internal
[nomv-command]
appears-in = 3.3
category = fields::convert
comment = For sendmail events, combine the values of the senders field into a single value; then, display the top 10 values.
description = Converts values of the specified multi-valued field into one single value (overrides multi-value field configurations set in fields.conf).
example = eventtype="sendmail" | nomv senders | top senders
maintainer = steveyz
related = makemv, mvcombine, mvexpand, convert
shortdesc = Changes a specified multi-value field into a single-value field at search time.
syntax = nomv <field>
tags = single multivalue
usage = public
[nullstr-opt]
default = nullstr="NULL"
description = A string value to use when rendering missing field values as part of mv fields in a transactions.
This option applies only to fields that are rendered as lists.
syntax = nullstr=<string>
[objectName]
description = A data model object name.
syntax = <string>
[outlatfield]
description = Specify a name for the latitude field in your geostats output data.
Defaults to "latitude".
syntax = outlatfield=<string>
[outlier-action-opt]
default = "action=transform"
description = What to do with outlying events. RM | REMOVE removes the field from events containing outlying numerical values.
TF | TRANSFORM truncates the outlying value to the threshold for outliers and, if mark=true, prefixes the value with "000"
simplesyntax = action=(remove|transform)
syntax = action=(rm|remove|tf|transform)
[outlier-command]
alias = outlierfilter
appears-in = 3.0
category = reporting
comment1 = Remove all outlying numerical values.
comment2 = For a timechart of webserver events, transform the outlying average CPU values.
description = Removes or truncates outlying numerical values in selected fields. If no fields are specified, then outlier will attempt to process all fields.
example1 = ... | outlier
example2 = 404 host="webserver" | timechart avg(cpu_seconds) by host | outlier action=tf
maintainer = steveyz
related = anomalies, anomalousvalue, cluster, kmeans
shortdesc = Removes outlying numerical values.
syntax = outlier (<outlier-option> )* (<field-list>)?
tags = outlier anomaly unusual odd irregular dangerous unexpected
usage = public
[outlier-mark-opt]
default = "mark=false"
description = If action=transform and mark=true, prefixes the outlying values with "000". If action=remove, the mark argument has no effect.
syntax = mark=<bool>
[outlier-option]
description = Outlier options
syntax = <outlier-action-opt>|<outlier-param-opt>|<outlier-uselower-opt>|<outlier-mark-opt>
[outlier-param-opt]
default = "param=2.5"
description = Parameter controlling the threshold of outlier detection. An outlier is defined as
a numerical value that is outside of param multiplied the inter-quartile range.
syntax = param=<num>
[outlier-uselower-opt]
default = "uselower=false"
description = Controls whether to look for outliers for values below the median in addition to above it
syntax = uselower=<bool>
[outlongfield]
description = Specify a name for the longitude field in your geostats output data.
Defaults to "longitude".
syntax = outlongfield=<string>
[outputcsv-command]
appears-in = 3.0
category = results::write
comment1 = Output search results to the CSV file 'mysearch.csv'.
description = If no filename specified, rewrites the contents of each result as a CSV row into the "_xml" field.
Otherwise writes into file (appends ".csv" to filename if filename has no existing extension).
If singlefile is set to true and output spans multiple files, collapses it into a single file.
The option usexml=[t|f] specifies whether or not to encode the csv output into xml and has effect
only when no filename is specified. This option should not specified when invoking outputcsv from
the UI. If dispatch option is set to true, filename refers to a file in the job directory in
$SPLUNK_HOME/var/run/splunk/dispatch/<job id>/
If 'create_empty' is true and no results are passed to outputcsv, an 0-length file is created.
When false (the default) no file is created and the file is deleted if it previously existed.
If 'override_if_empty' is set to its default of true and no results are passed to outputcsv, the
command deletes the output file if it exists. If set to false, the command does not delete the
existing output file.
If 'append' is true, we will attempt to append to an existing csv file if it exists or create a
file if necessary. If there is an existing file that has a csv header already, we will only emit
the fields that are referenced by that header. (Defaults to false) .gz files cannot be append to.
example1 = ... | outputcsv mysearch
maintainer = steveyz
related = inputcsv
shortdesc = Outputs search results to the specified CSV file.
syntax = outputcsv (append=<bool>)? (create_empty=<bool>)? (override_if_empty=<bool>?) (dispatch=<bool>)? (usexml=<bool>)? (singlefile=<bool>)? (<filename>)?
tags = output csv save write
usage = public
[outputlookup-command]
appears-in = 4.0
category = results::write
comment1 = Write to "users.csv" lookup file (under $SPLUNK_HOME/etc/system/lookups or $SPLUNK_HOME/etc/apps/*/lookups).
comment2 = Write to "usertogroup" lookup table (as specified in transforms.conf).
description = Saves results to a lookup table as specified by a filename (must end with .csv or .gz) or a table name (as specified by a stanza name in transforms.conf). If the lookup file does not exist, we will by default create the file in the lookups directory of the current application. If the 'createinapp' option is set to false or if there is no current application context, then we will create the file in the system lookups directory.
If 'create_empty' is true (the default) and no results are passed to outputlookup, an 0-length file is created.
When false no file is created and the file is deleted if it previously existed.
If 'override_if_empty' is set to its default of true and no results are passed to outputlookup, the
command deletes the lookup file if it exists. If set to false, the command does not delete the
existing lookup file.
If 'key_field' is set to a valid field name and this is a key-value store-based lookup, we will
attempt to use the specified field as the key to a value and replace that value.
If 'append' is true, we will attempt to append to an existing csv file if it exists or create a
file if necessary. If there is an existing file that has a csv header already, we will only emit
the fields that are referenced by that header. (Defaults to false). .gz files cannot be appended to.
The 'output_format' controls the output data format, supported values are 'splunk_mv_csv' and 'splunk_sv_csv'.
The default value is 'splunk_sv_csv'. Use 'splunk_mv_csv' for multivalue fields.
example1 = | outputlookup users.csv
example2 = | outputlookup usertogroup
maintainer = steveyz
optout-in = lite, lite_free
related = inputlookup, lookup, outputcsv, outputlookup
shortdesc = Saves search results to the specified static lookup table.
syntax = outputlookup (append=<bool>)? (create_empty=<bool>)? (override_if_empty=<bool>? (max=<int>)? (key_field=<field_name>)? (createinapp=<bool>)? (output_format=<string>) ? (<filename>|<string:tablename>)
tags = output csv save write lookup table
usage = public
[outputraw-command]
category = formatting
description = Outputs search results in a simple, raw text-based format, with each attribute value on a separate text line. Useful for commandline searches.
example1 = ... | outputraw
maintainer = david
optout-in = lite, lite_free
related = outputcsv, outputtext
shortdesc = Outputs search results in a simple, raw text-based format.
syntax = outputraw
tags = output
usage = deprecated
[outputrawr-command]
appears-in = 3.0
category = formatting
description = An easter egg command that replaces incoming search results with a single result with ascii art.
example1 = ... | outputrawr
maintainer = brian
optout-in = lite, lite_free
syntax = outputrawr
tags = output
usage = fun
[outputtelemetry-command]
category = results::write
comment1 = Output search results to the telemetry endpoint, using the field named "data."" Each will be
named "my.telemetry" and is described as a singular "event" type. The telemetry event will only be
sent if the deployment has been opted in to share Anonymized usage data, with opt-in version of 2.
description = Outputs search results to telemetry endpoint.
Required field “input” will have the endpoint payload.
The other fields “component”, “type”, “optinrequired”
are optional fields but the endpoint expects them to be supplied either with the search command
or to be found in the event data.
Visibility fields "anonymous", "license" and "support" are optional.
example1 = ... fields data | outputtelemetry input=data component=my.telemetry type=event anonymous=true optinrequired=2
shortdesc = Outputs search results to telemetry endpoint.
syntax = outputtelemetry (input=<string>) (type=<string>)? (component=<string>)? (support=<bool>)? (anonymous=<bool>)? (license=<bool>)? (optinrequired=<int>)?
tags = output telemetry
usage = public
[outputtext-command]
appears-in = 3.0
category = formatting
comment1 = Output the "_raw" field of your current search into "_xml".
description = Rewrites the _raw field of the result into the "_xml" field.
If usexml is set to true (the default), the _raw field is
XML escaped.
example1 = ... | outputtext
maintainer = ssorkin
related = outputcsv, outputraw
shortdesc = Outputs the raw text (_raw) of results into the _xml field.
syntax = outputtext (usexml=<bool>)?
tags = output
usage = public beta
[overlap-command]
appears-in = 3.3
category = index::summary
comment = Find overlapping events in "summary".
description = Find events in a summary index that overlap in time, or
find gaps in time during which a scheduled saved search may have
missed events. Note: If you find a gap, run the search over the period
of the gap and summary index the results (using | collect). If you
find overlapping events, manually delete the overlaps from the summary
index by using the search language. Invokes an external python script
(in etc/searchscripts/sumindexoverlap.py), which expects input events
from the summary index and finds any time overlaps and gaps between
events with the same 'info_search_name' but different
'info_search_id'. Input events are expected to have the following
fields: 'info_min_time', 'info_max_time' (inclusive and exclusive,
respectively) , 'info_search_id' and 'info_search_name' fields.
example = index=summary | overlap
maintainer = steveyz/ledion
optout-in = lite, lite_free
related = collect sistats sitop sirare sichart sitimechart
shortdesc = Finds events in a summary index that overlap in time or have missed events.
syntax = overlap
tags = collect overlap index summary summaryindex
usage = public
[paperorientation-option]
default = portrait
description = Paper orientation: portrait or landscape.
syntax = paperorientation= portrait | landscape
[papersize-option]
default = letter
description = Default paper size for PDFs. Acceptable values: letter, legal, ledger, a2, a3, a4, a5.
syntax = papersize=letter | legal | ledger | a2 | a3 | a4 | a5
[param-name]
description = Name of the parameter to pass to the custom alert action.
example = message
syntax = <string>
[partial]
description = Controls if partial time buckets should be retained (true) or not (false).
Only the first and last bucket can be partial. Defaults to true.
syntax = partial=<bool>
[pd-algo-option]
description = LL, LLT, LLP, and LLP5 are univariate algorithms. LLB and BiLL are bivariate algorithms.
LL is the simplest algorithm and computes the levels of the time series, ie. each new state
equals the previous state plus a Gaussian noise.
LLT computes the levels plus the trend.
LLP takes into account the data's periodicity if it exists. You can set the
period using the "period" option. You should set the period if you know it
because it will likely be more accurate than letting the command estimate the period.
If the you do not set the period, LLP will try to calculate it.
LLP5 combines LLT and LLP. If the time series is periodic, LLP5 computes two
predictions, one using LLT and the other using LLP. Then LLP5 takes a weighted
average of the two values and outputs that as its prediction. The confidence
interval is also based on a weighted average of the variances of the
LLT and LLP algorithms.
LLB and BiLL are both bivariate local level algorithms. LLB predicts
one time series off the other. BiLL predicts both time series simultaneously.
The key here is that the covariance of the two series is taken into account.
default = LLP5
syntax = algorithm=(LL|LLT|LLP|LLP5|LLB|BiLL)
[pd-as-option]
comment1 = here predictions for foo1 and foo2 will be named foobar1 and foobar2, respectively.
description = Sets the aliases for the predicted fields.
example1 = ... | predict foo1 as foobar1 foo2 as foobar2
syntax = as <field-name>
[pd-correlate-option]
default = None
description = Used with only the LLB algorithm, and is required with that algorithm.
Specifies the time series LLB uses to predict the other time series.
See example3 in [predict-command] section.
syntax = correlate=<field-name>
[pd-future_timespan-option]
default = 5
description = Specifies how many future predictions the predict command will compute.
syntax = future_timespan=<num>
[pd-holdback-option]
comment1 = The last 5 data points are not used. 5 predictions are made which correspond to
the last 5 values in the data. You can then judge how good the predictions are
by checking whether the given (or observed) values fall into the predicted
confidence intervals.
description = Specifies the number of data points from the end that are NOT to be used by predict.
Use this option to compare the predictions with the observed data.
example1 = ... | predict foo holdback=5 future_timespan=5
syntax = holdback=<num>
[pd-lower-option]
default = lower95(prediction(<field>)) where <field> is the field to predict.
description = Specifies the name for the lower confidence interval curve.
The <int> is a number between 0 and 100, and specifies the confidence level.
syntax = lower<int>=<field-name>
[pd-period-option]
default = None
description = Specifies the periodicity of the time series. It must be at least 2.
If you do not specify a value, the LLP and its variants attempts to compute the period.
syntax = period=<num>
[pd-suppress-option]
default = None
description = Used with the multivariate algorithms. Specifies one of the
predicted fields to hide from the output. Use when it is
difficult to look at all the predicted visualizations at the
same time.
syntax = suppress=<field>
[pd-upper-option]
default = upper95(prediction(<field>)) where <field> is the field to predict.
description = Specifies the name for the upper confidence interval curve.
The <int> is a number between 0 and 100, and specifies the confidence level.
syntax = upper<int>=<field-name>
[pdfview-option]
description = Name of view to send as a PDF.
syntax = pdfview=<string>
[pivot-command]
appears-in = 6.0
category = reporting
description = Must be the first command in a search. You must specify the model, object,
and the pivot element to run. The command will expand and run the specified
pivot element.
maintainer = aneels
related = datamodel
shortdesc = Allows user to run pivot searches against a particular datamodel object.
syntax = pivot <datamodel-name> <object-name> <pivot-element>
tags = datamodel model pivot
usage = public
[predict-command]
appears-in = ace
category = reporting
comment1 = Predict foo using the default LLP5 algorithm (an algorithm that combines the LLP and LLT algorithms).
comment2 = Upper and lower confidence intervals do not have to match
comment3 = Illustrates the LLB algorithm. The foo2 field is predicted by correlating it with the foo1 field.
comment4 = Predict multiple fields using the same algorithm. The default algorithm LLP5 is used in this example.
comment5 = Predict multiple fields using the same algorithm, future_timespan, and holdback.
comment6 = Use aliases for the fields by specifying the AS keyword for each field.
comment7 = Predict multiple fields using different algorithms and different options for each field.
comment8 = Predict foo1 and foo2 together using the bivariate algorithm BiLL.
description = The predict command must be preceded by the timechart command.
The command can also fill in missing data in a time-series and
provide predictions for the next several time steps. \p\
The predict command provides confidence intervals for all of its estimates.
The command adds a predicted value and an upper and lower 95th (by default)
percentile range to each event in the time-series.
example1 = ... | timechart span="1m" count AS foo1 | predict foo1
example2 = ... | timechart span="1m" count AS foo | predict foo AS foobar algorithm=LL upper90=high lower97=low future_timespan=10 holdback=20
example3 = ... | timechart span="1m" count(x) AS foo1 count(y) AS foo2 | predict foo2 AS foobar algorithm=LLB correlate=foo1 holdback=100
example4 = ... | timechart span="1m" count AS foo1 avg(sales) AS foo2 sum(sales) AS foo3 | predict foo1 foo2 foo3
example5 = ... timechart span="1m" count AS foo1 avg(sales) AS foo2 sum(sales) AS foo3 | predict foo1 foo2 foo3 algorithm=LLT future_timespan=15 holdback=5
example6 = ... timechart span="1m" count AS foo1 avg(sales) AS foo2 sum(sales) AS foo3 | predict foo1 AS foobar1 foo2 AS foobar2 foo3 AS foobar3 algorithm=LLT future_timespan=15 holdback=5
example7 = ... timechart span="1m" count AS foo1 avg(sales) AS foo2 sum(sales) | predict foo1 algorithm=LL future_timespan=15 foo2 algorithm=LLP period=7 future_timespan=7
example8 = ... timechart span="1m" count AS foo1 avg(sales) AS foo2 sum(sales) | predict foo1 foo2 algorithm=BiLL future_timespan=10
maintainer = nghi
related = trendline, x11
shortdesc = Forecasts future values for one or more sets of time-series data.
syntax = predict <field-list> <pd-as-option>? <pd-algo-option>? <pd-correlate-option>? <pd-future_timespan-option>? <pd-holdback-option>? <pd-period-option>? <pd-upper-option>? <pd-lower-option>? <pd-suppress-option>?
tags = forecast predict univariate bivariate kalman
usage = public
[prefix-opt]
description = the full search to do typeahead on
example = prefix=source
example1 = prefix="index=_internal war"
syntax = prefix=<string>
[preview-command]
appears-in = 4.3
category = results::generate
description = Given a source file and a set of props.conf settings in
$SPLUNK_HOME/var/run/splunk/dispatch/<job_id>/indexpreview.csv,
generate the events that the file would yield if it were indexed.
maintainer = ewoo
shortdesc = See what events from a file will look like when indexed without actually indexing the file.
syntax = preview
tags = index preview
usage = internal
[priority-option]
default = 3
description = Set the priority of the email as it appears in the email client. Lowest or 5, low or 4, high or 2, highest or 1.
syntax = priority=highest | high | normal | low | lowest
[rangemap-command]
appears-in = 4.0
category = fields::add
comment1 = Set RANGE to "green" if the date_second is between 1-30; "blue", if between 31-39; "red", if between 40-59; and "gray", if no range matches (e.g. "0").
comment2 = Sets the value of each event's RANGE field to "low" if COUNT is 0, "elevated" if between 1-100, and "severe" otherwise.
description = Sets RANGE field to the names of any ATTRN that the value of FIELD is within. If no range is matched, the RANGE is set to the DEFAULT values.
example1 = ... | rangemap field=date_second green=1-30 blue=31-39 red=40-59 default=gray
example2 = ... | rangemap field=count low=0-0 elevated=1-100 default=severe
maintainer = david
shortdesc = Sets RANGE field to the name of the ranges that match.
syntax = rangemap field=<field> (<attrn>=<attrn-range>)+ (default=<string>)?
tags = colors stoplight range
usage = public
[rare-command]
appears-in = 3.0
category = reporting
comment1 = Find the least common "user" value for a "host".
commentcheat = Return the least common values of the "url" field.
description = Finds the least frequent tuple of values of all fields in the field list.
If optional by-clause is specified, this command will return rare tuples of values for
each distinct tuple of values of the group-by fields.
example1 = ... | rare user by host
examplecheat = ... | rare url
maintainer = steveyz
related = top, stats, sirare
shortdesc = Displays the least common values of a field.
supports-multivalue = true
syntax = rare <rare-command-arguments>
tags = rare few occasional scarce sparse uncommon unusual
usage = public
[rare-command-arguments]
description = See rare-command description.
syntax = <top-opt>* <field-list> (<by-clause>)?
[rawstats-command]
appears-in = 3.2 Britney
comment1 = get long skinny events
description = Returns statistics about the raw field that might be useful for filtering/classifying events.
example1 = ... | rawstats | search rawstat_width_avg<30 linecount>30
maintainer = david
shortdesc = Returns statistics about the raw field.
syntax = rawstats
usage = internal
[readlevel-int]
description = How deep to read the events, 0 : just source/host/sourcetype, 1 : 0 with _raw, 2 : 1 with kv, 3 2 with types ( deprecated in 3.2 )
syntax = 0|1|2|3
[redistribute-command]
appears-in = 7.1
category = data::managing
comment1 = Speeds up a stats search that aggregates a large number of results.
The "|stats count by ip" portion of the search is processed on the
intermediate reducers. The search head just aggregates the results.
comment2 = Speeds up a search that includes eventstats and which uses
sitimechart to perform the statistical calculations for a timechart
operation. The intermediate reducers process eventstats, where, and
sitimechart. The search head runs timechart to turn the reduced
sitimechart statistics into sorted, visualization-ready results.
Because the redistribute split-by field is unidentified, the system
selects "source" as the redistribute field.
comment3 = Speeds up a search that uses tstats to generate events. The
tstats command must be placed at the start of the search pipeline,
and here it uses prestats=t to work with the timechart command.
sitimechart is processed on the reducers and timechart is processed on
the search head.
comment4 = In this example, the eventstats and where commands are processed
in parallel on the reducers, while the sort command and any commands
following it are processed on the search head. This happens because
sort is a nonstreaming command that is not supported by redistribute.
description = This command divides the search results
among a pool of intermediate reducers in the indexer layer. The reducers
perform intermediary reduce operations in parallel on the search results
before pushing them up to the search head, where a final reduction
operation is performed. This parallelization of reduction work that
would otherwise be done entirely by the search head can result in
faster completion times for high-cardinality searches that
aggregate large numbers of search results. \p\
Set num_of_reducers to control the number of intermediate reducers
used from the pool. num_of_reducers defaults to a fraction of the
indexer pool size, according to the 'winningRate' setting, and is
limited by the 'maxReducersPerPhase' setting, both of which are
specified on the search head in the [parallelreduce] stanza of
limits.conf. \p\
The redistribute command divides events into partitions on the
intermediate reducers according to the fields specified with the
by-clause. If no by-clause fields are specified, the search
processor uses the fields that work best with the commands that
follow the redistribute command in the search. \p\
The redistribute command requires a distributed search environment
with a pool of intermediate reducers at the indexer level. You must
have a role with the run_multi_phased_searches capability to run
this command. You can use the redistribute command only once in a
search. \p\
The redistribute command supports streaming commands and the
following nonstreaming commands: stats, tstats, streamstats,
eventstats, sichart, and sitimechart. The redistribute command also
supports transaction on a single field. \p\
The redistribute command moves the processing of a search string
from the intermediate reducers to the search head when it
encounters nonstreaming command that it does not support or that
does not include a by-clause. The redistribute command also moves
processing to the search head when it detects that a command has
modified values of the fields specified in the redistribute by-clause. \p\
Note: When results are aggregated from the intermediate reducers at
the search head, a sort order is imposed on the result rows only
when an order-sensitive command such as 'sort' is in place to
consume the reducer output.
example1 = "... | redistribute by ip | stats count by ip"
example2 = "... | redistribute | eventstats count by user, source | where count>10 | sitimechart max(count) by source | timechart max(count) by source"
example3 = "| tstats prestats=t count BY _time span=1d | redistribute by _time | sitimechart span=1d count | timechart span=1d count"
example4 = "... | redistribute | eventstats count by user, source | where count >10 | sort 0 -num(count) | ..."
maintainer = bli
shortdesc = Speeds up search runtime of a set of supported SPL commands, in a
distributed search environment.
supports-multivalue = true
syntax = redistribute (num_of_reducers=<int>)? (<by-clause>)?
tags = partition re-partition repartition shuffle collocate
usage = public
[regex-command]
appears-in = 3.0
category = results::filter
commentcheat = Keep only search results whose "_raw" field contains IP addresses in the non-routable class A (10.0.0.0/8).
description = Removes results that do not match the specified regular expression. You can specify for the regex to keep results that match the expression, or to keep those that do not match. Note: if you want to use the "or" ("|") command in a regex argument, the whole regex expression must be surrounded by quotes (ie. regex "expression"). Matches the value of the field against the unanchored regex and only keeps those events that match in the case of '=' or do not match in the case of '!='. If no field is specified, the match is against "_raw".
example1 = ... | regex _raw="complicated|regex(?=expression)"
example2 = ... | regex _raw="(?=!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
examplecheat = ... | regex _raw="(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
maintainer = ssorkin
related = rex, search
shortdesc = Removes results that do not match the specified regular expression.
syntax = regex (<field>("="|"!="))?<regex-expression>
tags = regex regular expression filter where
usage = public
[regex-expression]
comment1 = Selects events whose _raw field contains ip addresses in the non-routable class A (10.0.0.0/8).
description = A Perl Compatible Regular Expression supported by the pcre library.
example1 = ... | regex _raw="(?<!\d)10.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
syntax = (\")?<string>(\")?
[relevancy-command]
appears-in = 4.0
category = fields::add
comment1 = Calculate the relevancy of the search and sort the results in descending order.
description = Calculates the 'relevancy' field based on how well the events _raw field matches the keywords of the 'search'. Useful for retrieving the best matching events/documents, rather than the default time-based ordering. Events score a higher relevancy if they have more rare search keywords, more frequently, in fewer terms. For example a search for "disk error" will favor a short event/document that has 'disk' (a rare term) several times and 'error' once, than a very large event that has 'disk' once and 'error' several times.
example1 = disk error | relevancy | sort -relevancy
maintainer = david
related = abstract, highlight, sort
shortdesc = Calculates how well the event matches the query.
syntax = relevancy
tags = search relevance precision text doc ir
usage = public
[reltime-command]
appears-in = 4.1.5
category = formatting
comment1 = add a reltime field
description = Sets the 'reltime' field to a human readable value of the difference between 'now' and '_time'. Human-readable values look like "5 days ago", "1 minute ago", "2 years ago", etc.
example1 = ... | reltime
maintainer = david
related = convert
shortdesc = Sets the 'reltime' field to a human readable value of the difference between 'now' and '_time'.
syntax = reltime
tags = time ago
usage = public beta
[rename-command]
appears-in = 3.0
category = fields::modify
comment1 = Rename the "count" field.
comment2 = Rename fields beginning with "foo".
commentcheat = Rename the "_ip" field as "IPAddress".
description = Renames a field. If both the source and destination fields are
wildcard expressions with he same number of wildcards,
the renaming will carry over the wildcarded portions to the
destination expression.
example1 = ... | rename count as "Count of Events"
example2 = ... | rename foo* as bar*
examplecheat = ... | rename _ip as IPAddress
maintainer = steveyz
related = fields
shortdesc = Renames a specified field (wildcards can be used to specify multiple fields).
syntax = rename (<wc-field> as <wc-field>)+
tags = rename alias name as aka
usage = public
[rendering-opt]
syntax = <delim-opt> | <mvlist-opt> | <nullstr-opt> | <mvraw-opt>
[replace-command]
appears-in = 3.0
category = fields::modify
commentcheat = Change any host value that ends with "localhost" to "localhost".
description = Replaces a single occurrence of the first string with the second
within the specified fields (or all fields if none were specified).
Non-wildcard replacements specified later take precedence over those specified earlier.
For wildcard replacement, fuller matches take precedence over lesser matches.
To assure precedence relationships, one is advised to split the replace into
two separate invocations.
When using wildcarded replacements, the result must have the same number
of wildcards, or none at all.
Wildcards (*) can be used to specify many values to replace, or replace values with.
example1 = ... | replace 127.0.0.1 with localhost
example2 = ... | replace 127.0.0.1 with localhost in host
example3 = ... | replace 0 with Critical, 1 with Error in msg_level
example4 = ... | replace aug with August in start_month end_month
example5 = ... | replace *localhost with localhost in host
example6 = ... | replace "* localhost" with "localhost *" in host
examplecheat = ... | replace *localhost with localhost in host
maintainer = steveyz
related = fillnull setfields rename
shortdesc = Replaces values of specified fields with a specified new value.
syntax = replace (<wc-str> with <wc-str>)+ (in <field-list>)?
tags = replace change set
usage = public
[rest-command]
appears-in = 4.3
category = rest
comment1 = Access saved search jobs.
description = Access a REST endpoint and display the returned entities as search results.
example1 = | rest /services/search/jobs count=0 splunk_server=local | search isSaved=1
generating = yes
maintainer = ledion
syntax = rest <rest-uri> (count=<int>)? (<splunk-server-opt>)? (<splunk-server-group-opt>)* (<timeout-opt>)? (<get-arg-name>=<get-arg-value>)*
tags = rest endpoint access
usage = public
[rest-uri]
description = Path to the REST endpoint of the local server. This command cannot be used to hit a general url
syntax = <string>
[result-event-opt]
description = events=true loads events, while events=false loads results. Defaults to false.
example = events=true
syntax = events=<bool>
[return-command]
appears-in = 4.2
category = search::subsearch
comment1 = search for "error ip=<someip>", where someip is the most recent ip used by Amrit
comment2 = search for "error (user=user1 ip=ip1) OR (user=user2 ip=ip2)", where users and IPs come from the two most-recent logins
description = Useful for passing values up from a subsearch. Replaces the incoming events with one event, with one attribute: "search". Automatically limits the incoming results with "head" and "fields", to improve performance. Allows convenient outputting of attr=value (e.g., "return source"), alias_attr=value (e.g. "return ip=srcip"), and value (e.g., "return $srcip"). Defaults to using just the first row of results handed to it. Multiple rows can be specified with COUNT (e.g. "return 2 ip"), and each row is ORd (e.g., output might be "(ip=10.1.11.2) OR (ip=10.2.12.3)"). Multiple values can be specified and are placed within OR clauses. So "return 2 user ip" might output "(user=bob ip=10.1.11.2) OR (user=fred ip=10.2.12.3)". Using "return" at the end of a subsearch removes the need, in the vast majority of cases, for "head", "fields", "rename", "format", and "dedup".
example1 = error [ search user=amrit | return ip]
example2 = error [ search login | return 2 user, ip]
maintainer = david
related = search format
shortdesc = A convenient way to return values from a subsearch.
syntax = return (<int:count>)? (<field:alias>=<field>)* (<field>)* ($<field>)*
tags = format query subsearch search
usage = public
[reverse-command]
appears-in = 3.2
category = results::order
commentcheat = Reverse the order of a result set.
description = Reverses the order of the results.
examplecheat = ... | reverse
maintainer = steveyz
related = head, sort, tail
syntax = reverse
tags = reverse flip invert inverse upsidedown
usage = public
[rex-command]
appears-in = 3.2
category = fields::add
comment1 = Anonymize data matching pattern
commentcheat = Extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob.
description = Matches the value of the field against the unanchored regex and extracts
the perl regex named groups into fields of the corresponding names. If
mode is set to 'sed' the given sed expression will be applied to the value
of the chosen field (or to _raw if a field is not specified).
max_match controls the number of times the regex is matched, if greater than one
the resulting fields will be multivalued fields, defaults to 1, use 0 to mean unlimited.
example1 = ... | rex mode=sed "s/(\\d{4}-){3}/XXXX-XXXX-XXXX-/g"
examplecheat = ... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
maintainer = ssorkin
related = extract, kvform, multikv, xmlkv, regex
shortdesc = Specifies a Perl regular expression named groups to extract fields while you search.
syntax = rex (field=<field>)? ( ( <regex-expression> (max_match=<int>)? (offset_field=<string>)? ) | mode=sed <sed-expression>)
tags = regex regular expression extract
usage = public
[rightalias]
description = Lineage of fields in right result set.
syntax = <string>
[row-end]
default = ")"
description = The value to use for the row end.
syntax = <double-quoted-string>
[row-prefix]
default = "("
description = The value to use for the row prefix.
syntax = <double-quoted-string>
[row-separator]
default = "OR"
description = The value to use for the row separator.
syntax = <double-quoted-string>
[rtorder-command]
appears-in = 4.1
comment1 = Keep a buffer of the last 5 minutes of events, emitting events in ascending time order after
the events are more than 5 minutes old. Newly received events that are older than 5 minutes
are discarded if an event after that time has already been emitted.
description = The rtorder command creates a streaming event buffer that takes input events, stores them
in the buffer in ascending time order. The events are emitted in that order from the
buffer only after the current time reaches at least the span of time given by buffer_span
after the timestamp of the event. The buffer_span is by default 10 seconds.
Events are emitted from the buffer if the maximum size of the buffer is exceeded.
The default max_buffer_size is 50000, or the max_result_rows setting of the [search]
stanza in the limits.conf file. If an event is received as input that is earlier
than an event that has been emitted previously, that out of order event is emitted
immediately unless the discard option is set to true (it is false by default).
When discard is set to true, out of order events are discarded, assuring that the
output is always strictly in time ascending order.
example1 = ... | rtorder discard=t buffer_span=5m
maintainer = steveyz
related = sort
shortdesc = Buffers events from real-time search to emit them in ascending time order when possible.
syntax = rtorder (discard=<bool>)? (buffer_span=<span-length>)? (max_buffer_size=<int>)?
tags = realtime sort order
usage = public
[runshellscript-command]
category = search::external
description = Internal command used to execute scripted alerts. The script file needs to be located
in either $SPLUNK_HOME/etc/system/bin/scripts OR $SPLUNK_HOME/etc/apps/<app-name>/bin/scripts.
The search id is used to create a path to the search's results. All other args are passed to the
script (unvalidated) as follows: \i\
$0 = scriptname \i\
$1 = number of events returned \i\
$2 = search terms \i\
$3 = fully qualified query string \i\
$4 = name of saved splunk \i\
$5 = trigger reason (i.e. "The number of events was greater than 1") \i\
$6 = link to saved search \i\
$7 = DEPRECATED - empty string argument \i\
$8 = file where the results for this search are stored(contains raw results)
maintainer = ledion
optout-in = lite, lite_free
related = script
shortdesc = Internal command used to execute scripted alerts.
syntax = runshellscript <script-filename> <result-count> <search-terms> <search-string> <savedsearch-name> <description> <results-url> <deprecated-arg> <search-id>
usage = internal
[savedsearch-command]
alias = macro, savedsplunk
appears-in = 3.0
category = results::generate
comment1 = Run the searchindex command with an index provided (as per above)
commentcheat = Run the "mysecurityquery" saved search.
description = Runs a saved search.
If the search contains replacement terms, will perform string replacement.
For example, if the search were something like "index=$indexname$", then
the indexname term can be provided at invocation time of the savedsearch command.
example1 = | savedsearch searchindex index=main
examplecheat = | savedsearch mysecurityquery
maintainer = brian
related = search
shortdesc = Runs a saved search by name.
syntax = savedsearch <string> (<savedsearch-opt> )*
tags = search macro saved bookmark
usage = public
[savedsearch-identifier]
description = The unique identifier of a savedsearch whose artifacts need to be loaded. A savedsearch
is uniquely identified by the triplet {user, application, savedsearch name}.
example = savedsearch="admin:search:my saved search"
syntax = savedsearch="<user-string>:<application-string>:<search-name-string>"
[savedsearch-macro-opt]
default = nosubstitution=false
description = If true, no string substitution replacements are made.
syntax = nosubstitution=<bool>
[savedsearch-opt]
syntax = <savedsearch-macro-opt>|<savedsearch-replacement-opt>
[savedsearch-replacement-opt]
description = A key value pair to be used in string substitution replacement.
syntax = <string>=<string>
[savedsplunk-specifier]
description = Search for events that would be found by specified search/splunk
syntax = (savedsearch|savedsplunk)=<string>
[savedsplunkoption]
default = none
description = Name of saved search
example1 = mysavedsearch
syntax = <string>
[script-arg]
description = An argument passed to the script.
example1 = to=bob@mycompany.com
syntax = <string>
[script-command]
alias = run
appears-in = 3.0
category = search::external
comment1 = Run the Python script "myscript" with arguments, myarg1 and myarg2; then, email the results.
description = Calls an external python program that can modify or generate search results.
Scripts must be declared in commands.conf and be located in "$SPLUNK_HOME/etc/apps/app_name/bin".
The scripts are run with "$SPLUNK_HOME/bin/python".
example1 = ... | script python myscript myarg1 myarg2 | sendemail to=david@splunk.com
maintainer = david
optout-in = lite, lite_free
shortdesc = Runs an external Python-implemented search command.
syntax = script <script-name-arg> (<script-arg> )* (<maxinputs-opt>)?
tags = script run python perl custom
usage = public
[script-name-arg]
description = The name of the scripted search command to execute, as defined in commands.conf
example1 = sendemail
syntax = <string>
[scrub-command]
appears-in = 3.X Madonna
category = formatting
comment1 = Anonymize the current search results.
description = Anonymizes the search results by replacing identifying data - usernames, IP addresses, domain names, etc. - with fictional values that maintain the same word length. For example, it may turn the string user=carol@adalberto.com into user=aname@mycompany.com. This lets Splunk users share log data without revealing confidential or personal information. By default the dictionary and configuration files found in $SPLUNK_HOME/etc/anonymizer are used. These can be overridden by specifying arguments to the scrub command. The arguments exactly correspond to the settings in the stand-alone "splunk anonymize" command, and are documented there. Anonymizes all attributes, exception those that start with "_" (except "_raw") or "date_", or the following attributes: "eventtype", "linecount", "punct", "sourcetype", "timeendpos", "timestartpos".
When using alternative filenames, they must not contain paths and refer to files located in $SPLUNK_HOME/etc/anonymizer, or the optional namespace="appname" must be used to specify an app supplying the files, and they will be read from $SPLUNK_HOME/etc/app/<appname>/anonymizer.
example1 = ... | scrub
maintainer = david
shortdesc = Anonymizes the search results.
syntax = scrub (public-terms=<filename>)? (private-terms=<filename>)? (name-terms=<filename>)? (dictionary=<filename>)? (timeconfig=<filename>)? (namespace=<string>)?
tags = anonymize scrub secure private obfuscate
usage = public beta
[search-command]
appears-in = 3.x
category = search::search
comment1 = Search for events with "404" and from host "webserver1"
comment2 = Search for events with either codes 10 or 29, and a host that isn't "localhost" and an xqp that is greater than 5
commentcheat1 = Keep only search results that have the specified "src" or "dst" values.
description = If the first search command, retrieve events from the indexes, using keywords, quoted phrases, wildcards, and key/value expressions; if not the first, filter results.
example1 = 404 host="webserver1"
example2 = (code=10 OR code=29) host!="localhost" xqp>5
examplecheat1 = src="10.9.165.*" OR dst="10.9.165.8"
maintainer = ssorkin
shortdesc = Filters results using keywords, quoted phrases, wildcards, and key/value expressions.
simplesyntax = search <logical-expression>?
syntax = search <logical-expression>?
tags = search query find where filter daysago enddaysago endhoursago endminutesago endmonthsago endtime endtime eventtype eventtypetag host hosttag hoursago minutesago monthsago searchtimespandays searchtimespanhours searchtimespanminutes searchtimespanmonths source sourcetype startdaysago starthoursago startminutesago startmonthsago starttime starttimeu tag
usage = public
[search-modifier]
syntax = <index-specifier>|<sourcetype-specifier>|<host-specifier>|<source-specifier>|<savedsplunk-specifier>|<eventtype-specifier>|<eventtypetag-specifier>|<hosttag-specifier>|<tag-specifier>
[search-name-string]
description = The name of the saved search.
example = mysavedsearch
syntax = <string>
[searchoption]
default = none
description = Search to run map on.
example1 = [search starttimeu::$start$ endtimeu::$end$ source="$source$"]
syntax = <subsearch> | search=\"<string>\"
[searchtimespandays]
syntax = searchtimespandays=<int>
[searchtimespanhours]
description = The time span operators are always applied from the last time boundary set. Therefore, if an endtime operator is closest to the left of a timespan operator, it will be applied to the starttime. If you had 'enddaysago::1 searchtimespanhours::5', it would be equivalent to 'starthoursago::29 enddaysago::1'.
syntax = searchtimespanhours=<int>
[searchtimespanminutes]
syntax = searchtimespanminutes=<int>
[searchtimespanmonths]
syntax = searchtimespanmonths=<int>
[searchtxn-command]
appears-in = 4.2
category = results::group
comment1 = find all email transactions to root from david smith
description = Retrieves events matching the transactiontype
TRANSACTION-NAME with events transitively discovered by the initial
event constraint of the SEARCH-STRING. \p\
For example, given an 'email'
transactiontype with fields="qid pid" and with a search attribute of
'sourcetype="sendmail_syslog"', and a SEARCH-STRING of "to=root", searchtxn will
find all the events that match 'sourcetype="sendmail_syslog" to=root'.\p\
From those results, all the qid's and pid's are transitively used to
find further search for relevant events. When no more qid or pid
values are found, the resulting search is run\i\
'sourcetype="sendmail_syslog" ((qid=val1 pid=val1) OR ...
....(qid=valn pid=valm) | transaction name=email | search to=root'.\p\
Options:\p\
max_terms -- integer between 1-1000 which determines how many unique field values all fields can use (default=1000). Using smaller values will speed up search, favoring more recent values\p\
use_disjunct -- determines if each term in SEARCH-STRING should be OR'd on the initial search (default=true)\p\
eventsonly -- if true, only the relevant events are retrieved, but the "|transaction" command is not run (default=false)
example1 = | searchtxn email to=root from="david smith"
maintainer = david
related = transaction
shortdesc = Finds transaction events given search constraints.
syntax = searchtxn <transaction-name> (max_terms=<int>)? (use_disjunct=<bool>)? (eventsonly=<bool>)? <search-string>
tags = transaction group cluster collect gather needle winnow
usage = public
[select-arg]
description = Any value sql select arguments, per the syntax found at
http://www.sqlite.org/lang_select.html. If no "from results" is
specified in the select-arg it will be inserted it automatically.
Runs a SQL Select query against passed in search
results. All fields referenced in the select statement must be
prefixed with an underscore. Therefore, "ip" should be references as
"_ip" and "_raw" should be referenced as "__raw". Before the select
command is executed, the previous search results are put into a
temporary database table called "results". If a row has no values,
"select" ignores it to prevent blank search results.
syntax = <string>
[select-command]
alias = report
appears-in = 3.0
comment1 = Search for LOGINs, pass those results to a temporary database table "results", then perform the select operation, producing search results with two fields _ip and _url. If an event did not contain a value for _ip or _url, its row would be ignored.
comment2 = Return ip's that contain 7.
comment3 = Return ip's that start with "12" and end with "255".
description = Runs a SQL SELECT statement.
example1 = login | select _ip, _url from results
example2 = ... | select _ip from results where _ip regexp "7"
example3 = ... | select _ip from results where _ip regexp "^12.*255$"
maintainer = david
optout-in = lite, lite_free
shortdesc = The select command is deprecated. If you want to compute aggregate statistics, try using stats, chart, or timechart. If you want to filter search results, try using search or where.
syntax = select <select-arg>
usage = deprecated
[selfjoin-command]
appears-in = 3.3
category = results::filter
comment1 = Join results with itself on 'id' field.
description = Join results with itself, based on a specified field or list of fields to join on.
example1 = ... | selfjoin id
maintainer = steveyz
related = join
shortdesc = Joins results with itself.
syntax = selfjoin (<selfjoin-options>)* <field-list>
tags = join combine unite
usage = public
[selfjoin-options]
default = overwrite=true | max=1 | keepsingle=false
description = The selfjoin joins each result with other results that have the same value for the join fields. 'overwrite' controls if fields from these 'other' results should overwrite fields of the result used as the basis for the join (default=true). max indicates the maximum number of 'other' results each main result can join with. (default = 1, 0 means no limit). 'keepsingle' controls whether or not results with a unique value for the join fields (and thus no other results to join with) should be retained. (default = false)
example1 = overwrite=f
example2 = max=3
example3 = keepsingle=t
syntax = overwrite=<bool> | max=<int> | keepsingle=<int>
[sendalert-command]
appears-in = 6.3
category = alerting
comment1 = Trigger the hipchat custom alert action and pass in room and message as custom parameters.
description = Triggers the given alert action according to the custom alert actions framework. The command
gathers the configuration for the alert action (from alert_actions.conf, the saved search
and custom parameters passed via the command arguments) and performs token replacement. Then
the command determines the alert action script and arguments to run, creates the alert action
payload and executes the script, handing over the payload via STDIN to the script process.
When running the custom script the sendalert command also honors the maxtime setting from
alert_actions.conf and forcefully terminates the process if it's running longer than the
configured threshold (by default this is set to 5 minutes).
example1 = ... | sendalert hipchat param.room="SecOps" param.message="There is a security problem!"
maintainer = spuchbauer
shortdesc = Triggers the given custom alert action.
syntax = sendalert <alert_action_name> (results_link=<url>)? (results_path=<path>)? (param.<param-name>=<value>)*
tags = custom alert
usage = internal
[sendcsv-option]
default = Refer to the email.sendcsv in the alert_actions.conf file.
description = Specify whether to send the results with the email as an attached csv file or not.
syntax = sendcsv=<bool>
[sendemail-command]
appears-in = 3.0
category = alerting
comment1 = Send search results to the specified email.
comment2 = Send search results in HTML format with the subject "myresults".
description = Emails search results to the specified email addresses.
example1 = ... | sendemail to="elvis@splunk.com"
example2 = ... | sendemail to="elvis@splunk.com,john@splunk.com" content_type=html subject=myresults server=mail.splunk.com
maintainer = david
shortdesc = Emails search results to the specified email addresses.
syntax = sendemail <to-option> <from-option>? <cc-option>? <bcc-option>? <subject-option>? <message-option>? <footer-option>? <sendresults-option>? <inline-option>? <format-option>? <sendcsv-option>? <sendpdf-option>? <pdfview-option>? (<paperorientation-option>)? <papersize-option>? <priority-option>? <server-option>? <graceful-option>? <content_type-option>? <width_sort_columns-option>? <use_ssl-option>? <use_tls-option>? <maxinputs-option>? <maxtime-option>?
tags = email mail alert
usage = public
[sendpdf-option]
default = Refer to the email.sendpdf in the alert_actions.conf file.
description = Specify whether to send the results with the email as an attached PDF or not.
syntax = sendpdf=<bool>
[sendresults-option]
default = Refer to the email.sendresults in the alert_actions.conf file.
description = Determines whether the results should be included with the email.
syntax = sendresults=<bool>
[sep]
description = Specify the separator to use for output field names when multiple data series are
used along with a split-by field.
syntax = sep=<string>
[series]
description = Specifies how the data series are named. If series=relative and
<timewrap-span> is set to week, the series names look like "latest_week",
"1week_before", "2weeks_before", and so forth. If series=exact, use the time_format
argument to specify a custom format for the series names.
Defaults to relative.
syntax = relative|exact|short
[server-list]
appears-in = 3.x
default = "*"
description = A list of possibly wildcarded servers changes in the context of the differences. Try it see if it makes sense.
* - header=[true | false] : optionally you can show a header that tries to explain the diff output
* - attribute=[attribute name] : you can choose to diff just a single attribute of the results.
syntax = (<string> )*
[server-option]
default = localhost
description = If the smtp server is not local, use this to specify it.
syntax = server=<string>
[set-command]
category = search::subsearch
comment1 = Return all urls that have 404 errors and 303 errors.
commentcheat = Return values of "URL" that contain the string "404" or "303" but not both.
description = Performs two subsearches and then executes the specified set operation on the two sets of search results.
example1 = | set intersect [search 404 | fields url] [search 303 | fields url]
examplecheat = | set diff [search 404 | fields url] [search 303 | fields url]
generating = true
maintainer = david
related = append, appendcols, join, diff
shortdesc = Performs set operations on subsearches.
syntax = set (union|diff|intersect) <subsearch> <subsearch>
tags = diff union join intersect append
usage = public
[setfields-arg]
description = a key-value pair with quoted value. Standard key cleaning will be performed, ie all non-alphanumeric
characters will be replaced with '_' and leading '_' will be removed.
syntax = <string>="<string>"
[setfields-command]
appears-in = 3.2
category = fields::add
description = Sets the value of the given fields to the specified values for each event in the result set.
Missing fields are added, present fields are overwritten.
example1 = ... | setfields ip="10.10.10.10", foo="foo bar"
maintainer = ledion
note = use 'eval field="value"'
related = fillnull setfields rename
shortdesc = Sets the field values for all results to a common value.
syntax = setfields <setfields-arg>(, <setfields-arg>)*
tags = annotate set note
usage = deprecated
[shape-command]
appears-in = 4.0
category = reporting
comment1 = group each dest_ip into a separate transaction, keeping a list of all their delay values, and then calculating the shape of that dest_ip's delays. dest_ips can be subsequently be clustered by the shape of their delays.
description = Given a numeric multivalued FIELD, produce a 'shape'
attribute, describing the shape of the values, in a symbolic
representation. The symbolic representation will be at most MAXVALUES
long and have at most MAXRESOLUTION different characters. The
defaults are MAXVALUES = 5 and MAXRESOLUTION = 10, normally producing
a SHAPE value of 5 characters made up of 10 letters (a-k).
example1 = ... | fields dest_ip, delay | transaction dest_ip mvlist=true | shape delay
maintainer = david
related = anomalousvalue, cluster, kmeans, outlier
shortdesc = Produces a symbolic 'shape' attribute describing the shape of a numeric multivalued field.
syntax = shape <field> (maxvalues=<int>)? (maxresolution=<int>)?
tags = summary symbolic
usage = public
[showargs-command]
appears-in = 3.0
description = Treats the given string as a subsearch, executes that subsearch
and renders the results as an event. This is useful for debugging
subsearches.
example1 = ... | showargs [search * | top source | fields source | format]
generating = true
maintainer = steveyz
syntax = showargs <subsearch>
usage = internal
[sichart-command]
appears-in = 4.0
category = index::summary
comment1 = Compute the necessary information to later do 'chart avg(foo) by bar' on summary indexed results.
description = Summary indexing friendly versions of chart command, using the same syntax. Does not require explicitly knowing what statistics are necessary to store to the summary index in order to generate a report.
example1 = ... | sichart avg(foo) by bar
maintainer = steveyz
optout-in = lite, lite_free
related = collect, overlap, sirare, sistats, sitimechart, sitop
shortdesc = Summary indexing friendly versions of chart command.
syntax = sichart <chart-command-arguments>
tags = chart summary index summaryindex
usage = public
[sid-opt]
description = The search id of the job whose artifacts need to be loaded.
example = 1233886270.2
syntax = <string>
[single-agg]
description = A single aggregation applied to a single field (can be evaled field). No wildcards are allowed.
The field must be specified, except when using the special 'count' aggregator that applies to events as a whole.
example1 = count
example2 = avg(delay)
example3 = sum(eval(date_hour * date_minute))
note = C and COUNT are explicitly specified because they may be called without a field.
In this mode, the result is the count of results overall, or in the by-clause if specified.
simplesyntax = count|<stats-func>(<field>)
syntax = count|c|<stats-func>"("<field>|<evaled-field>")"
[sirare-command]
appears-in = 4.0
category = index::summary
comment1 = Compute the necessary information to later do 'rare foo bar' on summary indexed results.
description = Summary indexing friendly versions of rare command, using the same syntax. Does not require explicitly knowing what statistics are necessary to store to the summary index in order to generate a report.
example1 = ... | sirare foo bar
maintainer = steveyz
optout-in = lite, lite_free
related = collect, overlap, sichart, sistats, sitimechart, sitop
shortdesc = Summary indexing friendly versions of rare command.
syntax = sirare <rare-command-arguments>
tags = rare summary index summaryindex
usage = public
[sistats-command]
appears-in = 4.0
category = index::summary
comment1 = Compute the necessary information to later do 'stats avg(foo) by bar' on summary indexed results
description = Summary indexing friendly versions of stats command, using the same syntax. Does not require explicitly knowing what statistics are necessary to store to the summary index in order to generate a report.
example1 = ... | sistats avg(foo) by bar
maintainer = steveyz
optout-in = lite, lite_free
related = collect, overlap, sichart, sirare, sitop, sitimechart,
shortdesc = Summary indexing friendly versions of stats command.
syntax = sistats <stats-command-arguments>
tags = stats summary index summaryindex
usage = public
[sitimechart-command]
appears-in = 4.0
category = index::summary
comment1 = Compute the necessary information to later do 'timechart avg(foo) by bar' on summary indexed results.
description = Summary indexing friendly versions of timechart command, using the same syntax. Does not require explicitly knowing what statistics are necessary to store to the summary index in order to generate a report.
example1 = ... | sitimechart avg(foo) by bar
maintainer = steveyz
optout-in = lite, lite_free
related = collect, overlap, sichart, sirare, sistats, sitop
shortdesc = Summary indexing friendly versions of timechart command.
syntax = sitimechart <timechart-command-arguments>
tags = timechart summary index summaryindex
usage = public
[sitop-command]
appears-in = 4.0
category = index::summary
comment1 = Compute the necessary information to later do 'top foo bar' on summary indexed results.
description = Summary indexing friendly versions of top command, using the same syntax. Does not require explicitly knowing what statistics are necessary to store to the summary index in order to generate a report.
example1 = ... | sitop foo bar
maintainer = steveyz
optout-in = lite, lite_free
related = collect, overlap, sichart, sirare, sistats, sitimechart
shortdesc = Summary indexing friendly versions of top command.
syntax = sitop <top-command-arguments>
tags = top summary index summaryindex
usage = public
[slc-option]
description = Options for configuring the simple log clusters.
"T=" sets the threshold which must be > 0.0 and < 1.0. The closer the threshold is to 1, the more similar events have to be in order to be considered in the same cluster. Default is 0.8
"delims" configures the set of delimiters used to tokenize the raw string. By default everything except 0-9, A-Z, a-z, and '_' are delimiters.
"showcount" if yes, this shows the size of each cluster (default = false)
"countfield" name of field to write cluster size to if showcount=true , default = "cluster_count"
"labelfield" name of field to write cluster number to, default = "cluster_label"
"field" name of field to analyze, default = _raw
"labelonly" if true, instead of reducing each cluster to a single event, keeps all original events and merely labels with them their cluster number
"match" determines the similarity method used, defaulting to termlist. termlist requires the exact
same ordering of terms, termset allows for an unordered set of terms, and ngramset compares sets of
trigram (3-character substrings). ngramset is significantly slower on large field values and is most useful for short non-textual fields, like 'punct'
example1 = t=0.9 delims=" ;:" showcount=true countfield="SLCCNT" labelfield="LABEL" field=_raw labelonly=true
syntax = ((t=<num>)|(delims=<string>)|(showcount=<bool>)|(countfield=<field>)|(labelfield=<field>)|(field=<field>)|(labelonly=<bool>)|(match=(termlist|termset|ngramset)))
[snap-to-time]
description = In addition to the standard bin-options, the timechart command includes another
bin-option called <snap-to-time>. The <snap-to-time> is a span of each bin, based
on a relative time unit and a snap to time unit. The <snap-to-time> must include a
relative_time_unit, the @ symbol, and a snap_to_time_unit. The offset, represented
by the plus (+) or minus (-) is optional. If the <time_integer> is not specified,
1 is the default. For example if you specify w as the relative_time_unit,
1 week is assumed. This option is used only with week time units. It cannot be
used with other time units such as minutes or quarters.
syntax = [+|-] [<time_integer>] <relative_time_unit>@<snap_to_time_unit>
[sort-by-clause]
description = List of fields to sort by and their sort order (ascending or descending)
example1 = _time, -host
example2 = - time, host
example3 = -size, +source
simplesyntax = ("-"|"+")<sort-field> ","
syntax = ("-"|"+")?( )?<sort-field> ","?
[sort-command]
appears-in = 3.0
category = results::order
comment1 = Sort results by the "_time" field in ascending order and then by the "host" value in descending order.
comment2 = Sort first 100 results in descending order of the "size" field and then by the "source" value in ascending order.
commentcheat = Sort results by "ip" value in ascending order and then by "url" value in descending order.
description = Sorts by the given list of fields. If more than one field is specified,
the first denotes the primary sort order, the second denotes the secondary, etc.
If the fieldname is immediately (no space) preceded by "+", the sort is ascending (default).
If the fieldname is immediately (no space) preceded by "-", the sort is descending.
If white space follows "+/-", the sort order is applied to all following fields without a different explicit sort order.
Also a trailing "d" or "desc" causes the results to be reversed.
Results missing a given field are treated as having the smallest or largest
possible value of that field if the order es descending or ascending respectively.
If the field takes on numeric values, the collating sequence is numeric.
If the field takes on IP address values, the collating sequence is for IPs.
Otherwise, the collating sequence is lexicographic ordering.
If the first term is a number, then at most that many results are returned (in order).
If no number is specified, the default limit of 10000 is used. If number is 0, all results will be returned.
example1 = ... | sort _time, -host
example2 = ... | sort 100 -size, +source
examplecheat = ... | sort ip, -url
maintainer = steveyz
related = reverse
shortdesc = Sorts search results by the specified fields.
simplesyntax = sort (<int:count>)? <sort-by-clause>+ desc?
syntax = sort (<int>)? <sort-by-clause>+ (d|desc)?
tags = arrange, order, rank, sort
usage = public
[sort-field]
description = a sort field may be a field or a sort-type and field. sort-type can be "ip" to interpret
the field's values as ip addresses. "num" to treat them as numbers, "str" to order lexigraphically,
and "auto" to make the determination automatically. If no type is specified, it is assumed to be "auto"
example1 = auto(size)
example2 = ip(source_addr)
example3 = str(pid)
example4 = host
example5 = _time
syntax = <field> | ((auto|str|ip|num) "(" <field> ")")
[source-specifier]
description = Search for events from the specified source
syntax = source(=|!=)<string>
[sourcetype-specifier]
description = Search for events from the specified sourcetype
syntax = sourcetype(=|!=)<string>
[span-length]
comment1 = set span to 10 seconds
comment2 = set span to 2 days
comment3 = set span to 5 minutes
description = Span of each bin.
If using a timescale, this is used as a time range.
If not, this is an absolute bin "length."
example1 = 10
example2 = 2d
example3 = 5m
syntax = <int>(<timescale>)?
[sparkline-agg]
description = A sparkline specifier, which takes the first argument of a aggregation function on a field,
optionally followed by a timespan specifier. If no timespan specifier is used, an appropriate
timespan is chosen based on the time range of the search. If the sparkline is not scoped to a field,
only the count aggregator is permitted.
example1 = sparkline(count)
example2 = sparkline(count(source))
example3 = sparkline(dc(source)) by sourcetype
example4 = sparkline(dc(source),5m) by sourcetype
syntax = sparkline "(" count ("," <span-length> )? ")" | sparkline "(" <sparkline-func> "(" <wc-field> ")" ( "," <span-length> )? ")"
[sparkline-agg-term]
description = A sparkline specifier optionally renamed to a new field name.
example1 = sparkline(count(user))
example2 = sparkline(dc(device)) AS numdevices
syntax = <sparkline-agg> (as <wc-field>)?
[sparkline-func]
description = Aggregation function to use to generate sparkline values. Each sparkline value is produced by applying
this aggregation to the events that fall into each particular time bucket
syntax = c|count|dc|mean|avg|stdev|stdevp|var|varp|sum|sumsq|min|max|range
[spath-command]
appears-in = 4.3
category = fields::add
description = When called with no path argument, spath extracts all fields from the
first 5000 (limit is configurable via limits.conf characters, with the produced fields named by their path.
If a path is provided, the value of this path is extracted to a field
named by the path by default, or to a field specified by the output
argument if it is provided.
Paths are of the form 'foo.bar.baz'. Each level can also have an
optional array index, delineated by curly brackets ex 'foo{1}.bar'.
All array elements can be represented by empty curly brackets e.g. 'foo{}'.
The final level for XML queries can also include an attribute name,
also enclosed by curly brackets, e.g. 'foo.bar{@title}'.
By default, spath takes the whole event as its input. The input
argument can be used to specify a different field for the input source.
example1 = ... | spath output=myfield path=foo.bar.baz
example2 = ... | spath input=oldfield output=newfield path=catalog.book{@id}
example3 = ... | spath server.name
maintainer = aneels
related = rex, regex
shortdesc = Extracts values from structured data (XML or JSON) and stores them in a field or fields.
syntax = spath (output=<field>)? (path=<datapath> | <datapath>)? (input=<field>)?
tags = spath xpath json xml extract
usage = public
[split-by-clause]
description = Specifies a field to split by. If field is numerical, default discretization is applied.
note = Discretization is specified by the tc-option.
syntax = <field> (<tc-option> )* (<where-clause>)?
[splunk-server-group-opt]
description = Optional, argument specifies whether or not to limit results to one specific server_group. Repeatable.
syntax = splunk_server_group=<string>
[splunk-server-group-option]
description = Optional, argument specifies whether or not to limit results to one specific server_group.
syntax = splunk_server_group=<string>
[splunk-server-opt]
description = Optional, argument specifies whether or not to limit results to one specific server. Use "local" to refer to the search head
syntax = splunk_server=<string>
[splunk-server-option]
description = Optional, argument specifies whether or not to limit results to one specific server. Use "local" to refer to the search head
syntax = splunk_server=<string>
[srcfields]
description = Fields should either be key names or quoted literals
syntax = (<field>|<double-quoted-string>) (<field>|<double-quoted-string>) (<field>|<double-quoted-string> )*
[start-opt]
default =
description = A search or eval filtering expression which if satisfied by an event marks the beginning of a new transaction
example1 = startswith="login"
example2 = startswith=(username=foobar)
example3 = startswith=eval(speed_field < max_speed_field)
example4 = startswith=eval(speed_field < max_speed_field/12)
syntax = startswith=<transam-filter-string>
[startdaysago]
description = A short cut to set the start time. starttime = now - (N days)
syntax = startdaysago=<int>
[starthoursago]
description = A short cut to set the start time. starttime = now - (N hours)
syntax = starthoursago=<int>
[startminutesago]
description = A short cut to set the start time. starttime = now - (N minutes)
syntax = startminutesago=<int>
[startmonthsago]
description = A short cut to set the start time. starttime = now - (N months)
syntax = startmonthsago=<int>
[starttime]
description = Events must be later or equal to this time. Must match time format.
syntax = starttime=<string>
[starttimeu]
description = Set the start time to N seconds since the epoch. ( unix time )
syntax = starttimeu=<num>
[stats-agg]
comment3 = applies to both delay and xdelay
comment4 = count of events where sourcetype has the value "splunkd". The { must immediately follow the (
description = A specifier formed by a aggregation function applied to a field or set of fields.
As of 4.0, it can also be an aggregation function applied to a arbitrary eval expression.
The eval expression must be wrapped by "eval(" and ")".
If no field is specified in the parenthesis,
the aggregation is applied independently to all fields,
and is equivalent to calling a field value of *
When a numeric aggregator is applied to a not-completely-numeric field
no column is generated for that aggregation.
example1 = avg(kbps)
example2 = max(size)
example3 = stdev(*delay)
example4 = count(eval(sourcetype="splunkd"))
syntax = <stats-func>( "(" ( <evaled-field> | <wc-field> )? ")" )?
[stats-agg-term]
description = A statistical specifier optionally renamed to a new field name.
example1 = avg(kbps)
example2 = count(device) AS numdevices
syntax = <stats-agg> (as <wc-field>)?
[stats-c]
description = The count of the occurrences of the field.
simplesyntax = count
syntax = c|count
[stats-command]
appears-in = 3.0
category = reporting
commentcheat1 = Remove duplicates of results with the same "host" value and return the total count of the remaining results.
commentcheat2 = Return the average for each hour, of any unique field that ends with the string "lay" (for example, delay, xdelay, relay, etc).
commentcheat3 = Search the access logs, and return the number of hits from the top 100 values of "referer_domain".
description = Calculate aggregate statistics over the dataset, optionally grouped by a list of fields.
Aggregate statistics include: \i\
* count, distinct count \i\
* mean, median, mode \i\
* min, max, range, percentiles \i\
* standard deviation, variance \i\
* sum \i\
* earliest and latest occurrence \i\
* first and last (according to input order into stats command) occurrence \p\
Similar to SQL aggregation.
If called without a by-clause, one row is produced, which represents the
aggregation over the entire incoming result set. If called with a
by-clause, one row is produced for each distinct value of the by-clause.
The 'partitions' option, if specified, allows stats to partition the
input data based on the split-by fields for multithreaded reduce.
The 'allnum' option, if true (default = false), computes numerical statistics on each
field if and only if all of the values of that field are numerical.
The 'delim' option is used to specify how the values in the 'list' or 'values' aggregation are delimited. (default is a single space)
When called with the name "prestats", it will produce intermediate results (internal).
example1 = sourcetype=access* | stats avg(kbps) by host
example2 = sourcetype=access* | top limit=100 referer_domain | stats sum(count)
examplecheat1 = ... | stats distinct_count(host)
examplecheat2 = ... | stats avg(*lay) BY date_hour
examplecheat3 = sourcetype=access_combined | top limit=100 referer_domain | stats sum(count)
maintainer = steveyz
note = When called without any arguments, stats assumes the argument "default(*)".
This produces a table with the cross-product of aggregator and field as columns,
And a single row with the value of that aggregator applied to that field across all data.
related = eventstats, rare, sistats, streamstats, top
shortdesc = Provides statistics, grouped optionally by field.
simplesyntax = stats (((c|count|dc|distinct_count|estdc|estdc_error|earliest|latest|avg|stdev|stdevp|var|varp|sum|min|max|mode|median|first|last|earliest|latest|percint|list|values|range) "(" <field> ")") (as <field>)? )+ (by <field-list>)?
supports-multivalue = true
syntax = stats <stats-command-arguments>
tags = stats statistics event sparkline count dc mean avg stdev var min max mode median
usage = public
[stats-command-arguments]
description = See stats-command description.
syntax = (partitions=<num>)? (allnum=<bool>)? (delim=<string>)? (<stats-agg-term> | <sparkline-agg-term>)* (<by-clause>)?
[stats-dc]
description = The count of distinct values of the field.
simplesyntax = distinct_count
syntax = dc|distinct_count
[stats-earliest]
description = Returns the chronologically earliest seen occurrence of a value of the field.
syntax = earliest
[stats-earliest-time]
description = Returns the epoch time of the chronologically earliest seen occurrence of a value of the field.
syntax = earliest_time
[stats-estdc]
description = The estimated count of the distinct values of the field.
syntax = estdc
[stats-estdc-error]
description = The theoretical error of the estimated count of the distinct values of the field, where the error represents a ratio of abs(estimate_value - real_value)/real_value
syntax = estdc_error
[stats-first]
description = The first seen value of the field.
note = In general the first seen value of the field is
the chronologically most recent instance of this field.
syntax = first
[stats-func]
description = Statistical aggregators.
syntax = <stats-c>|<stats-dc>|<stats-mean>|<stats-stdev>|<stats-var>|<stats-sum>|<stats-sumsq>|<stats-min>|<stats-max>|<stats-mode>|<stats-median>|<stats-earliest>|<stats-first>|<stats-last>|<stats-latest>|<stats-perc>|<stats-list>|<stats-values>|<stats-range>|<stats-estdc>|<stats-estdc-error>|<stats-earliest-time>|<stats-latest-time>|<stats-rate>
[stats-last]
description = The last seen value of the field.
syntax = last
[stats-latest]
description = Returns the chronologically latest seen occurrence of a value of the field.
syntax = latest
[stats-latest-time]
description = Returns epoch time of the chronologically latest seen occurrence of a value of the field.
syntax = latest_time
[stats-list]
description = List of all values of this field as a multi-value entry. Order of values reflects order of input events.
syntax = list
[stats-max]
description = The maximum value of the field (lexicographic, if non-numeric).
syntax = max
[stats-mean]
description = The arithmetic mean of the field.
simplesyntax = avg
syntax = mean|avg
[stats-median]
description = The middle-most value of the field.
syntax = median
[stats-min]
description = The minimum value of the field (lexicographic, if non-numeric).
syntax = min
[stats-mode]
description = The most frequent value of the field.
syntax = mode
[stats-perc]
description = The n-th percentile value of this field. perc<int>, p<int>, and upperperc<int> give approximate values for the integer percentile requested. The approximation algorithm we use provides a strict bound of the actual value at for any percentile. perc<int> and p<int> return a single number that represents the lower end of that range while upperperc<int> gives the approximate upper bound. exactperc<int> provides the exact value, but will be very expensive for high cardinality fields.
simplesyntax = perc<int>
syntax = (perc|p|exactperc|upperperc)<int>
[stats-range]
description = The difference between max and min (only if numeric)
syntax = range
[stats-stdev]
description = The {sample, population} standard deviation of the field.
syntax = stdev|stdevp
[stats-sum]
description = The sum of the values of the field.
syntax = sum
[stats-sumsq]
description = The sum of the square of the values of the field.
syntax = sumsq
[stats-values]
description = List of all distinct values of this field as a multi-value entry. Order of values is lexigraphical.
syntax = values
[stats-var]
description = The {sample, population} variance of the field.
syntax = var|varp
[stats=rate]
description = Returns the per second rate change of the value of the field. Requires the earliest and latest value of the field to be numerical and the earliest_time and latest_time of the field to be different.
syntax = rate
[strcat-command]
appears-in = 3.2
category = fields::add
comment1 = Add a field, address, which combines the host and port values into the format <host>::<port>.
comment2 = Add the field, comboIP, and then create a chart of the number of occurrences of the field values.
commentcheat = Add the field, comboIP, which combines the source and destination IP addresses and separates them with a front slash character.
description = Stitch together fields and/or strings to create a new field.
Quoted tokens are assumed to be literals and the rest field names.
The destination field name is always at the end.
If allrequired=t, for each event the destination field is only
written to if all source fields exist. If allrequired=f (default)
the destination field is always written and any source fields
that do not exist are treated as empty string.
example1 = ... | strcat host "::" port address
example2 = host="mailserver" | strcat sourceIP "/" destIP comboIP | chart count by comboIP
examplecheat = ... | strcat sourceIP "/" destIP comboIP
maintainer = steveyz
related = eval
shortdesc = Concatenates string values.
syntax = strcat (allrequired=<bool>)? <srcfields> <field>
tags = strcat concat string append
usage = public
[streamedcsv-command]
appears-in = 3.2
description = Internal command to test dispatch.
example1 = | streamedcsv
maintainer = ssorkin
syntax = streamedcsv (chunk=<int>)? <string>
usage = internal
[streamstats-command]
appears-in = 4.0
category = reporting
comment1 = For each event, add a count field that represent the number of events seen so far (including that event). For example, 1 for the first event, 2 for the second, and so on.
comment2 = For each event, compute the average of field foo over the last 5 events (including the current event). Similar to doing trendline sma5(foo)
comment3 = Same as example1, except that the current event is not included in the count
comment4 = Compute the average value of foo for each value of bar including only the only 5 events with that value of bar.
description = Similar to the 'eventstats' command except that only events seen before
the current event (plus that event itself if current=t, which is the default)
are used to compute the aggregate statistics that are applied to each event. \p\
The 'window' option specifies the window size, based on number of events, to
use in computing the statistics. If set to 0, the default, all previous events
and the current event are used. If the 'global' option is set to false
(default is true) and 'window' is set to a non-zero value, a separate window
is used for each group of values of the group by fields. \p\
The 'allnum' option has the same affect as for the stats and eventstats
commands. \p\
If the reset_on_change option is set to true (default is false), all
accumulated information is reset (as if no previous events have been seen)
whenever the group by fields change. Events that do not have all of the
group by fields are ignored and will not cause a reset. \p\
The reset_before and reset_after arguments use boolean eval expressions.
When these expressions evaluated on a event either before or after
(respectively) the streamstats is calculation applied, will reset the
accumulated information. The reset_after condition might reference
fields emitted by the streamstats operation itself, whereas the reset_before
condition might not. When the reset options are combined with the 'window'
option, the window is also reset (to as if no previous events have been seen)
whenever the accumulated statistics are reset.\p\
If 'time_window' is specified, the window size limited by the range of _time
values in a window. A maximum number of events in a window still applies for
a time-based window. The default maximum is set in the max_stream_window
attribute in the limits.conf file. You can lower the maximum by specifying
the 'window' option. The time_window option requires
the input events be sorted in either ascending or descending time order.
example1 = ... | streamstats count
example2 = ... | streamstats avg(foo) window=5
example3 = ... | streamstats count current=f
example4 = ... | streamstats avg(foo) by bar window=5 global=f
maintainer = steveyz
related = accum, autoregress, delta, eventstats, stats, streamstats, trendline
shortdesc = Adds summary statistics to all search results in a streaming manner.
syntax = streamstats (reset_on_change=<bool>)? (reset_before="("<eval-expression>")")? (reset_after="("<eval-expression>")")? (current=<bool>)? (window=<int>)? (time_window=<span-length>)? (global=<bool>)? (allnum=<bool>)? (<stats-agg-term>)* (<by-clause>)?
tags = stats statistics event
usage = public
[subject-option]
default = Splunk Results
description = Specifies the subject line.
syntax = subject=<string>
[subsearch]
description = Specifies a subsearch.
example1 = [search 404 | select url]
syntax = [<string>]
tags = set union diff intersect
[subsearch-options]
description = You can specify one or more of these options.
The extendtimerange option specifies whether to include the subsearch time range
in the time range for the entire search. The default is false.
The maxtime option specifies the maximum number of seconds to run the subsearch before finalizing.
The maxout option specifies the maximum number of results to return from the subsearch.
The timeout option specifies the maximum amount of time, in seconds, to cache the subsearch results.
syntax = (extendtimerange=<bool>)? (maxtime=<int>)? (maxout=<int>)? (timeout=<int>)?
[surrounding-command]
appears-in = 3.0
description = Finds events surrounding the event specified by event-id filtered by the search keys.
example1 = | surrounding id=0:0 timeBefore=3600 timeAfter=3600 searchKeys=source::foo host::bar maxresults::50 readlevel::2 index::default
generating = true
maintainer = brian
optout-in = lite, lite_free
syntax = surrounding id=<event-id> timebefore=<int> timeafter=<int> searchkeys=<key-list> <int:maxresults> readlevel=<readlevel-int> <index-specifier>
usage = internal
[table-command]
appears-in = 4.1
category = results::filter
comment1 = Resulting table has field foo then bar then all fields that start with 'baz'
description = Returns a table formed by only the fields specified in the arguments. Columns are
displayed in the same order that fields are specified. Column headers are the field
names. Rows are the field values. Each row represents an event.
example1 = ... | table foo bar baz*
maintainer = steveyz
related = fields
shortdesc = Returns a table formed by only the fields specified in the arguments.
syntax = table <wc-field-list>
tags = fields
usage = public
[tag-specifier]
description = Search for all events that have their specified field tagged by string
syntax = tag(=|!=)<field>::<string>
usage = internal
[tagcreate-command]
appears-in = 3.0
description = Sets the tag on each fielded value.
example1 = ... | tagcreate webserver host::web
maintainer = brian
syntax = tagcreate <tag> <field-and-value-list>
usage = internal
[tagdelete-command]
appears-in = 3.0
description = Deletes the tag from each fielded value if they were tagged with tag.
example1 = ... | tagdelete webserver host::web
maintainer = brian
syntax = tagdelete <tag> <field-and-value-list>
usage = internal
[tags-command]
appears-in = 4.2
category = fields::add
comment1 = write tags for host and eventtype fields into tag::host and tag::eventtype
comment2 = write new field test that contains tags for all fields
comment3 = write tags for host and sourcetype into field test in the format host::<tag> or sourcetype::<tag>
description = Annotate the search results with tags. If there are fields specified only annotate tags for those fields otherwise look for tags for all fields. If outputfield is specified, the tags for all fields will be written to this field. Otherwise, the tags for each field will be written to a field named tag::<field>. If outputfield is specified, inclname and inclvalue control whether or not the field name and field values are added to the output field. By default only the tag itself is written to the outputfield. E.g.: (<field>::)?(<value>::)?tag
example1 = ... | tags host eventtype
example2 = ... | tags outputfield=test
example3 = ... | tags outputfield=test inclname=t host sourcetype
maintainer = steveyz
related = eval
shortdesc = Annotates specified fields in your search results with tags.
syntax = tags (outputfield=<field>)? (inclname=<bool>)? (inclvalue=<bool>)? (<field> )*
tags = tags
usage = public
[tagset-command]
appears-in = 3.0
description = Sets the tags for the fielded value to be the tag list. Other tags are deleted.
example1 = ... | tagset host::web webserver
maintainer = brian
syntax = tagset <field-and-value> <tag-list>
usage = internal
[tail-command]
appears-in = 3.2
category = results::order
commentcheat = Return the last 20 results (in reverse order).
description = Returns the last n results, or 10 if no integer is specified. The events
are returned in reverse order, starting at the end of the result set.
examplecheat = ... | tail 20
maintainer = steveyz
related = head, reverse
shortdesc = Returns the last n number of specified results.
syntax = tail (<int>)?
tags = tail last bottom trailing earliest
usage = public beta
[tc-option]
description = Timechart options for controlling the behavior of splitting by a field.
See the bin command for details about the <bin-options>.
In addition to the <bin-options>:
The usenull option controls whether or not a series is
created for events that do not contain the split-by field.
This series is labeled by the value of the nullstr option, and defaults to NULL.
The useother option specifies if a series should be added for data series not
included in the graph because they did not meet the criteria of the <where-clause>.
This series is labeled by the value of the otherstr option, and defaults to OTHER.
example1 = bins=10
example2 = usenull=f
example3 = otherstr=OTHERFIELDS
syntax = <bin-options>|(usenull=<bool>)|(useother=<bool>)|(nullstr=<string>)|(otherstr=<string>)
[time-format]
description = Use with series=exact to specify a custom name for the series.
syntax = time_format=<string>
[time-modifier]
syntax = <earliesttime><indexearliest>|<starttime>|<startdaysago>|<startminutesago>|<starthoursago>|<startmonthsago>|<starttimeu>|<latesttime>|<indexlatest>|<endtime>|<enddaysago>|<endminutesago>|<endhoursago>|<endmonthsago>|<endtimeu>|<searchtimespanhours>|<searchtimespanminutes>|<searchtimespandays>|<searchtimespanmonths>|<daysago>|<minutesago>|<hoursago>|<monthsago>
[time-opts]
syntax = (<timeformat>)? (<time-modifier> )*
[timechart-command]
appears-in = 3.0
category = reporting
commentcheat1 = Graph the average "thruput" of hosts over time.
commentcheat2 = Create a timechart of average "cpu_seconds" by "host", and remove data (outlying values) that may distort the timechart's axis.
commentcheat3 = Calculate the average value of "CPU" each minute for each "host".
commentcheat4 = Create a timechart of the count of from "web" sources by "host"
commentcheat5 = Compute the product of the average "CPU" and average "MEM" each minute for each "host"
description = Creates a chart for a statistical aggregation applied to a field against time. When
the data is split by a field, each distinct value of this split-by field is a series.
If used with an eval-expression, the split-by-clause is required. \p\
When a where clause is not provided, you can use limit and agg options to specify
series filtering. If limit=0, there is no series filtering. \p\
When specifying multiple data series with a split-by-clause, you can use sep and
format options to construct output field names.\p\
When called without any bin-options, timechart defaults to bins=300. This finds
the smallest bucket size that results in no more than three hundred distinct buckets.
example1 = ... | timechart span=5m avg(delay) by host
example2 = sourcetype=access_combined | timechart span=1m count(_raw) by product_id usenull=f
example3 = sshd failed OR failure | timechart span=1m count(eventtype) by source_ip usenull=f where count>10
examplecheat1 = ... | timechart span=5m avg(thruput) by host
examplecheat2 = ... | timechart avg(cpu_seconds) by host | outlier action=tf
examplecheat3 = ... | timechart span=1m avg(CPU) by host
examplecheat4 = ... | timechart count by host
examplecheat5 = ... | timechart span=1m eval(avg(CPU) * avg(MEM)) by host
maintainer = sorkin
note = When called without any bin-options, TIMECHART assumes bins=300 has been specified. This finds the smallest bucket size that results in no more than 300 distinct buckets.
related = bucket, chart, sitimechart
shortdesc = Creates a time series chart with corresponding table of statistics.
supports-multivalue = true
syntax = timechart <timechart-command-arguments>
tags = chart graph report count dc mean avg stdev var min max mode median per_second per_minute per_hour per_day
usage = public
[timechart-command-arguments]
description = See timechart-command description.
syntax = (sep=<string>)? (format=<string>)? (fixedrange=<bool>)? (partial=<bool>)? (cont=<bool>)? (limit=<int>)? (<stats-agg-term>)? (<bin-options> )* ( <single-agg> | <timechart-single-agg> | ( "(" <eval-expression> ")" ) )+ by <split-by-clause>
[timechart-single-agg]
description = Same as single-agg except that additional per_* functions are allowed for computing rates over time
example1 = per_second(drop_count)
syntax = (per_second|per_minute|per_hour|per_day) "(" <field>|<evaled-field> ")"
[timeformat]
default = timeformat=%m/%d/%Y:%H:%M:%S
description = Set the time format for starttime and endtime terms.
example1 = timeformat=%m/%d/%Y:%H:%M:%S
syntax = timeformat=<string>
[timeout-opt]
description = Optional, argument specifies the timeout, in seconds, when waiting for the REST endpoint to respond. Defaults to 60 seconds.
syntax = timeout=<int>
[timescale]
description = Time scale units. You can use abbreviations for the units. See the
documentation for the timewrap command in the Search Reference.
syntax = sec|min|hr|day|week|month|quarter|year
[timestamp]
comment2 = 5 days ago
example1 = 10/1/2007:12:34:56
example2 = -5
syntax = MM/DD/YYYY(:HH:MM:SS)?|<int>
[timewrap-command]
appears-in = 7.0
category = reporting
comment1 = Display a timechart that has a span of 1 day for each count in a week over
week comparison table. Each table column, which is the series, is 1 week of time.
description = Displays, or wraps, the output of timechart so that every period of time is
a different series. Use the timewrap command to compare data over specific
time period, such as day-over-day or month-over-month. You can also compare
multiple time periods, periods, such as a two week period over another
two week period. The <timewrap-span> can be any length of time including
weeks and quarters. You must use the timechart command in the search before
you use the timewrap command.
example1 = ... | timechart count span=1d | timewrap 1week
maintainer = steveyz
related = timechart
shortdesc = Displays the output of timechart so that every period of time is a different series.
syntax = timewrap <timewrap-span> (align=(now|end))? (series=(relative|exact|short)?) (time_format=<str>)?
tags = timechart
usage = public
[timewrap-span]
description = A span of each bin, based on time. If <int> is not specified, 1 is assumed.
For example, if day is specified for the <timescale>, 1day is assumed.
syntax = (<int>)<timescale>
[to-option]
description = List of email addresses to send search results to.
syntax = to=<email_list>
[top-command]
alias = common
appears-in = 3.0
category = reporting
comment1 = Return top URL values.
comment2 = Return top "user" values for each "host".
commentcheat = Return the 20 most common values of the "url" field.
description = Finds the most frequent tuple of values of all fields in the field list, along with a count and percentage.
If a the optional by-clause is provided, finds the most frequent values
for each distinct tuple of values of the group-by fields.
example1 = ... | top url
example2 = ... | top user by host
examplecheat = ... | top limit=20 url
maintainer = steveyz
related = rare, sitop, stats
shortdesc = Displays the most common values of a field.
supports-multivalue = true
syntax = top <top-command-arguments>
tags = top popular common many frequent typical
usage = public
[top-command-arguments]
description = See top-command description.
syntax = <int>? (<top-opt>)* <field-list> (<by-clause>)?
[top-opt]
description = Top arguments:
showcount: Whether to create a field called "count" (see countfield option) with the count of that tuple. (T)
showperc: Whether to create a field called "percent" (see percentfield option) with the relative prevalence of that tuple. (T)
limit: Specifies how many tuples to return, 0 returns all values. (10)
countfield: Name of new field to write count to (default is "count")
percentfield: Name of new field to write percentage to (default is "percent")
useother: If true, adds a row, if necessary, to represent all values not included
due to the limit cutoff. (default is false)
otherstr: If useother is true, the value that is written into the row representing
all other values (default is "OTHER")
syntax = (showcount=<bool>)|(showperc=<bool>)|(limit=<int>)|(countfield=<string>)|(percentfield=<string>)|(useother=<bool>)|(otherstr=<string>)
[trans-filter-eval]
default =
description = Where <eval-expression> is a valid eval expression that evaluates to a boolean.
example1 = eval(distance/time < max_speed)
syntax = eval(<eval-expression>)
[transaction-command]
alias = transam
category = results::group
comment1 = Collapse all events that share the same host and cookie value, that occur within 30 seconds, and do not have a
pause of more than 5 seconds between the events.
comment2 = Group search results that share the same value of "from", with a maximum span of 30 seconds, and a pause between events no greater than 5 seconds into a transaction.
commentcheat = Group search results that have the same "host" and "cookie", occur within 30 seconds of each other, and do not have a pause greater than 5 seconds between each event into a transaction.
description = Groups events into transactions based on various constraints, such as the beginning
and ending strings or time between events. Transactions are made up of the raw text
(the _raw field) of each member, the time and date fields of the earliest member, as
well as the union of all other fields of each member.\p\
Produces two fields to the raw events, duration and eventcount. The duration value
is the difference between the timestamps for the first and last events in the
transaction. The eventcount value is the number of events in the transaction.
example1 = ... | transaction host,cookie maxspan=30s maxpause=5s
example2 = ... | transaction from maxspan=30s maxpause=5s
examplecheat = ... | transaction host cookie maxspan=30s maxpause=5s
maintainer = ledion/david
related = searchtxn
shortdesc = Groups events into transactions.
supports-multivalue = true
syntax = transaction (<field-list>)? (name=<transaction-name>)? (<txn_definition-opt>)* (<memcontrol-opt>)* (<rendering-opt>)*
tags = transaction group cluster collect gather
usage = public
[transaction-name]
default =
description = The name of a transaction definition from transactions.conf to be used for finding transactions.
If other arguments (e.g., maxspan) are provided as arguments to transam, they overrule the value
specified in the transaction definition.
example1 = purchase_transaction
syntax = <string>
[transam-filter-search-noquotes]
default =
description = Where <logical-expression> is a valid search expression that does not contain quotation marks inside the expression. The <logical-expression> must be surrounded by quotation marks.
example1 = "user=mildred"
syntax = "<logical-expression>"
[transam-filter-search-quotes]
default =
description = Where <logical-expression> is a valid search expression. The <logical-expression> can contain quotes as part of the expression. The <logical-expression> must be enclosed in parenthesis.
example1 = (name="foo bar")
example2 = (username=foobar)
example3 = ("search literal")
syntax = (<logical-expression>)
[transam-filter-string]
description = Alternatives for the search or eval expression strings used with the <transam-filter-string> argument
syntax = <transam-filter-search-noquotes> | <transam-filter-search-quotes> | <transam-filter-eval>
[translatetoxy]
description = If true, geostats produces one result per each binned location for rendering on a
map. If false, geostats produces one result per category per binned location and
cannot be rendered on a map. Defaults to true.
syntax = translatetoxy=<bool>
[transpose-command]
appears-in = 3.x
category = reporting
comment1 = Turns the first five rows into columns
comment2 = Turns the first 20 rows into columns
comment3 = Turns the first five rows into columns, where the input field names are put into the output field called "Test Name", and the input row values for the sourcetype field will be used as the output field names.
description = Turns rows into columns (each row becomes a column). Takes an optional integer argument that limits the number of rows we transpose (default = 5). column_name is the name of the field in the output where the names of the fields of the inputs will go (default = "column"). header_field, if provided, will use the value of this field in each input row as the name of the output field for that column (default = no field provided, output fields will be named "row 1", "row 2", ...). include_empty is an optional boolean option, that if false, will exclude any field/column in the input that had no values for any row (defaults = true).
example1 = ... | transpose
example2 = ... | transpose 20
example3 = ... | transpose column_name="Test Name" header_field=sourcetype include_empty=false
maintainer = steveyz
related = fields, stats
shortdesc = Turns rows into columns.
syntax = transpose (<int>)? (column_name=<string>)? (header_field=<field>)? (include_empty=<bool>)?
tags = fields, stats
usage = public
[trend_type]
description = The type of trend to compute which consist of a trend type and trend period (integer between 2 and 10000)
example1 = sma10
syntax = (sma|ema|wma)<int>
[trendline-command]
appears-in = 4.0
category = reporting
comment1 = Computes a 5 event simple moving average for field 'foo' and write to new field 'smoothed_foo'.
Also computes a 10 event exponential moving average for field 'bar'. Because no AS clause is
specified, writes to the field 'ema10(bar)'.
description = Computes the moving averages of fields. Current supported trend_types include
simple moving average (sma), exponential moving average(ema), and weighted moving average(wma)
The output is written to a new field where the new field name can be explicitly specified or
by default it is simply the trend_type + field.
example1 = ... | trendline sma5(foo) AS smoothed_foo ema10(bar)
maintainer = steveyz
related = accum, autoregress, delta, streamstats, trendline
shortdesc = Computes the moving averages of fields.
syntax = trendline (<trend_type>"("<field>")" (as <field>)?)+
tags = average mean
usage = public
[ts-day]
description = Time scale in days.
simplesyntax = days
syntax = d|day|days
[ts-hr]
description = Time scale in hours.
simplesyntax = hours
syntax = h|hr|hrs|hour|hours
[ts-min]
description = Time scale in minutes.
simplesyntax = minutes
syntax = m|min|mins|minute|minutes
[ts-month]
description = Time scale in months.
simplesyntax = months
syntax = mon|month|months
[ts-sec]
description = Time scale in seconds.
simplesyntax = seconds
syntax = s|sec|secs|second|seconds
[ts-subseconds]
description = Time scale in microseconds("us"), milliseconds("ms"),
centiseconds("cs"), or deciseconds("ds")
syntax = us|ms|cs|ds
[tscollect-command]
appears-in = 5.0
category = reporting
comment1 = Write the results table to tsidx files in namespace foo.
comment2 = Write the values of field foo for the events in the main index to tsidx files in the job directory.
description = Writes the result table into *.tsidx files, for later use by tstats command.
Only non-internal fields and values are written to the tsidx files.
squashcase is false by default; if true, the field *values* are converted
to lowercase when writing them to the *.tsidx files. If namespace is provided,
the tsidx files are written to a directory of that name under the main tsidx
stats directory. These namespaces can be written to multiple times to add new
data. If namespace is not provided, the files are written to a directory within
the job directory of that search, and will live as long as the job does.
If keepresults is set to true, tscollect will output the same results it received
as input. By default this is false, and only emits a count of results processed (this
is more efficient as we do not need to store as many results).
The 'indexes_edit' capability is required to run this command.
example1 = ... | tscollect namespace=foo
example2 = index=main | fields foo | tscollect
maintainer = dmarquardt
optout-in = lite, lite_free
related = tstats
shortdesc = Writes the result table into *.tsidx files using indexed fields format.
syntax = tscollect (namespace=<string>)? (squashcase=<bool>)? (keepresults=<bool>)?
tags = tscollect tsidx projection
usage = internal
[tstats-command]
appears-in = 5.0
category = reporting
comment1 = Gets the count of all events in the mydata namespace
comment2 = Returns the average of field foo in mydata where bar is specifically 'value2' and the value of baz is greater than 5.
comment3 = Gives the count by source for events with host=x
comment4 = Gives a timechart of all the data in your default indexes with a day granularity
comment5 = Gives the median of field foo from mydata
comment6 = Uses prestats mode in conjunction with append to compute the median values of foo and bar, which are in different namespaces
description = Performs statistical queries on indexed fields in tsidx files. You can select from TSIDX data in several different ways: \p\
1. Normal index data: If you do not supply a FROM clause, we will select from index data in the same way as search. You are restricted to selecting
from your allowed indexes by role, and you can control exactly which indexes you select from in the WHERE clause. If no indexes are mentioned
in the WHERE clause search, we will use your default set of indexes. By default, role-based search filters are applied, but can be turned off in limits.conf. \p\
2. Data manually collected with 'tscollect': Select from your namespace with 'FROM <namespace>'. If you supplied no namespace to tscollect, the data
was collected into the dispatch directory of that job. In that case, you would select from that data with 'FROM sid=<tscollect-job-id>' \p\
3. An accelerated datamodel: Select from this accelerated datamodel with 'FROM datamodel=<datamodel-name>'
You can provide any number of aggregates to perform, and also have the option of providing a filtering query using the WHERE keyword. This query looks
like a normal query you would use in the search processor. You can also provide any number of GROUPBY fields. If you are grouping by _time, you should
supply a timespan with 'span' for grouping the time buckets. This timespan looks like any normal timespan in Splunk, like '1hr' or '3d'. It also supports 'auto'. \p\
Arguments: \i\
"prestats": This simply outputs the answer in prestats format, in case you want to pipe the results to a \i\
different type of processor that takes prestats output, like chart or timechart. This is very useful for \i\
creating graphs \i\
"local": If you set this to true it forces the processor to only be run on the search head. \i\
"append": Only valid in prestats mode, this allows tstats to be run to add results to an existing set of \i\
results, instead of generating them. \i\
"summariesonly": Only applies when selecting from an accelerated datamodel. When false (default), \i\
Splunk will generate results from both summarized data, as well as for data that is not \i\
summarized. For data not summarized as TSIDX data, the full search behavior will be used \i\
against the original index data. If set to true, 'tstats' will only generate results from the \i\
TSIDX data that has been automatically generated by the acceleration, and nonsummarized data \i\
will not be provided. \i\
"allow_old_summaries": Only applies when selecting from an accelerated datamodel. When false \i\
(default), Splunk only provides results from summary directories when those directories are up-to-date. \i\
In other words, if the datamodel definition has changed, we do not use those summary directories \i\
which are older than the new definition when producing output from tstats. This default ensures \i\
that the output from tstats will always reflect your current configuration. If this is instead \i\
set to true, then tstats will use both current summary data as well as summary data that was \i\
generated prior to the definition change. Essentially this is an advanced performance \i\
feature for cases where you know that the old summaries are "good enough". \i\
"chunk_size": Advanced option. This argument controls how many events are retrieved at a time within \i\
a single TSIDX file when answering queries. The default is 10000000. Only consider supplying a lower \i\
value for this if you find a particular query is using too much memory. The case that could cause this \i\
would be an excessively high cardinality split-by, such as grouping by several fields that have a very \i\
large amount of distinct values. Setting this value too low, however, can negatively impact the overall \i\
runtime of your query. \p\
NOTE: Except in 'append=t' mode, this is a generating processor, so it must be the first command in a search.
example1 = | tstats count FROM mydata
example2 = | tstats avg(foo) from mydata where bar=value2 baz>5
example3 = | tstats count where host=x by source
example4 = | tstats prestats=t count by _time span=1d | timechart span=1d count
example5 = | tstats median(foo) from mydata
example6 = | tstats prestats=t median(foo) from mydata | tstats prestats=t append=t median(bar) from otherdata | stats median(foo) median(bar)
maintainer = dmarquardt
optout-in = lite, lite_free
related = tscollect
shortdesc = Performs statistics on indexed fields in tsidx files, which could come from normal index data, tscollect data, or accelerated datamodels.
syntax = tstats (prestats=<bool>)? (local=<bool>)? (append=<bool>)? (summariesonly=<bool>)? (allow_old_summaries=<bool>)? (chunk_size=<unsigned int>)? (<stats-func>)+ (FROM <string:namespace> | sid=<string:tscollect-job-id> | datamodel=<string:datamodel-name>)? (WHERE <logical-expression>)? ((by|GROUPBY) <field-list> (span=<string:timespan>)? )?
tags = tstats tsidx projection
usage = public
[txn_definition-opt]
syntax = <maxspan-opt> | <maxpause-opt> | <maxevents-opt> | <field-list> | <start-opt> | <end-opt> | <connected-opt> | <unify-ends-opt> | <keeporphans-opt>
[typeahead-command]
appears-in = 4.0
category = administrative
comment1 = Return typeahead information for sources in the "_internal" index.
description = Returns typeahead on a specified prefix. Only returns a max of "count" results, can be targeted to an index and restricted by time.
If index specifiers are provided they're used to populate the set of indexes used if no index specifiers are found in the prefix.
example1 = | typeahead prefix="index=_internal source=" count=10
generating = true
maintainer = ledion
shortdesc = Returns typeahead on a specified prefix.
syntax = typeahead <prefix-opt> <count-opt> (<max-time-opt>)? (<index-opt>)? (<starttimeu>)? (<endtimeu>)? (<collapse-opt>)?
tags = typeahead help terms
usage = public
[typelearner-command]
appears-in = 3.2
category = results::group
commentcheat = Have Splunk automatically discover and apply event types to search results
description = Takes previous search results, and produces a list of promising searches that may be used as event-types.
examplecheat = ... | typelearner
maintainer = david
related = findtypes, typer
shortdesc = Generates suggested eventtypes. Deprecated: preferred command is 'findtypes'
syntax = typelearner (<grouping-field>)? (<grouping-maxlen>)?
tags = eventtype typer discover search classify
usage = deprecated
[typer-command]
category = results::group
commentcheat = Force Splunk to apply event types that you have configured (Splunk Web automatically does this when you view the "eventtype" field).
description = Calculates the 'eventtype' field for search results that match a known event-type.
examplecheat = ... | typer
maintainer = ssorkin
related = typelearner
shortdesc = Calculates the eventtypes for the search results.
syntax = typer
tags = eventtype typer discover search classify
usage = public
[unify-ends-opt]
default = unifyends=t
description = Whether to force events that match startswith/endswith constraint to also match at least one of the
fields used to unify events into a transactions. Defaults to the same value as the "connected"
option. This means that if you set connected=false (it is true by default), then unifyends will
default to false as well.
syntax = unifyends=<bool>
[union-command]
appears-in = Kimono
category = results::append
comment1 = Merge events from index a and b and add different fields using eval in each case.
comment2 = Append the current results with the tabular results of errors.
comment3 = Search a built-in data model that is an internal server log for REST API calls and the events from index a.
description = Merges the results from two or more datasets into one dataset.
example1 = | union [search index=a | eval type = "foo"] [search index=b | eval mytype = "bar"]
example2 = ... | chart count by category1 | union [search error | chart count by category2]
example3 = | union datamodel:"internal_server.splunkdaccess" [search index=a]
maintainer = aandrade
related = multisearch, append
shortdesc = Merge multiple datasets.
syntax = union (<subsearch-options>)? <dataset> (<dataset>)*
tags = multisearch append
usage = public
[uniq-command]
appears-in = 3.0
category = results::filter
comment1 = For the current search, keep only unique results.
description = Removes any search result that is an exact duplicate with the adjacent result before it.
example1 = ... | uniq
maintainer = david
related = dedup
shortdesc = Filters out repeated adjacent results.
syntax = uniq
tags = uniq unique duplicate redundant extra
usage = public
[unnamed-dataset]
syntax = <subsearch>
[untable-command]
appears-in = 4.0
category = reporting
comment1 = Reformat the search results.
description = Converts results from a tabular format to a format similar to stats output. Inverse of xyseries.
example1 = ... | timechart avg(delay) by host | untable _time host avg_delay
maintainer = steveyz
related = xyseries
syntax = untable <x-field> <y-name-field> <y-data-field>
tags = convert table
usage = public
[use_ssl-option]
default = false
description = Whether to use ssl when communicating with the smtp server. When true, you must also specify both the server name or ip address and the tcp port in the 'mailserver' attribute.
syntax = use_ssl=<bool>
[use_tls-option]
default = false
description = Specify whether to use tls when communicating with the smtp server.
syntax = use_tls=<bool>
[user-string]
description = The user name of the owner of the saved search.
example = admin
syntax = <string>
[value]
syntax = <lit-value>
[value-list]
syntax = "("<value>(,<value>)*")"
[where-clause]
description = Specifies the criteria for including particular data series when a field is given in the tc-by-clause.
This optional clause, if omitted, default to "where sum in top10".
The aggregation term is applied to each data series and the result of
these aggregations is compared to the criteria.
The most common use of this option is to select for spikes rather than overall
mass of distribution in series selection. The default value finds the
top ten series by area under the curve. Alternately one could replace sum with
max to find the series with the ten highest spikes.
example1 = where sum in top5
example2 = where count notin bottom10
example3 = where avg > 100
example4 = where max < 10
note = This has no relation to the where-command or SQLite.
syntax = where <single-agg> <where-comp>
[where-command]
appears-in = 4.0
category = results::filter
comment1 = Return "physicjobs" events with a speed is greater than 100.
comment2 = Return "CheckPoint" events that match the IP or is in the specified subnet.
description = Keeps only the results for which the evaluation was successful and the boolean result was true.
example1 = sourcetype=physicsobjs | where distance/time > 100
example2 = host="CheckPoint" | where (src LIKE "10.9.165.%") OR cidrmatch("10.9.165.0/25", dst)
maintainer = marquardt
related = eval search regex
shortdesc = Runs an eval expression to filter the results. The result of the expression must be Boolean.
syntax = where <eval-expression>
tags = where filter search
usage = public
[where-comp]
description = A criteria for the where clause.
syntax = <wherein-comp>|<wherethresh-comp>
[wherein-comp]
description = A where-clause criteria that requires the aggregated series value be in or not in some top or bottom grouping.
example1 = in top5
example2 = in bottom10
example3 = notin top2
syntax = (in|notin) (top|bottom)<int>
[wherethresh-comp]
description = A where-clause criteria that requires the aggregated series value be greater than or less than some numeric threshold.
example1 = > 2.5
example2 = < 100
syntax = (<|>)( )?<num>
[width_sort_columns-option]
default = true
description = This is only valid for plain text emails. Specifies whether the columns should be sorted by their width.
syntax = width_sort_columns=<bool>
[x-field]
description = Field to be used as the x-axis
syntax = <field>
[x11-command]
appears-in = Ace
category = reporting
description = Remove seasonal fluctuations in fields. This command has a similar purpose to the
trendline command, but is more sophisticated as it uses the industry popular X11 method.
The type option can be either 'mult' (for multiplicative) or 'add' (for additive). By default,
it's 'mult'. The period option should be specified if known; otherwise it is automatically computed.
example1 = ... | x11 foo as fubar
example2 = ... | x11 24(foo) as fubar
example3 = ... | x11 add12(foo) as fubar
maintainer = nghi
related = trendline
shortdesc = Remove seasonal fluctuations in fields.
syntax = x11 <x11-func>"("<fieldname>")" (as <newname>)?
tags = x11 deseasonal seasonal
usage = public
[x11-func]
example1 = mult12
example2 = 12
example3 = add
syntax = <x11-type>?<x11-period>?
[x11-period]
description = A integer between 5 and 1000. The period option should be specified if known; otherwise it is automatically computed.
syntax = <int>
[x11-type]
default = mult
description = Type option 'mult' (for multiplicative) or 'add' (for additive).
syntax = (mult|add)
[xmlkv-command]
appears-in = 3.x
category = fields::add
commentcheat = Extract field/value pairs from XML formatted data. "xmlkv" automatically extracts values between XML tags.
description = Finds key value pairs of the form <foo>bar</foo> where foo is the key and bar is the value from the _raw key.
example1 = ... | xmlkv maxinputs=10000
examplecheat = ... | xmlkv
maintainer = brian
related = extract, kvform, multikv, rex, xpath
shortdesc = Extracts XML key-value pairs.
syntax = xmlkv <maxinputs-opt>
tags = extract xml
usage = public
[xmlunescape-command]
appears-in = 3.x
category = formatting
commentcheat = Un-escape all XML characters.
description = Un-escapes XML entity references (for: &, <, and >) back to their corresponding characters (e.g., "&amp;" -> "&").
examplecheat = ... | xmlunescape
maintainer = brian
shortdesc = Un-escapes XML characters.
syntax = xmlunescape <maxinputs-opt>
tags = unescape xml escape
usage = public
[xpath-command]
appears-in = Madonna
category = fields::add
comment1 = pull out the name of a book from xml, using the relative path of //book
comment2 = pull out the name of a book from xml, using the full path of /data/book
description = Sets the value of OUTFIELD to the value of the XPATH applied to FIELD. If no value could be set, the DEFAULT value is set. FIELD defaults to "_raw"; OUTFIELD, to "xpath"; and DEFAULT, to not setting a default value. The field value is wrapped in a "<data>...</data>" tags so that the field value is a valid xml, even if it contains some none xml.
example1 = sourcetype="books.xml" | xpath "//book/@name" outfield=name
example2 = sourcetype="books.xml" | xpath "/data/book/@name" outfield=name
maintainer = david
related = extract, kvform, multikv, rex, xmlkv
shortdesc = Extracts the xpath value from FIELD and sets the OUTFIELD attribute.
syntax = xpath <string:xpath> (field=<field>)? (outfield=<field>)? (default=<string>)?
tags = xml extract
usage = public
[xyseries-command]
alias = maketable
appears-in = 3.0
category = reporting
comment1 = Reformat the search results.
description = Converts results into a format suitable for graphing. If multiple
y-data-fields are specified, each column name is the
the y-data-field name followed by the sep string (default is ": ")
and then the value of the y-name-field it applies to.
If the grouped option is set to true (false by default),
then the input is assumed to be sorted by the value of the
<x-field> and multi-file input is allowed.
example1 = ... | xyseries delay host_type host
maintainer = steveyz
related = untable
shortdesc = Converts results into a format suitable for graphing.
syntax = xyseries (grouped=<bool>)? <x-field> <y-name-field> (<y-data-field>)+ (sep=<string>)? (format=<string>)?
tags = convert graph
usage = public
[y-data-field]
description = Field that contains the data to be charted
syntax = <field>
[y-name-field]
description = Field that contains the values to be used as data series labels
syntax = <field>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment