Splunk CLI Useful Commands Cheatsheet

CLI commands for starting, stopping, status, etc.

Manage Splunk processes
    splunk [start | stop | restart]

Start and automatically accept the license without prompt
    splunk start --accept-license

Enable boot start on Linux, where xyz is the name of the user account. The enable
command must be run as root; displaying boot-start status does not require root.
    splunk enable boot-start -user xyz
    splunk display boot-start

Display a usage summary for help, plus various other help options
    splunk help
    splunk help cluster
    splunk help shcluster
    splunk help add
    splunk help show

Splunk version
    splunk version

Splunk running status
    splunk status

Splunk Web port
    splunk show web-port
    splunk set web-port port#

Splunk management (splunkd) port
    splunk show splunkd-port
    splunk set splunkd-port port#

Splunk App Server ports
    splunk show appserver-ports
    splunk set appserver-ports port#

Splunk KV store port
    splunk show kvstore-port
    splunk set kvstore-port port#

Splunk server name
    splunk show servername
    splunk set servername name

Default host name
    splunk show default-hostname
    splunk set default-hostname name

Show the guid of this instance
    splunk show guid

Create a diag file for Support; use help to see options for uploading, etc.
    splunk diag
    splunk help diag

CLI commands for licensing


On the master license server, add a new license
    splunk add licenses \
        absolutepathtolicensefile

On the master license server, list the licenses
    splunk list licenses

Make this instance a license slave of a master
    splunk edit licenser-localslave \
        -master_uri https://Lic_Master:port

List license status of this instance
    splunk list licenser-localslave

List all license slaves (run on license master)
    splunk list licenser-slaves

List any license alerts or warnings
    splunk list licenser-messages

List current license groups
    splunk list licenser-groups

Change the active license group (e.g., to change to Forwarder group)
    splunk edit licenser-groups group \
        -is_active 1

Copyright © 2017 Splunk, Inc. All rights reserved

CLI commands for general administration


Create a user
    splunk add user name \
        -password "password" \
        -full-name 'User Name' -role role_name

Change a user's password
    splunk edit user name \
        -password newpassword

Remove a user
    splunk remove user name

Create a role
    splunk add role role_name \
        -imported other_role_name

On a search head, add a distributed search peer
    splunk add search-server peer:port \
        -remoteUsername user -remotePassword pass

On a search head, quarantine a search peer to stop sending it search requests
    splunk edit search-server peer:port \
        -action [quarantine|unquarantine]

Display information about the search job scheduler (run on search head)
    splunk show scheduler-status

Move search jobs from the dispatch directory based on the last modification
time of the job; mod_time is a relative time in SPL format
    splunk cmd splunkd clean-dispatch dest_directory mod_time
    Example:
    splunk cmd splunkd clean-dispatch /tmp/jobs/ -7d@d

CLI commands for inputs


Set up an input. There are many options; some are required.
(Note: exec is a scripted input; oneshot is a batch input.)
    splunk add monitor file_or_dir
    splunk add tcp port
    splunk add udp port
    splunk add exec script_to_run
    splunk add oneshot file_or_dir

Show the automatic sourcetype that Splunk will assign to this input
    splunk test sourcetype file_to_test

Identify what Splunk is monitoring:

  files and directories
    splunk list monitor

  local and remote event logs, perfmon
    splunk list wmi
    splunk list eventlog
    splunk list perfmon

  status of inputs
    splunk list inputstatus
    splunk list exec

CLI commands for indexes


Create an index
    splunk add index indexName

Remove all data from an index (run on indexer)
    splunk clean eventdata \
        [ -index indexName ]

Remove all data from the kvstore
    splunk clean kvstore \
        -collection collection_name

Remove the file pointer for a particular source from the fishbucket, so the
file will be re-indexed
    splunk cmd btprobe -d \
        SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db \
        --file source --reset

Recreate the idx files for a bucket
    splunk rebuild path_to_bucket

Reload the index configurations
    splunk reload index

When using data integrity: check an index
    splunk check-integrity \
        -index indexName verbose

When using data integrity: check a bucket
    splunk check-integrity \
        -bucketPath path_to_bucket verbose

When using data integrity: regenerate hash files (either for a bucket or for
an entire index)
    splunk generate-hash-files \
        -bucketPath path_to_bucket
    splunk generate-hash-files \
        -index indexName

CLI commands for apps
Install an app from the named file on the server
    splunk install app appfile

Package an app
    splunk package app appname

Shows the status of an app, whether it is installed or not, enabled/disabled,
or visible/invisible
    splunk display app appfolder

Remove an installed app from this server
    splunk remove app appfolder

Create a new (empty) app, where the template can be barebones or sample_app
    splunk create app appname \
        -template template_name

CLI commands for debugging


Display the merged on-disk configurations for a configuration type (e.g. inputs)
    splunk show config conf_name

Check or display the configs for a type (see more information on btool at the
end of this document)
    splunk btool check
    splunk btool conf_name list [ --debug ]

Display the status of an app
    splunk display app appdirname

Test your regular expression (see example at end of this document)
    splunk cmd pcregextest

CLI commands for forwarding/receiving and deployment server


Sets a receiving port rport (run on indexer)
    splunk enable listen rport

On an indexer, shows all configured receiving ports
    splunk display listen

Forward inputs to the indexer (idx) that is listening on port rport (run on forwarder)
    splunk add forward-server idx:rport

On a forwarder, show where it is sending inputs
    splunk list forward-server

On a forwarder, remove a configured target indexer
    splunk remove forward-server idx:rport

On any non-clustered instance, set the instance to use the deployment server (dserver)
    splunk set deploy-poll dserver:port

On any instance, check its deployment client/server status; deploy-poll shows
the server:port that the client is contacting
    splunk show deploy-poll
    splunk display deploy-server
    splunk display deploy-client

On the deployment server, list all clients
    splunk list deploy-clients

On the deployment server, reexamine all deployment apps
    splunk reload deploy-server

CLI commands for indexer clustering


Single Site

Make this instance a cluster master
    splunk edit cluster-config \
        -mode master -replication_factor 2 \
        -search_factor 2 -secret mycluster

Make this indexer a cluster peer
    splunk edit cluster-config -mode slave \
        -master_uri https://master:port \
        -secret mycluster -replication_port 9000

Give this search head the ability to search a cluster
    splunk edit cluster-config \
        -mode searchhead \
        -master_uri https://master:port \
        -secret mycluster

Give this search head the ability to search an additional cluster
    splunk add cluster-master \
        -master_uri https://master:port \
        -secret cluster2

Edit an existing search head configuration for a particular cluster
    splunk edit cluster-master \
        -master_uri https://master:port \
        -secret cluster2 -otheroptions

Restart all peers from the master
    splunk rolling-restart cluster-peers

Multisite

Make this instance a cluster master of a multisite cluster
    splunk edit cluster-config \
        -mode master -multisite true \
        -site site1 \
        -available_sites site1,site2 \
        -site_replication_factor origin:1,total:2 \
        -site_search_factor origin:1,total:2 \
        -secret mycluster

Make this indexer a cluster peer in a multisite cluster
    splunk edit cluster-config \
        -master_uri https://master:port \
        -mode slave -site site1 \
        -replication_port port -secret mycluster

Give this search head the ability to search a multi-site cluster
    splunk edit cluster-config \
        -mode searchhead -multisite true \
        -master_uri https://master:port \
        -site site1 -secret mycluster

Restart all peers from the master (site by site is optional)
    splunk rolling-restart cluster-peers \
        [ -site-by-site true -site-order site2,site1,site3 ]

General Indexer Cluster Commands

Put cluster in maintenance mode (run on master)
    splunk [ enable | disable | show ] \
        maintenance-mode

Stop this peer gracefully. With enforced counts, takes the peer offline
permanently; otherwise the peer must restart within 60 seconds.
    splunk offline [--enforce-counts]

Change percent of peers that restart at once in a rolling restart [default is 10]
    splunk edit cluster-config \
        -percent_peers_to_restart 100

Change the length of time before an offlined peer must restart
    splunk edit cluster-config \
        -restart_timeout seconds

Replicate report acceleration and data model acceleration summaries (run on master)
    splunk edit cluster-config \
        -summary_replication true

Assign a label to all the search heads and peers that are part of this cluster (run on master)
    splunk edit cluster-config \
        -cluster_label label_name

Apply cluster-master apps to all peers (run on master)
    splunk apply cluster-bundle

Show status of bundle deployment (run on master)
    splunk show cluster-bundle-status \
        [--verbose]

Undo the last cluster bundle and return to previous state (run on master)
    splunk rollback cluster-bundle

Show cluster status (run on master)
    splunk show cluster-status [--verbose]

Remove offline peers entirely from the cluster (run on master)
    splunk remove cluster-peers \
        -peers guid1,guid2

List excess buckets
    splunk list excess-buckets [index]

Remove excess buckets
    splunk remove excess-buckets [index]

Allow searching to begin before RF is met (run on master)
    splunk set indexing-ready

Run diag from the cluster master
    splunk diag --enable=rest

Rebalance primaries (see also REST ENDPOINTS at end of document)
    https://yourCM:mgmtport/services/cluster/master/control/control/rebalance_primaries

Perform data rebalancing on the cluster or a specific index, optionally setting
a maximum run time
    splunk rebalance cluster-data \
        -action start [-index index] \
        [-max_runtime minutes]
    splunk rebalance cluster-data \
        -action status
    splunk rebalance cluster-data \
        -action stop

Set the threshold for data rebalancing, where 1.0 would be "fully balanced"
    splunk edit cluster-config \
        -rebalance_threshold 0.90

Enable replication of report and data model acceleration summaries on indexers
    splunk edit cluster-config \
        -summary_replication true

Set the detention status of a peer. Options are:
    on: disables indexing & incoming replication
    on_ports_enabled: disables incoming replication
    off
    splunk edit cluster-config \
        -manual_detention option

For indexer discovery, set the site fail-over (site1 to site2 in the example)
    splunk edit cluster-config \
        -forwarder_site_failover site1:site2

Get various information about the indexer cluster
    splunk list cluster-config
    splunk list cluster-master
    splunk list cluster-peers
    splunk list master-info
    splunk list cluster-buckets
    splunk list peer-info
    splunk list peer-buckets

CLI commands for search head clustering
Initialize a search head when creating a SH cluster
    splunk init shcluster-config \
        -mgmt_uri https://thisSH:port \
        -replication_port port -secret cluster2

Manually assign a captain and set a member list (run on the new captain)
    splunk bootstrap shcluster-captain \
        -servers_list https://SH2:port,https://SH3:port,https://SH4:port

Clean the dynamic configuration files for a member (run on the member with problems)
    splunk clean raft

Add this search head to an existing SH cluster (run on the new member)
    splunk add shcluster-member \
        -current_member_uri \
        https://existingmember:port

Add a new search head to an existing SH cluster (run from any current member)
    splunk add shcluster-member \
        -new_member_uri https://new_member:port

Configure a SHC member to access the deployer
    splunk edit shcluster-config \
        -conf_deploy_fetch_url \
        https://deploy_server:port

Help a SHC member get back in sync
    splunk resync shcluster-replicated-config

Show the status of the SH cluster (run on any member)
    splunk show shcluster-status

Show the members of the SH cluster (run on any member)
    splunk list shcluster-members

Restart all members of the SH cluster
    splunk rolling-restart shcluster-members

Show the status of a rolling restart
    splunk rolling-restart shcluster-members \
        -status 1

In dynamic election mode, transfer captaincy (run on current captain)
    splunk transfer shcluster-captain \
        -mgmt_uri https://newcaptain:port

Designate a captain and turn off dynamic election (run on captain)
    splunk edit shcluster-config \
        -election false -mode captain \
        -captain_uri https://captain:port

Designate a captain and turn off dynamic election (run on members)
    splunk edit shcluster-config \
        -election false -mode member \
        -captain_uri https://captain:port

Convert SHC members to dynamic election mode (run on all members, run on the
static captain last, then bootstrap)
    splunk edit shcluster-config \
        -election true \
        -mgmt_uri https://this_member:port

Install app bundles on all SH cluster members (run from deployer)
    splunk apply shcluster-bundle \
        -target https://existingmember:port

Set a label for the SH cluster in the DMC for reporting; run this on any
member and on the deployer
    splunk edit shcluster-config \
        -shcluster_label label_name

Permanently disable SH clustering on this instance
    splunk disable shcluster-config

Remove this SH cluster member from the cluster (run on the member)
    splunk remove shcluster-member

From another instance, remove a SH cluster member (the mgmt_uri is the member
to be removed)
    splunk remove shcluster-member \
        -mgmt_uri https://thatSH:port

Get various information about the SH cluster
    splunk list shcluster-config
    splunk list shcluster-members
    splunk list shcluster-captain-info
    splunk list shcluster-artifacts
    splunk list shcluster-scheduler-jobs
    splunk list shcluster-member-info
    splunk list shcluster-configuration-set
    splunk list shcluster-member-artifacts

Run diag from the SH cluster captain
    splunk diag

CLI commands for KV Store


Show KV store status
    splunk show kvstore-status

Clean the KV store, either across the cluster or only on this instance
    splunk clean kvstore [ -cluster | -local ]

Resync the KV store from the member with the given GUID
    splunk resync kvstore -source GUID

Notes:
In most Linux environments (depending on the PATH), the splunk command must be prefixed with "./":

    ./splunk start

To make cut-and-paste work better with this document, the Linux line-continuation character "\" has been added at the
end of each line; do not include this character when manually typing the command on a single line!

REST ENDPOINTS
You can use REST endpoints instead of many CLI commands. The purpose of this section is to capture some of the
REST endpoints for which no CLI equivalent exists. Documentation for all endpoints can be found in the Splunk REST
API Reference Manual. [http://docs.splunk.com/Documentation/Splunk/latest/RESTREF]

Endpoints can be accessed via the REST API directly using tools such as curl, or by putting the endpoint into a
browser, like this
https://<host>:<mPort>/services/endpoint
where host is the Splunk host and mPort is the splunkd port (aka management port). Note that you must use https to
access the splunkd port. You will typically need to authenticate with an admin account and password to proceed.

In addition to accessing the REST API directly, you may choose to download a SDK and use a higher-level library in
your code. See http://dev.splunk.com for more details about the REST API and the SDKs, including tutorials and user
guides.

Finally, the REST endpoints can be accessed in Splunk searches using the rest command, as follows
| rest /services/endpoint
For example:
| rest /services/cluster/master/peers
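The REST access described above, as an added example that is not from the cheat sheet or from Splunk's own SDK: it logs in once to /services/auth/login using only Python's standard library, reuses the returned session key as the Authorization header instead of resending the password, pins a CA file so the management port's certificate is actually verified, and folds the cluster/master/peers answer into a small health summary. Host, port, credentials and the CA path are assumptions supplied by the caller; the login and peers responses embedded below are constructed samples, trimmed to the fields used.

```python
# Added example, not from the cheat sheet or Splunk's SDK.  Standard library only.
# host/mport/user/password/cafile are caller-supplied assumptions;
# SAMPLE_LOGIN and SAMPLE_PEERS are constructed responses.
import json
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

def mgmt_url(host, mport, endpoint, **params):
    """Build https://<host>:<mPort>/services/<endpoint>; splunkd is https only."""
    url = f"https://{host}:{mport}/services/{endpoint.strip('/')}"
    return url + ("?" + urllib.parse.urlencode(params) if params else "")

def session_key_from_login(xml_body):
    """Pull <sessionKey> out of the /services/auth/login response body."""
    node = ET.fromstring(xml_body).find("sessionKey")
    if node is None or not node.text:
        raise ValueError("login response carries no sessionKey")
    return node.text.strip()

def authed_request(url, session_key):
    """Send the session key, not the password, on every later call."""
    return urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})

def login(host, mport, user, password, cafile):
    """POST credentials once and return the session key.  The CA file is
    pinned so the management port's certificate is verified (no curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(mgmt_url(host, mport, "auth/login"), data=body)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return session_key_from_login(resp.read())

def summarize_peers(peers_json):
    """Map peer label -> (status, site, primary_count) from the JSON body of
    cluster/master/peers fetched with output_mode=json."""
    out = {}
    for entry in json.loads(peers_json)["entry"]:
        c = entry["content"]
        out[c["label"]] = (c["status"], c.get("site", "default"), int(c.get("primary_count", 0)))
    return out

def peers_not_up(summary):
    """Labels of peers whose status is not 'Up': what a health check alerts on."""
    return sorted(label for label, (status, _, _) in summary.items() if status != "Up")

# Constructed samples, trimmed to the fields used above.
SAMPLE_LOGIN = "<response><sessionKey>abc123</sessionKey><messages><msg code=''></msg></messages></response>"
SAMPLE_PEERS = json.dumps({"entry": [
    {"name": "guid-1", "content": {"label": "idx1", "status": "Up", "site": "site1", "primary_count": 120}},
    {"name": "guid-2", "content": {"label": "idx2", "status": "Down", "site": "site2", "primary_count": 0}},
]})
```

To run it against a real cluster master, call login() with your values, then pass authed_request(mgmt_url(host, mport, "cluster/master/peers", output_mode="json"), key) to urllib.request.urlopen with the same SSL context and feed the body to summarize_peers().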

Indexer Cluster

Initiate primary rebalancing manually for an indexer cluster
    cluster/master/control/control/rebalance_primaries

View the number of primaries on a peer and other settings
    cluster/master/peers

Adjust cluster peer detention mode
    cluster/slave/control/control/set_detention_override

Give information about a specific bucket (bucketid) including whether primary
or not, site, etc.
    cluster/master/buckets/bucketid

Re-add the cluster peer (indexer) to the cluster master
    cluster/slave/control/control/re-add-peer

Top level endpoint for master to slave communication
    cluster/master

Top level endpoint for slave to master communications
    cluster/slave

Search Head Cluster

Access configuration replication health statistics for SHC
    replication/configuration/health

Info regarding KO replication, including lookups
    replication/configuration

Lists searchhead cluster artifacts and replicas (must run on captain)
    shcluster/captain/artifacts

SHC captain info and control
    shcluster/captain

SHC member info and control
    shcluster/member

General

See the current in-memory configuration (like btool)
    properties

Cluster endpoint descriptions:
    http://docs.splunk.com/Documentation/Splunk/6.5.1/RESTREF/RESTcluster

btool Supplement
btool displays merged on-disk configuration values. It is a helpful tool for finding basic configuration problems. (Some
of the btool commands are also listed in the tables above.)

• To quickly check the syntax of all configuration files on an instance:
    splunk btool check

• To list the configurations of a single type, use the following form of btool. Substitute the name of the configuration
file (without the .conf extension) for conf_name in the command:
    splunk btool conf_name list [ --debug ]

• To see a single stanza, you can include the stanza, for example:
    splunk btool inputs list monitor:///var/log

However, the command line must specify the stanza exactly in order to match.
You can also specify the user and app to see the configurations from a user point of view.
If you specify the user, you must also specify the app:
    splunk btool conf_name list [ --user=user_name --app=app_name ]

As an alternative to btool, you can see the current in-memory configuration values with
    https://host:mPort/services/properties/

where host is the name of the indexer and mPort is the management port.

pcregextest
This is a command line tool to test a regular expression. You must give the tool the regular expression to test, and a
test string to test against. For example:

    ./splunk cmd pcregextest \
        mregex='(?<src_ip>\d+(?:\.\d+){3})' test_str="1.1.1.1 2.2.2.2"

Both mregex and test_str are required.

Using the CLI to manage the HTTP Event Collector


    http://dev.splunk.com/view/event-collector/SP-CAAAE7D
