Splunk CLI Cheat Sheet

Essential Splunk command-line interface commands

splunk start
Start Splunk services. Starts splunkd daemon and splunkweb interface. Use --accept-license to skip license prompt.

splunk start --accept-license

Keywords: start, service, daemon, web, license

splunk stop
Stop all Splunk services gracefully. Stops both splunkd and splunkweb processes.

splunk stop

Keywords: stop, shutdown, service

splunk restart
Restart Splunk services. Equivalent to stop followed by start. Useful after configuration changes.

splunk restart

Keywords: restart, reload, configuration

splunk status
Check status of Splunk processes. Shows if splunkd and splunkweb are running.

splunk status

Keywords: status, check, running, health

splunk add index
Create a new index for data storage. Specify index name and optional parameters like maxDataSize.

splunk add index myindex -maxDataSize 1000

Keywords: index, create, storage, data

splunk list index
List all configured indexes. Shows index names, paths, and basic configuration.

splunk list index

Keywords: list, index, show, configuration

splunk add monitor
Monitor a file or directory for new data. Automatically indexes new content as it's written.

splunk add monitor /var/log/apache2/ -index web_logs

Keywords: monitor, file, directory, watch, tail

splunk list monitor
List all monitored inputs. Shows files and directories being watched for changes.

splunk list monitor

Keywords: list, monitor, inputs, watched

splunk add forward-server
Configure forwarding to another Splunk instance. Set up universal forwarder or heavy forwarder.

splunk add forward-server 192.168.1.100:9997

Keywords: forward, server, forwarder, remote

splunk search
Execute search from command line. Use quotes for complex searches, specify time range with earliest/latest.

splunk search 'index=main error' -earliest -1h

Keywords: search, query, command, time

splunk export
Export search results to file. Supports various formats like CSV, JSON, XML.

splunk export 'index=main' -output csv -filename results.csv

Keywords: export, results, csv, json, file

splunk btool
Configuration file validation and troubleshooting tool. Check syntax and view effective configuration.

splunk btool inputs list --debug

Keywords: btool, configuration, debug, validate

splunk clean eventdata
Remove all indexed data from specified index. Use with caution as this is irreversible.

splunk clean eventdata -index test_index

Keywords: clean, delete, data, remove, index

splunk enable boot-start
Configure Splunk to start automatically at system boot. Sets up system service.

splunk enable boot-start -user splunk

Keywords: boot, startup, service, automatic

splunk show config
Display current configuration settings. Shows effective configuration from all .conf files.

splunk show config inputs

Keywords: config, configuration, show, settings

splunk add user
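Create new user account with specified roles and capabilities. A password given with -password is saved in shell history and visible in the process list while the command runs.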

splunk add user john -password changeme -role user

Keywords: user, create, account, role, security

splunk edit user
Modify existing user properties like password, roles, or email.

splunk edit user john -password newpass -email john@company.com

Keywords: user, edit, modify, password, email

splunk remove user
Delete user account from Splunk system.

splunk remove user john

Keywords: user, remove, delete, account

splunk add role
Create custom role with specific capabilities and index access.

splunk add role analyst -capability search -srchIndexesAllowed main,security

Keywords: role, create, capability, access, security

splunk reload deploy-server
Reload deployment server configuration to push updates to clients.

splunk reload deploy-server

Keywords: deploy, server, reload, configuration, clients

splunk display app
Show information about installed apps and their status.

splunk display app -name search

Keywords: app, display, information, status

splunk install app
Install Splunk app from file or Splunkbase.

splunk install app /path/to/app.tar.gz -update 1

Keywords: install, app, splunkbase, update

splunk remove app
Uninstall Splunk app and remove its files.

splunk remove app myapp

Keywords: remove, app, uninstall, delete

splunk validate
Validate configuration files for syntax errors.

splunk validate inputs

Keywords: validate, configuration, syntax, errors

splunk diag
Generate diagnostic bundle for troubleshooting support cases.

splunk diag --collect=etc,log --days=7

Keywords: diag, diagnostic, troubleshoot, support

splunk migrate
Migrate configuration and data between Splunk versions.

splunk migrate input-csv /path/to/migration.csv

Keywords: migrate, upgrade, configuration, data