We can search from the Splunk CLI much as we do in Splunk Web, except that the search parameters are passed outside the search object; they control the time limit of the search, specify the server the search runs on, and control how the results are displayed.
Example of splunk cli search:
search | rtsearch [object] [-parameter <value>]
where rtsearch runs a real-time search instead of a historical one.
Search defaults:
The default value for index_earliest, earliest_time and latest_time is "all time", and the maximum number of results is 100. We can override these values as required.
Search objects (search query):
There are different ways to quote the search object (the search query) on Windows and Linux:
On Linux it is enclosed in single quotes (' ').
On Windows it is enclosed in double quotes (" ").
Search parameters:
Search parameters are options that control how the search is run or how the results are displayed. All of these parameters are optional. Parameters that take Boolean values accept {0, false, f, no} as negatives and {1, true, t, yes} as positives.
Let's take some examples to understand this better:
Open a command prompt or terminal and change to the Splunk bin directory.
Prefix each query with splunk on Windows and ./splunk on Linux.
Example:
splunk search "index=main source=Superstore.csv|stats count by Region Category"
We can limit the number of results with the maxout parameter.
Example for splunk cli search:
splunk search "index=main source=Superstore.csv|stats count by Region Category" -maxout 2
We can see that the results are limited to 2, as specified.
Similarly, we can specify earliest_time to bound the time window of the search.
Example:
splunk search "index=main source=Superstore.csv | stats count by Region Category" -maxout 5 -earliest_time -100d
Real-time searches can also be run by using the rtsearch command in place of search.
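The following POSIX shell script is an added example and is not code from the original post or from Splunk. It wraps the CLI invocation shown above so that every search is bounded by -maxout and -earliest_time, validates the Boolean spellings listed under "Search parameters", and refuses a maxout value that is not a plain integer (so a caller cannot append extra CLI parameters through it). The names SPLUNK_HOME, normalize_bool, build_search_cmd and run_search are my own; it assumes Splunk is installed under SPLUNK_HOME (default /opt/splunk) and reuses the post's sample index and source.

```shell
#!/bin/sh
# Added example (not from the original post): bounded Splunk CLI searches.
# Assumptions: Splunk lives under SPLUNK_HOME (default /opt/splunk) and the
# sample data is the post's index=main source=Superstore.csv.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Map the Boolean spellings the CLI accepts ({0,false,f,no} / {1,true,t,yes})
# to a canonical 0 or 1; anything else is rejected before it reaches splunk.
normalize_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        0|false|f|no) echo 0 ;;
        1|true|t|yes) echo 1 ;;
        *) echo "unrecognized Boolean value: $1" >&2; return 1 ;;
    esac
}

# build_search_cmd COMMAND QUERY MAXOUT EARLIEST
# Prints the exact command line run_search would execute. The query is
# single-quoted (the Linux convention from the post) and the parameters sit
# outside the quotes. COMMAND must be search or rtsearch, MAXOUT must be a
# non-negative integer, and the query may not contain a single quote.
build_search_cmd() {
    cmd=$1; query=$2; maxout=$3; earliest=$4
    case "$cmd" in
        search|rtsearch) ;;
        *) echo "command must be search or rtsearch, got: $cmd" >&2; return 1 ;;
    esac
    case "$maxout" in
        ''|*[!0-9]*) echo "maxout must be a non-negative integer, got: $maxout" >&2; return 1 ;;
    esac
    case "$query" in
        *\'*) echo "query must not contain a single quote" >&2; return 1 ;;
    esac
    printf "%s/bin/splunk %s '%s' -maxout %s -earliest_time %s\n" \
        "$SPLUNK_HOME" "$cmd" "$query" "$maxout" "$earliest"
}

# run_search COMMAND QUERY MAXOUT EARLIEST
# Executes the search when the splunk binary is present; otherwise prints the
# command line that would have run (dry run) so the script is safe to try
# on a machine without Splunk.
run_search() {
    build_search_cmd "$@" > /dev/null || return 1   # validate arguments first
    if [ -x "$SPLUNK_HOME/bin/splunk" ]; then
        "$SPLUNK_HOME/bin/splunk" "$1" "$2" -maxout "$3" -earliest_time "$4"
    else
        echo "splunk binary not found under $SPLUNK_HOME; dry run:" >&2
        build_search_cmd "$@"
    fi
}

# Usage: the post's third example, limited to 5 rows over the last 100 days.
run_search search 'index=main source=Superstore.csv | stats count by Region Category' 5 -100d
```

Keeping the validation in build_search_cmd and the execution in run_search means the same argument checks apply whether the script is executing a real search or only printing it, which makes the wrapper easy to test on a host without Splunk.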
If you are still facing issues with Splunk CLI search, feel free to ask in the comment box below, and don't forget to follow us on social platforms. Happy Splunking!