splunk-search
Run a search on a Splunk server and fetch the results.
splunk-search [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [SPL]
splunk-search [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] spl=SPL
There are two ways to supply the SPL query that is run against the Splunk server.
- [ SPL ] - Write the SPL query inside square brackets ([]).
- spl=SPL - Put the SPL string in the spl option.
- profile=PROFILE
- The identifier of the Splunk connect profile.
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. Use the time units s (second), m (minute), h (hour), d (day) and mon (month). For example, 10s means data from 10 seconds earlier.
- from=yyyyMMddHHmmss
- Start time of the range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- to=yyyyMMddHHmmss
- End time of the range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- [SPL]
- The SPL (Splunk Processing Language) query to execute, entered in square brackets.
- spl=SPL
- The SPL (Splunk Processing Language) string to execute, given in the spl option.
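The following added example (illustration code, not the product's own parser) shows how the time-range options above resolve into a concrete search window: zero-padding of a from/to value with a missing time part, and the start point implied by a duration such as 10s or 1mon. It assumes the 8-digit date part is mandatory and that duration is not combined with from/to.

```python
import calendar
import re
from datetime import datetime, timedelta

# Added illustration of the splunk-search time-range option formats; this is
# not the product's own code. Assumptions: the date part (8 digits) is
# mandatory and shorter values are zero-padded to 14 digits, and duration
# and from/to are treated as mutually exclusive.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")


def parse_timestamp(value: str) -> datetime:
    """yyyyMMddHHmmss; an omitted time part is padded with zeros."""
    if not value.isdigit() or not 8 <= len(value) <= 14:
        raise ValueError(f"bad timestamp: {value!r}")
    return datetime.strptime(value.ljust(14, "0"), "%Y%m%d%H%M%S")


def duration_start(spec: str, now: datetime) -> datetime:
    """Start of the 'recent data' window for duration=NUM{mon|w|d|h|m|s}."""
    m = DURATION_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"bad duration: {spec!r}")
    num, unit = int(m.group(1)), m.group(2)
    if unit == "mon":  # calendar months, clamping the day of month
        year, month0 = divmod(now.year * 12 + now.month - 1 - num, 12)
        day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
        return now.replace(year=year, month=month0 + 1, day=day)
    return now - timedelta(seconds=num * UNIT_SECONDS[unit])


def resolve_window(opts: dict, now: datetime):
    """Map the time-range options to a (start, end) pair; None means open-ended."""
    if "duration" in opts and ("from" in opts or "to" in opts):
        raise ValueError("duration cannot be combined with from/to")
    if "duration" in opts:
        return duration_start(opts["duration"], now), now
    start = parse_timestamp(opts["from"]) if "from" in opts else None
    end = parse_timestamp(opts["to"]) if "to" in opts else None
    if start and end and start > end:
        raise ValueError("from must not be later than to")
    return start, end
```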
Usage Examples
splunk-search [ | rest /services/apps ]
splunk-search spl="| rest /services/apps"
set path="services" | set query=concat("| rest /", $("path"), "/apps") | splunk-search spl=$("query")
Output Fields
Output fields are determined by the search query string.