splunk rtsearch
-
Search events before they are indexed and preview reports as the events stream in. Use the rtsearch command exactly as you use the traditional search command. For more information, type "help search".

For a complete reference on Splunk search, search syntax, and all of the search commands, see the online user documentation, starting with:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/AboutCLIsearches

Syntax:
    rtsearch [object] [-parameter <value>]

Note: Parameters that take Boolean values accept {0, false, f, no} as negatives and {1, true, t, yes} as positives.

Objects:
    Search objects are enclosed in single quotes (' ') and can be keywords, expressions, or a series of search commands.

Required Parameters:
    latest_time     time-modifier    relative time modifier for the end time of the search

Optional Parameters:
    app             appname          specify an app context to run the search
    batch           true             indicates how to handle updates in preview mode. Defaults to false.
    detach          true             triggers an asynchronous search and displays the job id and ttl for the search.
    earliest_time   time-modifier    relative time modifier for the start time of the search
    header          false            indicates whether to display a header in the table output mode.
    id              rt_<job id>      search job ID number.
    max_time        number           the length of time in seconds that a search job runs before it is finalized. Defaults to 0, which means no time limit.
    maxout          number           the maximum number of events to return or send to stdout (when exporting events). The maximum allowable value is 10k. Defaults to 0, which means an unlimited number of events is output.
    output          value            indicates how to display the job. Choices are: rawdata, table, csv, raw, and auto. If not specified, defaults to rawdata for non-transforming searches and table for transforming searches.
    preview         false            indicates that reporting searches should be previewed. Defaults to true.
    timeout         number           the length of time in seconds that a search job is allowed to live after running. Defaults to 0, which means the job is cancelled immediately after it is run.
    wrap            false            indicates whether to line wrap individual lines that are longer than the terminal width. Defaults to true.

See what search language is available for use in the CLI by using these help commands:
    search-fields       a full list of search fields
    search-modifiers    a full list of search modifiers
    search-commands     a full list of usable search commands

For more information about how to specify time-modifiers, search the online documentation for "search time modifier".

Examples:
    ./splunk rtsearch 'error' -wrap false
    ./splunk rtsearch 'eventtype=webaccess error | top clientip'
    ./splunk rtsearch 'eventtype=webaccess error' -output csv
    ./splunk rtsearch -id rt_1293485632.11

Type "help [object|topic]" to view help on a specific object or topic.
Complete documentation is available online at: http://docs.splunk.com/Documentation
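As an added example (not part of the Splunk help text above), a small POSIX shell wrapper that replaces the documented "unlimited" defaults (max_time 0, maxout 0) with explicit bounds before launching a real-time search from a script, so an unattended job cannot run or stream output indefinitely. SPLUNK_HOME (default /opt/splunk) and the "eventtype=authentication" search string are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Splunk help text. SPLUNK_HOME is an assumption.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# is_positive_int STRING -> succeeds only for a non-zero unsigned integer
# without leading zeros (rejects "", "abc", "0", "007").
is_positive_int() {
    case "$1" in ''|*[!0-9]*|0*) return 1 ;; esac
    return 0
}

# build_rtsearch SEARCH RUN_SECS MAX_EVENTS
# Prints the rtsearch invocation. The real-time window is RUN_SECS wide
# (earliest rt-<n>s, latest rt, which the page lists as required), the job
# is finalized after RUN_SECS via -max_time, and -maxout is capped at the
# page's documented ceiling of 10k events. SEARCH must not contain a single
# quote, since the object is wrapped in single quotes for the CLI.
build_rtsearch() {
    search="$1"; run_secs="$2"; max_events="$3"
    is_positive_int "$run_secs" \
        || { echo "run_secs must be a positive integer" >&2; return 1; }
    is_positive_int "$max_events" \
        || { echo "max_events must be a positive integer" >&2; return 1; }
    [ "$max_events" -le 10000 ] \
        || { echo "maxout cannot exceed 10000" >&2; return 1; }
    case "$search" in *"'"*)
        echo "search must not contain a single quote" >&2; return 1 ;;
    esac
    printf "%s/bin/splunk rtsearch '%s' -earliest_time rt-%ss -latest_time rt -max_time %s -maxout %s -output csv -wrap false\n" \
        "$SPLUNK_HOME" "$search" "$run_secs" "$run_secs" "$max_events"
}

# run_rtsearch SEARCH RUN_SECS MAX_EVENTS: validate, then execute the
# bounded search; CSV output with wrapping off is easy to pipe onward.
run_rtsearch() {
    cmd=$(build_rtsearch "$@") || return 1
    sh -c "$cmd"
}

# Example call (hypothetical eventtype): watch failed logons for two
# minutes, emitting at most 500 rows, when invoked directly as a script.
if [ "${0##*/}" = "rtsearch_bounded.sh" ]; then
    run_rtsearch 'eventtype=authentication action=failure | stats count by src' 120 500
fi
```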
© Lightnetics 2024