Splunk Admin – Cheat sheet
The Splunk CLI commands are listed here. Please leave a remark if you would like to add any additional commands or make any changes to the ones that are already mentioned.
General Admin

| Task | Command |
| --- | --- |
| Manage the Splunk processes | `splunk [start \| stop \| restart \| status]` |
| Accept the license without a prompt | `splunk start --accept-license` |
| Enable boot start on Linux under a user account (run as root) | `splunk enable boot-start -user <username>` |
| Help | `splunk help` |
| Splunk version | `splunk version` |
| Splunk Web port | `splunk show web-port` |
| Splunk App Server ports | `splunk show appserver-ports` |
| Splunk KV store port | `splunk show kvstore-port` |
| Splunk server name | `splunk show servername` |
| Default host name | `splunk show default-hostname` |
| Change a user's password | `splunk edit user <name> -password <newpassword>` |
| Install an app from the named file on the server | `splunk install app <appfile>` |
| Remove an installed app from this server | `splunk remove app <appfolder>` |
| List files and directories that Splunk is monitoring | `splunk list monitor` |
Licensing

| Task | Command |
| --- | --- |
| On the license master, add a new license | `splunk add licenses <path-to-license-file>` |
| On the license master, list the licenses | `splunk list licenses` |
| Make this instance a license slave | `splunk edit licenser-localpeer -master_uri https://Lic_Master:port` |
| List the license status of this instance | `splunk list licenser-localpeer` |
| On the license master, list all license slaves | `splunk list licenser-peer` |
Index Operations

| Task | Command |
| --- | --- |
| On the indexer, remove all data from an index | `splunk clean eventdata [ -index <indexName> ]` |
| Remove the file pointer for a source from the fishbucket | `splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <source> --reset` |
| Recreate the index files for a bucket | `splunk rebuild <path_to_bucket>` |
Troubleshooting

| Task | Command |
| --- | --- |
| Display the merged on-disk configuration for a conf file | `splunk show config <conf_name>` |
| Check or display the merged configuration for a conf file (`--debug` shows which file each setting comes from) | `splunk btool <conf_name> list [ --debug ]` |
| On an indexer, show all configured receiving ports | `splunk display listen` |
| On a forwarder, show where it is sending its inputs | `splunk list forward-server` |
| On the deployment server, list all clients | `splunk list deploy-clients` |
| Run diag from the cluster manager | `splunk diag --enable=rest` |
| Run diag from the SH cluster captain | `splunk diag` |
Forwarder

| Task | Command |
| --- | --- |
| On a forwarder, forward inputs to the indexer | `splunk add forward-server idx:rport` |
| On a forwarder, remove a configured target indexer | `splunk remove forward-server idx:rport` |
| Set the instance to use the deployment server | `splunk set deploy-poll ds:port` |
| On the deployment server, re-examine the deployment apps | `splunk reload deploy-server` |
Indexer Cluster

| Task | Command |
| --- | --- |
| On the cluster manager, put the cluster in maintenance mode | `splunk [enable \| disable \| show] maintenance-mode` |
| Validate the bundle on the cluster manager | `splunk validate cluster-bundle` |
| Show the status of the bundle deployment (run on the manager) | `splunk show cluster-bundle-status` |
| Apply the cluster manager's apps to all peers (run on the manager) | `splunk apply cluster-bundle` |
| Show the cluster status (run on the manager) | `splunk show cluster-status` |
| Restart all peers from the manager | `splunk rolling-restart cluster-peers` |
| On the manager, remove offline peers entirely from the cluster | `splunk remove cluster-peers -peers guid1,guid2` |
| On the manager, allow searching to begin before the replication factor is met | `splunk set indexing-ready` |
| Make the instance a cluster manager | `splunk edit cluster-config -mode manager -replication_factor 2 -search_factor 2 -secret mycluster` |
| Make this indexer a cluster peer | `splunk edit cluster-config -mode peer -manager_uri https://mgr:port -secret mycluster -replication_port 9000` |
| Give a search head the ability to search a cluster | `splunk edit cluster-config -mode searchhead -manager_uri https://manager:port -secret mycluster` |
| Give a search head the ability to search an additional cluster | `splunk add cluster-manager -manager_uri https://manager:port -secret cluster2` |
| Make the instance the cluster manager of a multisite cluster | `splunk edit cluster-config -mode manager -multisite true -site site1 -available_sites site1,site2 -site_replication_factor origin:1,total:2 -site_search_factor origin:1,total:2 -secret mycluster` |
| Make an indexer a cluster peer in a multisite cluster | `splunk edit cluster-config -manager_uri https://manager:port -mode slave -site site1 -replication_port 9000 -secret mycluster` |
| Give a search head the ability to search a multisite cluster | `splunk edit cluster-config -mode searchhead -manager_uri https://manager:port -site site1 -secret mycluster` |
| Take a peer offline (with `--enforce-counts`, take it offline permanently) | `splunk offline [ --enforce-counts ]` |
Search Head Cluster

| Task | Command |
| --- | --- |
| Show the status of the SH cluster (run on any member) | `splunk show shcluster-status` |
| List the members of the SH cluster (run on any member) | `splunk list shcluster-members` |
| On a search head, add a distributed search peer | `splunk add search-server peer:port -remoteUsername user -remotePassword pass` |
| Restart all members of the SH cluster | `splunk rolling-restart shcluster-members` |
| Install an app on all SH cluster members (run on the deployer) | `splunk apply shcluster-bundle` |
| Remove an SH member from the cluster (run on the member) | `splunk remove shcluster-member` |
| Permanently disable SH clustering on this instance | `splunk disable shcluster-config` |
| From another instance, remove an SH cluster member | `splunk remove shcluster-member -mgmt_uri https://thatSH:port` |
| Help an SHC member get back in sync | `splunk resync shcluster-replicated-config` |
| Initialize a search head when creating an SH cluster | `splunk init shcluster-config -mgmt_uri https://thisSH:port -replication_port 9200 -secret cluster2` |
| Assign a captain and set the member list on the new captain | `splunk bootstrap shcluster-captain -servers_list https://SH2:port,https://SH3:port,https://SH4:port` |
| Add this search head to an existing SH cluster | `splunk add shcluster-member -current_member_uri https://existingmember:port` |
| Add a new search head to an existing SH cluster | `splunk add shcluster-member -new_member_uri https://new_member:port` |