# Splank

CLI tool for querying Splunk logs.

## Install

```bash
uv tool install splank
```

## Setup

```bash
splank init
```

This creates `~/.config/splank/credentials.toml` with your Splunk credentials.
## Configuration

The credentials file supports multiple profiles:

```toml
default_profile = "prod"

[profiles.prod]
host = "splunk.example.com"
port = 8089
token = "your-token-here"
verify_ssl = true

[profiles.qa]
host = "splunk-qa.example.com"
port = 8089
username = "admin"
password = "changeme"
verify_ssl = true
```

## Usage
```bash
# Search (uses default profile)
splank search 'index=main Level=ERROR' -m 10

# Search using specific profile
splank -p qa search 'index=main Level=ERROR'

# Discover indexes
splank discover 'web*'

# Discover with field info
splank discover 'app-*' --fields -o DISCOVERY.md

# Manage jobs
splank jobs
splank clear
```

## Commands

- `init` - Create credentials file
- `search` - Execute SPL query
- `discover` - Discover available indexes
- `jobs` - List search jobs
- `clear` - Clear my search jobs
## Search Options

```bash
splank search 'index=main Level=ERROR' [options]
```

| Option | Description |
|---|---|
| `-e, --earliest` | Earliest time (default: `-24h`) |
| `-l, --latest` | Latest time (default: `now`) |
| `-m, --max-results` | Max results (default: 100) |
| `-f, --format` | Output format: `json`, `csv`, `table`, `toon` (default: `toon`) |
| `-o, --output` | Output file (default: stdout) |
| `--internal` | Include internal Splunk fields (`_bkt`, `_cd`, etc.) |
| `-w, --width` | Truncate field values to N chars (default: 500, 0 = no limit) |
| `-z, --zoom` | Parse JSON from `_raw` and output as toon |

By default, the internal Splunk fields (`_bkt`, `_cd`, `_indextime`, `_serial`, `_si`, `_sourcetype`, `_subsecond`) are hidden. Use `--internal` to show them.

The `--zoom` flag is useful when log lines contain JSON: it extracts and parses the JSON from `_raw`, outputs it in toon format (compact and human-readable), and ignores the Splunk metadata.
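As an added illustration of the `--internal`, `--width` and `--zoom` semantics described above (this is not splank's own code; the event shape and log lines are constructed samples, and the toon encoding is left out, so the function returns plain dicts):

```python
import json

# Fields splank hides unless --internal is given (list taken from the README above).
INTERNAL_FIELDS = {"_bkt", "_cd", "_indextime", "_serial", "_si", "_sourcetype", "_subsecond"}

# Constructed sample events in the shape of Splunk search results (not real data).
SAMPLE_EVENTS = [
    {"_time": "2026-01-12T10:00:00.000+00:00", "host": "web-01", "index": "main",
     "_raw": '2026-01-12 10:00:00 ERROR {"msg": "db timeout", "user": "alice", "ms": 5012}',
     "_bkt": "main~12~ABC", "_cd": "12:345", "_serial": "0"},
    {"_time": "2026-01-12T10:00:01.000+00:00", "host": "web-02", "index": "main",
     "_raw": "plain text line with no json",
     "_bkt": "main~12~ABC", "_cd": "12:346", "_serial": "1"},
]


def truncate(value, width: int) -> str:
    """Mirror -w/--width: cut a field value to N chars; 0 means no limit."""
    text = value if isinstance(value, str) else json.dumps(value)
    return text if width == 0 else text[:width]


def extract_json(raw: str):
    """Return the first JSON object embedded in a _raw line, or None if there is none.

    Log lines usually carry a timestamp/level prefix before the JSON, so we scan for
    each '{' and let raw_decode tell us whether a valid object starts there.
    """
    decoder = json.JSONDecoder()
    start = raw.find("{")
    while start != -1:
        try:
            obj, _end = decoder.raw_decode(raw, start)
            return obj
        except json.JSONDecodeError:
            start = raw.find("{", start + 1)  # skip a brace that is not JSON
    return None


def render_event(event: dict, internal: bool = False, width: int = 500, zoom: bool = False) -> dict:
    """Apply the search-option filtering to one event (hypothetical helper, not splank's)."""
    if zoom:
        parsed = extract_json(event.get("_raw", ""))
        if parsed is not None:
            return parsed  # --zoom: only the parsed payload, Splunk metadata dropped
        # A line without JSON falls through to the normal rendering so it is not lost.
    kept = {k: v for k, v in event.items() if internal or k not in INTERNAL_FIELDS}
    return {k: truncate(v, width) for k, v in kept.items()}
```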
## Global Options

- `-p, --profile` - Splunk profile to use (e.g., `qa`, `prod`)
- `-V, --version` - Show version
Created January 12, 2026
Updated March 20, 2026