CLI tool for Splunk Enterprise SIEM operations.
Query, inspect, and manage a remote Splunk Enterprise instance from your laptop. Built on the splunk-sdk-python fork with Click.
```sh
pip install splunkctl
pip install git+https://github.com/dannyota/splunk-sdk-python@splunkctl
```

Requires Python 3.13+. The second line installs the forked SDK, which adds dashboard, lookup, and HEC token support. Without it, the core commands (search, rules, alerts, indexes, inputs, apps, users) still work.
```sh
git clone https://github.com/dannyota/splunkctl
cd splunkctl
pip install -e .
splunkctl --version
```

```sh
splunkctl config init # interactive setup
splunkctl doctor # check connection, auth, permissions
splunkctl search run 'index=main | head 10' # run a search
splunkctl rules list # list detection rules
```

| Group | Description |
|---|---|
| doctor | Connection, auth, health, and permissions check |
| config | Setup, show config, test connectivity |
| info | Server info (version, OS, license) |
| search | Run, export, oneshot, upload, job management |
| rules | Detection rules — CRUD, import/export (YAML) |
| alerts | Fired alerts, alert actions, suppression |
| dashboards | Dashboard CRUD (XML) |
| indexes | Index management |
| inputs | Data inputs (monitor, tcp, udp, script, http) |
| lookups | Lookup table CRUD (CSV, mmdb) |
| hec | HEC token management |
| parsers | Source types and field extractions |
| apps | App install (.spl/.tar.gz), uninstall, update |
| users | User and role management |
| commands | Machine-readable command tree (JSON) |
| skill | Embedded agent operating guide |
Export existing rules to YAML, version control them, deploy across instances:

```sh
splunkctl rules export --path detections.yml
splunkctl rules import --path detections.yml # dry-run preview
splunkctl --yes rules import --path detections.yml # apply
```

Upload files from your laptop without SSH access to the server:
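The export / preview / apply loop above is a plan-and-apply model: the tool diffs the YAML file against what the server currently has, shows the diff, and only writes when the operator passes `--yes`. The script below is an added example of that model, not splunkctl's own code. It assumes rules are Splunk saved searches (the page's `name`/`cron` fields read that way), that the YAML file is a list of mappings with at least `name` and `search`, and that connection details come from `SPLUNK_HOST`, `SPLUNK_PORT`, `SPLUNK_USER` and `SPLUNK_PASSWORD` (environment variable names chosen for this example). Server access uses the upstream splunklib client API; the `--prune` flag is likewise this example's own.

```python
"""Plan/apply for detections-as-code, mirroring the preview-then---yes rule:
compute what would change, print it, write to Splunk only on --yes.

Added example, not splunkctl's own code. Assumes rules are saved searches
and that the YAML file is a list of mappings with `name` and `search`.
"""
from __future__ import annotations

import json
import os
import sys
from typing import Any

# Saved-search attributes under version control; anything else is left alone.
MANAGED_KEYS = ("search", "cron_schedule", "is_scheduled", "disabled", "description")

# Constructed sample data so the preview can be exercised without a server.
SAMPLE_DESIRED = [
    {"name": "Brute force", "search": "index=auth action=failure | stats count by src",
     "cron_schedule": "*/5 * * * *", "is_scheduled": True},
    {"name": "New admin", "search": "index=audit action=add_role", "disabled": False},
]
SAMPLE_EXISTING = [  # shaped like snapshot_rules() output: every value a string
    {"name": "Brute force", "search": "index=auth action=failure | stats count by src",
     "cron_schedule": "0 * * * *", "is_scheduled": "1", "disabled": "0"},
    {"name": "Old rule", "search": "index=old | head 1", "disabled": "0"},
]


def normalize(rule: dict[str, Any]) -> dict[str, str]:
    """Keep only managed keys, as strings. Splunk's REST API returns every
    attribute as a string ("1"/"0" for booleans), so comparing strings avoids
    false diffs between YAML `true` and the server's "1"."""
    out: dict[str, str] = {}
    for key in MANAGED_KEYS:
        value = rule.get(key)
        if value is None:
            continue
        if isinstance(value, bool):
            value = "1" if value else "0"
        out[key] = str(value)
    return out


def plan_import(desired: list[dict], existing: list[dict], prune: bool = False) -> dict[str, list]:
    """Diff desired rules (YAML) against existing ones (server snapshot).
    Deletion is opt-in via prune=True so a partial YAML file can never wipe
    rules it does not mention."""
    have = {r["name"]: normalize(r) for r in existing}
    plan: dict[str, list] = {"create": [], "update": [], "delete": [], "unchanged": []}
    for rule in desired:
        name, want = rule["name"], normalize(rule)
        if name not in have:
            plan["create"].append({"name": name, **want})
            continue
        changes = {k: (have[name].get(k), v) for k, v in want.items() if have[name].get(k) != v}
        if changes:
            plan["update"].append({"name": name, "changes": changes})
        else:
            plan["unchanged"].append(name)
    if prune:
        wanted = {r["name"] for r in desired}
        plan["delete"] = sorted(n for n in have if n not in wanted)
    return plan


def snapshot_rules(service) -> list[dict]:
    """Read current saved searches through splunklib (needs network access)."""
    return [{"name": s.name, **s.content} for s in service.saved_searches]


def apply_plan(service, plan: dict[str, list]) -> None:
    """Write the plan to the server; called only after the operator passed --yes."""
    for rule in plan["create"]:
        attrs = {k: v for k, v in rule.items() if k not in ("name", "search")}
        service.saved_searches.create(rule["name"], rule["search"], **attrs)
    for item in plan["update"]:
        service.saved_searches[item["name"]].update(**{k: new for k, (_, new) in item["changes"].items()})
    for name in plan["delete"]:
        service.saved_searches.delete(name)


def main(argv: list[str]) -> int:
    """Usage: python rules_plan.py detections.yml [--prune] [--yes]; no args runs the offline demo."""
    if len(argv) < 2:
        print(json.dumps(plan_import(SAMPLE_DESIRED, SAMPLE_EXISTING), indent=2))
        return 0
    import yaml  # PyYAML
    from splunklib import client  # splunk-sdk-python
    with open(argv[1]) as fh:
        desired = yaml.safe_load(fh)
    service = client.connect(host=os.environ["SPLUNK_HOST"],  # env names assumed for this example
                             port=int(os.environ.get("SPLUNK_PORT", "8089")),
                             username=os.environ["SPLUNK_USER"],
                             password=os.environ["SPLUNK_PASSWORD"])
    plan = plan_import(desired, snapshot_rules(service), prune="--prune" in argv)
    print(json.dumps(plan, indent=2))
    if "--yes" not in argv:
        print("dry run: pass --yes to apply", file=sys.stderr)
        return 0
    apply_plan(service, plan)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points carry over to any detections-as-code pipeline: compare values in the server's own representation (all strings) so a YAML boolean does not show up as a perpetual diff, and make deletion a separate opt-in so a partial export cannot silently remove rules owned by another team.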
```sh
# Upload threat intel, logs, or sample data for indexing
splunkctl --yes search upload --path threats.csv --index threat_intel --sourcetype csv
# Upload lookup tables (CSV or GeoIP mmdb)
splunkctl --yes lookups upload --name threats.csv --path threats.csv
# Install apps from local .spl/.tar.gz packages
splunkctl --yes apps install --path TA_windows.spl
```

```sh
splunkctl doctor # check everything: connection, auth, health, permissions
splunkctl doctor --json # machine-readable output
```

```
--json          Force JSON output
--format FMT    Output format: table, json, csv, jsonl
--fields f1,f2  Project specific fields
--out FILE      Write output to file
--yes / -y      Apply mutations (skip dry-run preview)
--timeout N     Request timeout in seconds (default 30)
--config FILE   Config file path
--debug         HTTP request/response logging
```
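The output flags above describe a small output model: pick a format, project the requested fields, and write either to the terminal or to a file. The following is an added example of that model, not splunkctl's own code; the precedence it uses (`--format` over `--json` over TTY detection) and the sample rows are this example's own assumptions.

```python
"""Output selection and field projection in the style of the global flags:
--format wins, then --json, otherwise table on a TTY and JSON when piped.

Added example, not splunkctl's own code; precedence and rows are constructed.
"""
from __future__ import annotations

import csv
import io
import json
import sys
from pathlib import Path
from typing import Iterable

FORMATS = ("table", "json", "csv", "jsonl")

# Constructed rows, shaped like a `rules list` result.
SAMPLE_ROWS = [
    {"name": "Brute force", "cron": "*/5 * * * *", "disabled": "0"},
    {"name": "New admin", "cron": "0 * * * *", "disabled": "1"},
]


def choose_format(explicit: str | None, force_json: bool, isatty: bool) -> str:
    """--format FMT beats --json, which beats the TTY/pipe default."""
    if explicit is not None:
        if explicit not in FORMATS:
            raise ValueError(f"unknown format {explicit!r}; expected one of {FORMATS}")
        return explicit
    if force_json:
        return "json"
    return "table" if isatty else "json"


def project(rows: Iterable[dict], fields: list[str] | None) -> list[dict]:
    """Apply --fields f1,f2: keep only the named keys, in the order given."""
    rows = list(rows)
    if not fields:
        return [dict(r) for r in rows]
    return [{f: r.get(f) for f in fields} for r in rows]


def render(rows: Iterable[dict], fmt: str) -> str:
    """Serialise rows in one of the supported formats."""
    rows = list(rows)
    if fmt == "json":
        return json.dumps(rows, indent=2)
    if fmt == "jsonl":
        return "\n".join(json.dumps(r, separators=(",", ":")) for r in rows)
    columns: list[str] = []  # union of keys, first-seen order
    for r in rows:
        columns += [k for k in r if k not in columns]
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()
    if fmt == "table":
        cell = lambda r, c: "" if r.get(c) is None else str(r[c])
        widths = {c: max([len(c)] + [len(cell(r, c)) for r in rows]) for c in columns}
        lines = [" ".join(c.ljust(widths[c]) for c in columns),
                 " ".join("-" * widths[c] for c in columns)]
        lines += [" ".join(cell(r, c).ljust(widths[c]) for c in columns) for r in rows]
        return "\n".join(lines)
    raise ValueError(f"unknown format {fmt!r}")


def emit(rows, *, fmt=None, force_json=False, fields=None, out=None) -> str:
    """Glue for the CLI: choose, project, render, then print or write --out FILE."""
    text = render(project(rows, fields), choose_format(fmt, force_json, sys.stdout.isatty()))
    if out:
        Path(out).write_text(text + "\n")
    else:
        print(text)
    return text


if __name__ == "__main__":
    emit(SAMPLE_ROWS, fields=["name", "cron"])
```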
All write operations preview what would change. Pass --yes to apply.

```sh
splunkctl rules delete 'My Rule' # shows preview only
splunkctl rules delete 'My Rule' --yes # actually deletes
```

```sh
splunkctl rules list # table (TTY) or JSON (pipe)
splunkctl rules list --json # force JSON
splunkctl rules list --format csv # CSV
splunkctl rules list --fields name,cron # project fields
splunkctl rules list --out rules.json # write to file
```

splunkctl depends on a fork of splunk-sdk-python that adds entity classes missing from the upstream SDK:
| Entity | Service property | Purpose |
|---|---|---|
| Dashboard | service.dashboards | Dashboard CRUD |
| LookupTableFile | service.lookup_table_files | Lookup table metadata + download |
| HECToken | service.hec_tokens | HEC token management |
Install the fork directly:

```sh
pip install git+https://github.com/dannyota/splunk-sdk-python@splunkctl
```

splunkctl ships with an embedded operating guide for AI agents (Claude Code, etc.):

```sh
splunkctl skill # print the guide
splunkctl skill install # install to ~/.claude/skills/
splunkctl commands # JSON command tree for discovery
```

Apache-2.0