Splunk Processing Language (SPL) serves as the backbone for searching and analyzing machine data within the Splunk platform. This powerful query language enables analysts to extract meaningful insights from massive volumes of log data. Organizations rely on SPL to monitor applications, detect security threats, and troubleshoot system issues in real time.
The addinfo command enriches your search results by appending metadata about the search itself. Suppose you are investigating a security incident and need to document exactly when your analysis occurred and what time range was examined. The addinfo command captures this information automatically, making your investigation auditable and reproducible.
Understanding the addinfo Command
The addinfo command operates by injecting several specialized fields into each event in your search results. These fields contain information about the search execution itself rather than the data being searched. Think of it as adding a metadata layer that describes the context of your analysis.
When you run a search with addinfo, Splunk automatically creates fields such as info_min_time and info_max_time. These fields represent the earliest and latest times in your search window. It also adds info_search_time, which captures the exact moment when the search began executing. The info_sid field provides a unique identifier for each search, enabling you to reference specific queries later.
This metadata becomes part of each result row. You can use these fields in subsequent SPL commands just like any other field. This takes the hassle out of manually calculating time ranges or tracking search IDs.
Benefits of the addinfo Command
1. Improved Search Auditability & Documentation
The addinfo command automatically records when searches execute and what time ranges are covered. This creates a built-in audit trail for compliance and investigation purposes. Teams can easily reconstruct past analyses by referencing the search metadata, which proves essential during incident reviews or regulatory audits.
2. Enhanced Scheduled Search Reliability
Scheduled searches benefit significantly from addinfo because you can verify the exact time windows each search execution covers. This helps identify gaps in coverage or overlapping time ranges. As a result, administrators can troubleshoot scheduling issues more effectively and ensure continuous monitoring without blind spots.
3. Better Dashboard Context & Troubleshooting
Dashboards that incorporate addinfo fields provide users with clear context about when data was last refreshed. Users can see the search time range directly within their visualizations. Consequently, this transparency reduces confusion and helps teams trust the data they’re viewing, especially during critical operational situations.
Basic Syntax
The syntax for addinfo is straightforward. You simply append the command to your search pipeline; it takes no required arguments. A minimal example looks like this:
index=main sourcetype=access_combined | addinfo
You can place addinfo anywhere in your search pipeline, though it will often be used after your initial search criteria and before analysis commands.
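To see exactly which fields addinfo produces without reading any indexed data, you can run it against a single generated event. The following search is an added example and is not from the original post. It relies on Splunk's documented behaviour that, when the time picker is set to All time, info_min_time is 0 and info_max_time is the string +Infinity, which would make a naive window calculation fail; treat that behaviour as something to confirm in your own environment.

```spl
| makeresults
| addinfo
| eval all_time=if(info_max_time="+Infinity", "yes", "no")
| eval search_window_hours=if(all_time="yes", null(), round((info_max_time-info_min_time)/3600,2))
| eval analyzed_at=strftime(info_search_time,"%Y-%m-%d %H:%M:%S")
| table info_sid, info_min_time, info_max_time, info_search_time, analyzed_at, search_window_hours, all_time
```

Run it once with a bounded range such as the last 24 hours and once with All time: in the first case search_window_hours reads 24 and all_time reads no; in the second case the window is left empty rather than producing an error or a meaningless value. The same guard is worth adding to any report that subtracts info_min_time from info_max_time.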
Usage Examples & Practical Applications
Example #1: Security Incident Documentation with Authentication Data
Security analysts frequently need to document the exact scope of their investigations. When examining failed authentication attempts, knowing precisely when you ran your analysis and what time window you covered becomes critical for reporting.
Consider a scenario where you’re investigating potential brute force attacks. By using the Common Information Model’s Authentication data model, you can track failed login attempts while documenting your search parameters. The following SPL accomplishes this:
| datamodel Authentication Authentication search
| search Authentication.action=failure
| addinfo
| eval search_window_hours=round((info_max_time-info_min_time)/3600,2)
| eval analyzed_at=strftime(info_search_time,"%Y-%m-%d %H:%M:%S"), info_min_time=strftime(info_min_time,"%Y-%m-%d %H:%M:%S"), info_max_time=strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
| stats count by Authentication.user, Authentication.src, info_min_time, info_max_time, search_window_hours, analyzed_at
This search queries authentication failures from the CIM data model. It adds search metadata and calculates the time window examined. The results include clear documentation of when the analysis occurred and what period it covered, which satisfies audit requirements.
Example #2: Performance Monitoring with Network Traffic
Network operations teams need to monitor bandwidth utilization trends over time. However, they also need to know whether their monitoring searches are running on schedule and covering the correct time periods. The addinfo command provides this verification layer.
Using the Network Traffic data model from CIM, you can create a monitoring search that tracks its own execution. Here’s an example:
| datamodel Network_Traffic All_Traffic search
| addinfo
| stats sum(All_Traffic.bytes) as total_bytes by All_Traffic.src, All_Traffic.dest, info_sid, info_search_time
| eval bytes_mb=round(total_bytes/1024/1024,2)
| eval search_timestamp=strftime(info_search_time,"%Y-%m-%d %H:%M:%S")
| table search_timestamp, All_Traffic.src, All_Traffic.dest, bytes_mb, info_sid
This search aggregates network traffic by source and destination, grouped by the time the search ran and the search's unique identifier. Operations teams can then verify that scheduled searches execute properly and investigate any anomalies in search timing.
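The verification idea above can be taken one step further by having each scheduled run record its own window and then checking those records for gaps or overlaps. The following is an added example, not part of the original post. It assumes a scheduled hourly search with earliest=-1h@h and latest=@h that writes one summary event per run into an index named search_audit with the source sched:failed_auth_hourly; both names are placeholders. The first search in the block is that scheduled job; the second, after the blank line, is the coverage check you run afterwards.

```spl
| datamodel Authentication Authentication search
| search Authentication.action=failure
| stats count as failures
| addinfo
| collect index=search_audit source="sched:failed_auth_hourly"

index=search_audit source="sched:failed_auth_hourly"
| fields info_sid, info_min_time, info_max_time, info_search_time, failures
| sort 0 info_min_time
| streamstats current=f window=1 last(info_max_time) as prev_max_time, last(info_sid) as prev_sid
| eval delta_seconds=info_min_time-prev_max_time
| eval status=case(isnull(prev_max_time), "first run", delta_seconds>0, "gap", delta_seconds<0, "overlap", true(), "contiguous")
| eval ran_at=strftime(info_search_time,"%Y-%m-%d %H:%M:%S"), window_start=strftime(info_min_time,"%Y-%m-%d %H:%M:%S"), window_end=strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
| table ran_at, info_sid, window_start, window_end, prev_sid, delta_seconds, failures, status
| where status!="contiguous"
```

Two design choices matter here. Placing addinfo after stats rather than before it means the job still emits a single row (with failures=0) and therefore a single audit event even when no authentication failures occurred, so a missing audit event can only mean the run itself did not happen. In the check, streamstats with current=f and window=1 carries the previous run's end time forward, so delta_seconds is the distance between consecutive windows: a positive value is uncovered time, a negative value is double-counted time, and zero is the expected result for back-to-back hourly windows.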
Conclusion
The addinfo command represents a small but powerful addition to your Splunk searches. By automatically capturing search metadata, it transforms ordinary queries into self-documenting analyses that support compliance, troubleshooting, and operational excellence. Throughout this post, we’ve explored how this command enriches your data with contextual information that proves invaluable in real-world scenarios.
Integrating addinfo into your daily Splunk activities requires minimal effort but delivers substantial benefits. Whether you’re conducting security investigations, monitoring system performance, or managing compliance requirements, this command provides the metadata layer that makes your work auditable and reproducible. As you develop more sophisticated searches and dashboards, the value of this metadata grows exponentially.
To access more Splunk searches, check out Atlas Search Library, which is part of the Atlas Platform. Specifically, Atlas Search Library offers a curated list of optimized searches. These searches empower Splunk users without requiring SPL knowledge. Furthermore, you can create, customize, and maintain your own search library. By doing so, you ensure your users get the most from using Splunk.