https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680639#M113709 <P>This is working when we query directly from Splunk Search..&nbsp;</P> <LI-CODE lang="markup">| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?&lt;host&gt;.*),(?&lt;mode&gt;.*)" | table host mode | outputlookup atlassian_maintenance.csv</LI-CODE> <P>&nbsp;</P> <P>But when we try hitting using curl and its failing .&nbsp;</P> <LI-CODE lang="markup">curl -k -u admin:Vzadmin@12 https://dallpsplsh01sp.tpd-soe.net:8089/servicesNS/admin/SRE/search/jobs/export -d search="| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?&lt;host&gt;.*),(?&lt;mode&gt;.*)" | table host mode | outputlookup atlassian_maintenance.csv"</LI-CODE> <P>&nbsp;</P> <P>-bash: syntax error near unexpected token `?'</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 14 Mar 2024 10:57:34 GMT Maries 2024-03-14T10:57:34Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680630#M113707 <P>Hi,</P><P>&nbsp;</P><P>I'm trying to write data to outputlookup file by doing a REST API Call (by running a search query).</P><P>The below command works and writes data to outputlookup csv file when running the search directly from Splunk.</P><P><STRONG>| stats count as field1 | eval field1="host_abc;host_def" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?&lt;host&gt;.*)" | table host | outputlookup test_maintenance.csv</STRONG></P><P>But this is not working when executing the above search using REST API.</P><P><STRONG>Getting the below error "Unbalanced quotes" when running the below command</STRONG></P><P>curl -k -u admin:admin <A href="https://splunksearchnode:8089/servicesNS/admin/search/jobs/export" target="_blank" rel="noopener">https://splunksearchnode:8089/servicesNS/admin/search/jobs/export</A> -d search="| stats count as field1 | eval field1=\"host_abc;host_def\" | eval field1=split(field1,\";\") | mvexpand field1 | rex field=field1 \"(?&lt;host&gt;.*)\" | table host | outputlookup test_maintenance.csv"</P><P><STRONG>Getting the below error&nbsp; when running the below command</STRONG></P><P><STRONG>Error :&nbsp;Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '\'host_abc'.&lt;/msg&gt;&lt;/messages&gt;&lt;/response&gt;</STRONG></P><P>curl -k -u admin:admin <A href="https://splunksearchnode:8089/servicesNS/admin/search/jobs/export" target="_blank" rel="noopener">https://splunksearchnode:8089/servicesNS/admin/search/jobs/export</A> -d search='| stats count as field1 | eval field1=\"host_abc;host_def\" | eval field1=split(field1,\";\") | mvexpand field1 | rex field=field1 \"(?&lt;host&gt;.*)\" | table host | outputlookup test_maintenance.csv'</P><P>Appreciate your help.</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Mar 2024 04:02:15 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680630#M113707 Maries 2024-03-14T04:02:15Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680635#M113708 <P>Hi,</P><P>can you please remove the "\" and give a try</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Karthi_0-1710396893621.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29742iDE18B30A28056DD0/image-size/medium?v=v2&amp;px=400" role="button" title="Karthi_0-1710396893621.png" alt="Karthi_0-1710396893621.png" /></span></P><P>&nbsp;</P> Thu, 14 Mar 2024 06:15:25 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680635#M113708 Karthi 2024-03-14T06:15:25Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680639#M113709 <P>This is working when we query directly from Splunk Search..&nbsp;</P> <LI-CODE lang="markup">| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?&lt;host&gt;.*),(?&lt;mode&gt;.*)" | table host mode | outputlookup atlassian_maintenance.csv</LI-CODE> <P>&nbsp;</P> <P>But when we try hitting using curl and its failing .&nbsp;</P> <LI-CODE lang="markup">curl -k -u admin:Vzadmin@12 https://dallpsplsh01sp.tpd-soe.net:8089/servicesNS/admin/SRE/search/jobs/export -d search="| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?&lt;host&gt;.*),(?&lt;mode&gt;.*)" | table host mode | outputlookup atlassian_maintenance.csv"</LI-CODE> <P>&nbsp;</P> <P>-bash: syntax error near unexpected token `?'</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 14 Mar 2024 10:57:34 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680639#M113709 Maries 2024-03-14T10:57:34Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680645#M113710 <P>Hi</P><P>please don't add your admin user + it's pass to any posts. Or actually write those on cmd as those are stored into history files and/or are seen on process list! Much better way is to read those into variable and then use that on queries. You could do it like</P><P>&nbsp;</P><LI-CODE lang="markup">read USERPASS admin:&lt;your pass here&gt; ^D curl -ku $USERPASS .....</LI-CODE><P>&nbsp;</P><P>Also don't add your real node name into examples!</P><P>As you are in linux/*nix you could replace those outer " with ' and then it should work. Then you are not needs \" inside your SPL.</P><LI-CODE lang="markup">curl -ku $USERPASS https://&lt;your splunk SH&gt;:&lt;mgmt port&gt;/servicesNS/admin/SRE/search/jobs/export -d search='| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?&lt;host&gt;.*),(?&lt;mode&gt;.*)" | table host mode | outputlookup atlassian_maintenance.csv'</LI-CODE><P>In windows this didn't work ;-(</P><P>r. Ismo&nbsp;</P> Thu, 14 Mar 2024 07:41:55 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680645#M113710 isoutamo 2024-03-14T07:41:55Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680648#M113712 <P>Hi Maries,</P> <P>Please try with the below search</P> <LI-CODE lang="markup">&lt;your curl command&gt; -d search= "search index=&lt;indexname&gt; | stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 \"(?&lt;host&gt;.*),(?&lt;mode&gt;.*)\" | table host mode | outputlookup atlassian_maintenance.csv"</LI-CODE> Thu, 14 Mar 2024 10:58:30 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Rest-API-Curl-Failing-with-Unbalanced-Quotes/m-p/680648#M113712 kartm2020 2024-03-14T10:58:30Z