https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353816#M104726 <P>It might help to post the real query, because so far there are only snippets of it. Also it would be good to tell what did not work with the <CODE>--data-urlencode</CODE>.</P> Thu, 15 Mar 2018 00:23:48 GMT MuS 2018-03-15T00:23:48Z https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353812#M104722 <P>Hi; I have a query that ends as follows</P> <PRE><CODE>| stats count(eval(HttpStatus LIKE "2__")) AS success count(eval(HttpStatus LIKE "5__")) AS fail count as total by host </CODE></PRE> <P>And under the Splunk UI environment I get my results as desired.<BR /> But the issue I see is when I use the exact same query under the Splunk CLI/CURL call to the service, i get the following response</P> <PRE><CODE>{'messages': [{'type': 'FATAL', 'text': "Error in 'stats' command: The eval expression for dynamic field 'eval(HttpStatus LIKE 2__)' is invalid. Error='The operator at '__' is invalid.'"}]} </CODE></PRE> <P>I've tried different variations of encapsulating the "httpstatus" field but non of them were successful (tried escaping characters also)</P> <P>Please advise in solving this issue<BR /> Much appreciated</P> <UL> <LI>Randy</LI> </UL> Wed, 14 Mar 2018 22:30:31 GMT https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353812#M104722 h0riz0nhk 2018-03-14T22:30:31Z https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353813#M104723 <P>Hi h0riz0nhk,</P> <P>this works just fine for me:</P> <PRE><CODE>curl -k -u user:password <A href="https://hostname:8089/services/search/jobs/export" target="test_blank">https://hostname:8089/services/search/jobs/export</A> --data-urlencode 'search=search index="_internal" | stats count(eval(sourcetype LIKE "splunk%")) AS st_splunk count AS total by host ' -d output_mode=csv </CODE></PRE> <P>and the result is this:</P> <PRE><CODE>host,"st_splunk",total hostname,308212,310456 </CODE></PRE> <P>the important thing here is to use <CODE>--data-urlencode</CODE> otherwise it will fail because of the <CODE>"</CODE>.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 14 Mar 2018 23:00:21 GMT https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353813#M104723 MuS 2018-03-14T23:00:21Z https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353814#M104724 <P>Sadly the <CODE>--data-urlencode</CODE> didn't work for me, but finally found a solution</P> <P>Essentially i had a query builder and had to encapsulate the <CODE>search=\'' + search query +'\'</CODE> correctly<BR /> (was being lazy with <CODE>search="' + search query +'"</CODE>)</P> Wed, 14 Mar 2018 23:59:23 GMT https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353814#M104724 h0riz0nhk 2018-03-14T23:59:23Z https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353815#M104725 <P>Fixed by changing the encapsulate part of my function to not be lazy<BR /> <CODE>search="' + search_query + '"</CODE><BR /> to<BR /> <CODE>search=\'' + search_query + '\'</CODE></P> Thu, 15 Mar 2018 00:01:08 GMT https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353815#M104725 h0riz0nhk 2018-03-15T00:01:08Z https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353816#M104726 <P>It might help to post the real query, because so far there are only snippets of it. Also it would be good to tell what did not work with the <CODE>--data-urlencode</CODE>.</P> Thu, 15 Mar 2018 00:23:48 GMT https://community.splunk.com/t5/Splunk-Search/Query-doesn-t-work-under-CURL-call-but-is-fine-under-user/m-p/353816#M104726 MuS 2018-03-15T00:23:48Z