topic Re: CLI Search Command: Why does search that includes a field name fail? in Splunk Search

CLI Search Command: Why does search that includes a field name fail?

williamcharlton — Mon, 07 Oct 2019 15:09:08 GMT

This cli search command works from a machine with a universal forwarder:

splunk search "index="foo" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

Output in cmd window:

INFO: Your timerange was substituted based on your search string

bar        first(SensorDateTime)
---------- ------------------------------------
C:\x\A.txt 10/2/2019 9:59:11 PM
C:\x\B.txt 10/2/2019 9:59:11 PM
C:\x\C.txt 10/2/2019 9:59:11 PM
C:\x\D.txt 10/2/2019 9:59:11 PM
C:\x\E.txt 10/2/2019 9:59:11 PM
C:\x\F.txt 10/2/2019 9:59:11 PM
C:\x\G.txt 10/2/2019 9:59:11 PM
C:\x\H.txt 10/2/2019 9:59:11 PM
C:\x\I.txt 10/2/2019 9:59:11 PM
C:\x\J.txt 10/2/2019 9:59:11 PM
C:\y\A.txt 9/30/2019 9:53:20 PM
C:\y\B.txt 9/30/2019 9:53:20 PM
C:\y\C.txt 9/30/2019 9:53:20 PM
C:\y\D.txt 9/30/2019 9:53:20 PM
C:\y\E.txt 9/30/2019 9:53:20 PM
C:\y\F.txt 9/30/2019 9:53:20 PM
C:\y\G.txt 9/30/2019 9:53:20 PM
C:\y\H.txt 9/30/2019 9:53:20 PM
C:\y\I.txt 9/30/2019 9:53:20 PM
C:\y\J.txt 9/30/2019 9:53:20 PM

But, when I do this:

splunk search "index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

splunk search "index="foo" bar="C:\\x\\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

I get nothing back. I expect to get back one event:

 bar        first(SensorDateTime)
 ---------- -------------------------------------
 C:\x\A.txt 10/2/2019 9:59:11 PM

Why can't I include bar="C:\x\A.txt" in my search and get results?

p.s. This search works fine when I execute it from the indexer or search head web page:

Re: CLI Search Command: Why does search that includes a field name fail?

ololdach — Mon, 07 Oct 2019 16:25:03 GMT

Try single quotes around your search: splunk search 'index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar' -preview false -uri https://indexer:8089

Re: CLI Search Command: Why does search that includes a field name fail?

williamcharlton — Mon, 07 Oct 2019 17:25:17 GMT

tried it - batch file crashed:

'stats' is not recognized as an internal or external command, operable program or batch file.

I'm pretty sure apostrophes (single quotes) are ignored by cmd.exe

Can't find a Microsoft source, but:

What does single quote do in windows batch files?

https://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files

Single quotes are not used at all by
the cmd.exe command processor except
to enclose the command to run within a
FOR /F statement:

Re: CLI Search Command: Why does search that includes a field name fail?

williamcharlton — Mon, 07 Oct 2019 17:34:34 GMT

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

Re: CLI Search Command: Why does search that includes a field name fail?

williamcharlton — Mon, 07 Oct 2019 17:34:49 GMT

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

Re: CLI Search Command: Why does search that includes a field name fail?

ololdach — Wed, 09 Oct 2019 09:53:37 GMT

Sorry, my mistake. Windows is special, I assumes Linux/Mac and only tested on those.

Re: CLI Search Command: Why does search that includes a field name fail?

williamcharlton — Fri, 25 Oct 2019 16:45:47 GMT

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy