topic Re: "ERROR" Search Factory: Unknown search command '1'. in Splunk Search

"ERROR" Search Factory: Unknown search command '1'.

jenniferhao — Mon, 11 Dec 2017 21:20:27 GMT

when I ran a script to access Splunk API , and got this error:
Search Factory: Unknown search command '1'.

could you please help on this?

Re: "ERROR" Search Factory: Unknown search command '1'.

micahkemp — Mon, 11 Dec 2017 23:39:36 GMT

Remember that the UI will append the inferred search command, but the API will not. This means that a search string passed to the API needs to either start with the search command or | to use a generating command.

See the Python Example for sample code that handles this.

If you believe this isn't the issue please paste the search query you are passing to the API for further comment.

Re: "ERROR" Search Factory: Unknown search command '1'.

jenniferhao — Tue, 12 Dec 2017 17:31:22 GMT

my query likes "search='search index=xxxxx.....'". Do you have any document that mentioned SPLUNK API NOT supporting special characters?

Re: "ERROR" Search Factory: Unknown search command '1'.

jenniferhao — Tue, 12 Dec 2017 17:34:01 GMT

it sounds the API is not supporting "fillnull value=NULL". I debug line be line and stuck on this line. Any solution?

Re: "ERROR" Search Factory: Unknown search command '1'.

damien_chillet — Tue, 12 Dec 2017 17:40:42 GMT

Hi jennifer, it would be helpful if you could share the sample of the code you use to post the search.

If you are building the POST data yourself, there should not be quotes inside your search parameter, for example:

search=search+index%3D_internal

(The equal is url encoded)

Re: "ERROR" Search Factory: Unknown search command '1'.

jenniferhao — Tue, 12 Dec 2017 17:52:42 GMT

After I removed the fillnull then the query works with API. Do you know the API support fillnull or not?

Re: "ERROR" Search Factory: Unknown search command '1'.

damien_chillet — Wed, 13 Dec 2017 09:55:52 GMT

There is no reason for the API not to support the fillnull command.
I managed to get it working using the following as an example:

search=search+index%3D_internal+component%3D%2A+%7C+stats+sum%28cpu_seconds%29+by+component+%7C+fillnull+value%3DNULL

Please share you full query for further debugging, you can mask anything sensitive if needed.

Re: "ERROR" Search Factory: Unknown search command '1'.

jenniferhao — Wed, 13 Dec 2017 19:30:49 GMT

here is my query:
myquery='search index=anyindex sourcetype=anysourcetype earliest=-7d |fields * | fillnull'

mystr="curl -k -u username:password https://splkurl//services/search/jobs/export --data-urlencode search=${myquery} -d output_mode=csv -o res.csv"

If successfully got the data, then I can cat res.csv; otherwise the file will be not generated. ,my scripts likes:

Please use the following script.

!/bin/bash

myquery='search index=anyindex sourcetype=anysourcetype earliest=-7d |fields * | fillnull'

mystr="curl -k -u username:password https://splkurl//services/search/jobs/export --data-urlencode search=${myquery} -d output_mode=csv -o res.csv"

Re: "ERROR" Search Factory: Unknown search command '1'.

damien_chillet — Fri, 15 Dec 2017 23:32:55 GMT

Managed to get results using the following script:

#!/bin/bash
myquery='search index=_internal component=* earliest=-7d | stats sum(cpu_seconds) by component | fields * | fillnull'

curl -k -u user:pass  https://localhost:8089/services/search/jobs/export --data-urlencode "search=${myquery}" -d output_mode=csv -o res.csv