topic How to "pipe" output to another search command from the Splunk CLI in Windows? in Splunk Search

How to "pipe" output to another search command from the Splunk CLI in Windows?

williamche — Thu, 07 Oct 2010 22:43:56 GMT

I'm trying to execute some queries from the Command Line on a Windows Splunk server. As long as I don't use the "pipe" symbol to perform additional filters, the results come back fine. If I tried to "pipe" the results to the "head" command, for example, in the following query:

E:\Apps\Splunk\bin>splunk search 'sourcetype=syslog | head 5 | table host index _time'

Windows would return the following error:

'head' is not recognized as an internal or external command, operable program or batch file.

This error occurs for all command I want to pipe the results to, not just the "head" command. The same command line query works perfectly in the Linux version of Splunk.

The CLI examples given in the documenataion and from the "splunk help search" command does not reference piping results to additional commands. Does anyone know the proper way to format a CLI query with pipes in the Windows version of Splunk?

Thanks.

Re: How to "pipe" output to another search command from the Splunk CLI in Windows?

williamche — Thu, 07 Oct 2010 22:45:50 GMT

I feel like cheating by answering my own question, but the proper way to format a CLI query in Windows Splunk is to wrap the query in double-quotes.

So instead of:

E:\Apps\Splunk\bin>splunk search 'sourcetype=syslog | head 5 | table host index _time'

It should be:

E:\Apps\Splunk\bin>splunk search "sourcetype=syslog | head 5 | table host index _time"

In Linux its still single quotes.

Re: How to "pipe" output to another search command from the Splunk CLI in Windows?

Lowell — Fri, 08 Oct 2010 00:51:55 GMT

Just wanted to point out that the question is less to do with Linux vs Windows, and more to do with BASH (or whatever shell you're using) vs the windows shell (cmd.exe). For example, on Linux you could to use a different shell and it could behave differently; but I would expect that most shell should work fine with single quotes or double quotes. On Windows you have less choices out of the box, but you can install and use bash (with cygwin, or something similar) if you wanted to.

Re: How to "pipe" output to another search command from the Splunk CLI in Windows?

Lowell — Fri, 08 Oct 2010 00:53:49 GMT

BTW, It's perfectly acceptable to answer your own question, but you may have to wait a few days before you can "accept" your own answer. Which you should do.

Re: How to "pipe" output to another search command from the Splunk CLI in Windows?

jevenson — Tue, 08 Jan 2013 16:49:01 GMT

I know this is old, but I thought I'd add that in Powershell, you still use the single quote, not double.