topic Re: Adding fields to the output of a CLI search in Splunk Search

Adding fields to the output of a CLI search

dmalcor — Tue, 04 Mar 2014 17:40:43 GMT

In the GUI I get results plus the fields: host, source, and sourcetype
Same search in the CLI I just get results, no fields (even when I ask for "fields":

# splunk search "reboot | fields + source, sourcetype, host"

I'm still very new to this, so I could be missing something really basic.

:-Dan

Re: Adding fields to the output of a CLI search

somesoni2 — Tue, 04 Mar 2014 19:06:54 GMT

The field picker and the fields index/source/sourcetype is a Splunk GUI feature (provides metadata about the search result) and is not available in Splunk CLI (understandably). If you wish to see these fields into your result, you would have to use search commands like table.

e.g.

# splunk search " your search | table source, sourcetype, host, your other fields from search result"

Re: Adding fields to the output of a CLI search

dmalcor — Tue, 04 Mar 2014 19:23:50 GMT

The "table" command gave me the other half. Now I can get the host, source, and sourcetype, but I'm missing the actual search results. I tried adding "_raw", but that just gets me the results (same as before):

# splunk search "reboot | table host, source, _raw"

Re: Adding fields to the output of a CLI search

dmalcor — Tue, 04 Mar 2014 19:24:17 GMT

# splunk search "reboot | table host, source, _raw"

Re: Adding fields to the output of a CLI search

somesoni2 — Tue, 04 Mar 2014 20:04:12 GMT

Try this.

splunk search "reboot| table host, source , *"

This will give all the columns you need. I don't think you would be able to see the event listing (way to see in GUI) + these three additional columns. If you are interested in specific column, specify them in the table command.

Re: Adding fields to the output of a CLI search

dmalcor — Tue, 04 Mar 2014 22:39:31 GMT

It seem like we can't get the message and the details on the same line. The "" is no different than no "".