topic Re: Why my CLI query returns empty field values in Splunk Search

Why my CLI query returns empty field values

vkakani60 — Sat, 10 Sep 2016 18:16:58 GMT

My query works from Splunk Web UI and returns field values of Source in a table form, but it doesn't work from the CLI.

Splunk web returns

Source 
==========
stock
funds

Splunk CLI returns output EMPTY

Source
===========

Splunk CLI doesn't returns the field values with the table command.

splunk search "index=apps sourcetype=weblogs | rex field=_raw \'Source:\s(?<Source>.*)\' | search Source | dedup Source | table Source"  user admin password changeme

I have tried with eval and fields command instead of table

splunk search "index=apps sourcetype=weblogs | rex field=_raw \'Source:\s(?<Source>.*)\' | search Source | dedup Source | eval chicken=Source | fields chicken"  user admin password changeme

but still it output empty values

chicken
===========

But it works well in web search results

Is there any other way to display the field values from command interface ?

Re: Why my CLI query returns empty field values

dwaddle — Sat, 10 Sep 2016 18:39:32 GMT

What search exactly are you running successfully in the search bar? Sounds like a quoting issue in the shell.

Re: Why my CLI query returns empty field values

jkat54 — Sat, 10 Sep 2016 20:05:48 GMT

I'm thinking it has to do with the time picker. In web ui you probably have all time selected but it doesn't appear you're specifying a time in cli and I don't know what it defaults to.

Re: Why my CLI query returns empty field values

jkat54 — Sat, 10 Sep 2016 20:09:46 GMT

Maybe Your search should start with the search command?

splunk search "search ..."

Also you might want some time modifiers.

See this reference http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CLIsearchsyntax

Re: Why my CLI query returns empty field values

dwaddle — Sat, 10 Sep 2016 21:27:21 GMT

Trying to back-pedal from the example you gave from the CLI, I still think your issue is related to shell quoting. Going back to the updates I gave to your other question, https://answers.splunk.com/answers/449193/how-to-run-rex-commands-from-cli-mode.html#answer-450021 ... using set -x in the shell prompt helps you see better how shell expansion and quoting rules are affecting what is passed on to Splunk.

Given what you show above, your most likely to be successful CLI command is probably:

splunk search 'index=apps sourcetype=weblogs | rex field=_raw "Source:\s(?<Source>.*)" | search Source | dedup Source | table Source'

We wrap the whole SPL command in single quotes ' because that is the environment where the shell does the LEAST amount of interpretation and replacement. From the bash man page:

Enclosing characters in single quotes preserves the literal value ofeach character within the quotes. A single quote may not occur between single quotes, even when preceded by a backslash.

Re: Why my CLI query returns empty field values

jkat54 — Sat, 10 Sep 2016 22:04:22 GMT

The more I think about it the more I agree with you! Seems like last time I did this I made the same mistake and swapped quotes around to fix it.

Re: Why my CLI query returns empty field values

vkakani60 — Mon, 12 Sep 2016 01:08:46 GMT

It doesn't help me in any way. Moreover, if I keep " double quote at REX it throws me an error, and \" doesn't work for REX anyway. And I am using windows machine cmd prompt, shell and bash don't apt to this scenario ?

Re: Why my CLI query returns empty field values

vkakani60 — Mon, 12 Sep 2016 01:23:38 GMT

splunk search "search .,. " is not valid command.

Re: Why my CLI query returns empty field values

vkakani60 — Mon, 12 Sep 2016 01:24:27 GMT

I have tried with -index_earliest parameter. its display empty field value.

Re: Why my CLI query returns empty field values

jkat54 — Mon, 12 Sep 2016 02:07:53 GMT

Oh well now you tell us 🙂
Are you doing this in a script?

Re: Why my CLI query returns empty field values

dwaddle — Mon, 12 Sep 2016 18:31:42 GMT

It helps you plenty. If you are running a Splunk CLI search via the Windows CMD prompt, then you need to understand the quoting rules IT uses. It's the same thing, only different. When you're using a command line shell to run a command - regardless of what the command line shell is - you are subject to how IT interprets and quotes input before it passes it along to the child process it is starting on your behalf.

If you are not using CMD, but using PowerShell instead - it may have different quoting rules that you have to account for.

A quick google search of "windows command prompt quoting rules" brings these resources:

http://ss64.com/nt/syntax-esc.html

https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

http://stackoverflow.com/questions/7760545/escape-double-quotes-in-parameter

http://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files