Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk CLI Exception: Error result had no _raw key

hbazan
Path Finder
‎09-08-2010 06:47 PM

Hi there. I'm running some saved searches using splunk CLI, and some of them work fine, but one (obviously the one I need to run) give me this:

Error result had no _raw key

This is the command I use: splunk search "|savedsearch \"My Saved Search\""

The saved search is supposed to return a table, not the raw results. I haven't found any description for that exception message

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-09-2010 06:11 AM

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.

View solution in original post

Reply
Solved! Jump to solution

AppleMark
New Member
‎06-24-2016 11:32 AM

Thanks! This case helped me understand that
-output rawdata
is based on the contents of the _raw field and that any field filtering is ignored.

For example:
splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata
gives all fields and is not limited to foo and bar, which is my goal.

Removing the special fields starting with underscore:
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata
gives the error:
Error result had no _raw key

Ultimately I changed the query output to 'raw':
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw
and now I get only the fields foo and bar in my results!

Unfortunately the output format of 'raw' is different from 'rawdata' and thus I need to adjust my down stream processing but that's the next step.

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-09-2010 06:11 AM

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.

Reply
Solved! Jump to solution

hbazan
Path Finder
‎09-09-2010 01:51 PM

Great. "-output table" did the trick. My search use transaction to group events, and then show a table with the results, but the _raw data can contain grouped events with thousands of lines, I think that was the problem.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎09-08-2010 11:25 PM

Have you tried running the same search from the GUI using the savedsearch command there? Does that produce any further detail on the error?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...