Splunk CLI Exception: Error result had no _raw key

Path Finder

Hi there. I'm running some saved searches using the Splunk CLI, and some of them work fine, but one (obviously the one I need to run) gives me this:

Error result had no _raw key

This is the command I use: splunk search "|savedsearch \"My Saved Search\""

The saved search is supposed to return a table, not the raw results. I haven't found any description for that exception message.


Re: Splunk CLI Exception: Error result had no _raw key

Motivator

Have you tried running the same search from the GUI using the savedsearch command there? Does that produce any further detail on the error?


Re: Splunk CLI Exception: Error result had no _raw key

Splunk Employee

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.


Re: Splunk CLI Exception: Error result had no _raw key

Path Finder

Great. "-output table" did the trick. My search uses transaction to group events and then shows a table with the results, but the _raw data can contain grouped events with thousands of lines; I think that was the problem.


Re: Splunk CLI Exception: Error result had no _raw key

New Member

Thanks! This case helped me understand that
-output rawdata
is based on the contents of the _raw field and that any field filtering is ignored.

For example:
splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata
gives all fields and is not limited to foo and bar, which is my goal.

Removing the special fields starting with underscore:
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata
gives the error:
Error result had no _raw key

Ultimately I changed the query output to 'raw':
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw
and now I get only the fields foo and bar in my results!

Unfortunately, the output format of 'raw' is different from 'rawdata', and thus I need to adjust my downstream processing, but that's the next step.
