
Splunk - Rest API - Curl - Failing with Unbalanced Quotes

Maries
Loves-to-Learn

Hi,

 

I'm trying to write data to an outputlookup file by making a REST API call (by running a search query).

The below command works and writes data to outputlookup csv file when running the search directly from Splunk.

| stats count as field1 | eval field1="host_abc;host_def" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?<host>.*)" | table host | outputlookup test_maintenance.csv

But this is not working when executing the above search using REST API.

Getting the below error "Unbalanced quotes" when running the below command

curl -k -u admin:admin https://splunksearchnode:8089/servicesNS/admin/search/jobs/export -d search="| stats count as field1 | eval field1=\"host_abc;host_def\" | eval field1=split(field1,\";\") | mvexpand field1 | rex field=field1 \"(?<host>.*)\" | table host | outputlookup test_maintenance.csv"

Getting the below error when running the below command

Error : Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '\'host_abc'.</msg></messages></response>

curl -k -u admin:admin https://splunksearchnode:8089/servicesNS/admin/search/jobs/export -d search='| stats count as field1 | eval field1=\"host_abc;host_def\" | eval field1=split(field1,\";\") | mvexpand field1 | rex field=field1 \"(?<host>.*)\" | table host | outputlookup test_maintenance.csv'

Appreciate your help.

 

Thank you

 

 

0 Karma

kartm2020
Communicator

Hi Maries,

Please try with the below search

<your curl command> -d search= "search index=<indexname> | stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 \"(?<host>.*),(?<mode>.*)\" | table host mode | outputlookup atlassian_maintenance.csv"
0 Karma

Maries
Loves-to-Learn

This is working when we query directly from Splunk Search.

| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?<host>.*),(?<mode>.*)" | table host mode | outputlookup atlassian_maintenance.csv

 

But when we try hitting it using curl, it's failing.

curl -k -u admin:Vzadmin@12 https://dallpsplsh01sp.tpd-soe.net:8089/servicesNS/admin/SRE/search/jobs/export -d search="| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?<host>.*),(?<mode>.*)" | table host mode | outputlookup atlassian_maintenance.csv"

 

-bash: syntax error near unexpected token `?'

 

 

 

 

0 Karma

isoutamo
SplunkTrust

Hi

Please don't add your admin user + its pass to any posts. Or actually write those on cmd, as those are stored in history files and/or are seen on the process list! A much better way is to read those into a variable and then use that in queries. You could do it like

 

read USERPASS
admin:<your pass here>
^D
curl -ku $USERPASS .....

 

Also don't add your real node name to examples!

As you are on Linux/*nix, you could replace those outer " with ' and then it should work. Then you don't need \" inside your SPL.

curl -ku $USERPASS https://<your splunk SH>:<mgmt port>/servicesNS/admin/SRE/search/jobs/export -d search='| stats count as field1 | eval field1="dallvcflwb110u,yes;dallvcflwb120u,yes" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?<host>.*),(?<mode>.*)" | table host mode | outputlookup atlassian_maintenance.csv'

In Windows this didn't work ;-(

r. Ismo 

0 Karma
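
The two points from the reply above (keep the SPL free of shell quoting, keep the credentials off the command line) combined in one script. This is an added example, not code from any post in this thread. It assumes a POSIX shell and a curl build that supports `-K -` and `--data-urlencode`; the endpoint URL is supplied by the caller and the SPL is the test search from the first post.

```shell
#!/bin/sh
# Added example. Nothing here contacts a server unless run_export is invoked.
# Certificate checking is left on; use --cacert for a private CA.

# Emit the SPL exactly as typed in Splunk Web. Inside a quoted here-document
# (<<'SPL') the shell does no expansion or quote removal, so " ; ? < > ( )
# reach curl untouched and no \" escaping is needed.
read_spl() {
  cat <<'SPL'
| stats count as field1 | eval field1="host_abc;host_def" | eval field1=split(field1,";") | mvexpand field1 | rex field=field1 "(?<host>.*)" | table host | outputlookup test_maintenance.csv
SPL
}

# Build a curl config line holding the credentials. curl reads it from stdin
# with "-K -", so user:password is never in curl's argument list or in the
# shell history. Backslash and double quote are escaped for curl's config syntax.
curl_config() {  # $1 = user:password
  printf 'user = "%s"\n' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Prompt without echo, then POST the search. --data-urlencode percent-encodes
# the SPL so characters such as & + % cannot corrupt the form body.
run_export() {  # $1 = full .../search/jobs/export URL
  printf 'user:password: ' >&2
  stty -echo; IFS= read -r userpass; stty echo; echo >&2
  curl_config "$userpass" |
    curl -sS -K - --data-urlencode "search=$(read_spl)" "$1"
  unset userpass
}

# Usage: sh export.sh 'https://<your splunk SH>:<mgmt port>/servicesNS/admin/SRE/search/jobs/export'
if [ -n "${1:-}" ]; then run_export "$1"; fi
```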

Karthi
New Member

Hi,

Can you please remove the "\" and give it a try?

 

0 Karma