Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk CLI Exception: Error result had no _raw key

hbazan
Path Finder
‎09-08-2010 06:47 PM

Hi there. I'm running some saved searches using splunk CLI, and some of them work fine, but one (obviously the one I need to run) give me this:

Error result had no _raw key

This is the command I use: splunk search "|savedsearch \"My Saved Search\""

The saved search is supposed to return a table, not the raw results. I haven't found any description for that exception message

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-09-2010 06:11 AM

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.

View solution in original post

Reply
Solved! Jump to solution

AppleMark
New Member
‎06-24-2016 11:32 AM

Thanks! This case helped me understand that
-output rawdata
is based on the contents of the _raw field and that any field filtering is ignored.

For example:
splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata
gives all fields and is not limited to foo and bar, which is my goal.

Removing the special fields starting with underscore:
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata
gives the error:
Error result had no _raw key

Ultimately I changed the query output to 'raw':
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw
and now I get only the fields foo and bar in my results!

Unfortunately the output format of 'raw' is different from 'rawdata' and thus I need to adjust my down stream processing but that's the next step.

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-09-2010 06:11 AM

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.

Reply
Solved! Jump to solution

hbazan
Path Finder
‎09-09-2010 01:51 PM

Great. "-output table" did the trick. My search use transaction to group events, and then show a table with the results, but the _raw data can contain grouped events with thousands of lines, I think that was the problem.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎09-08-2010 11:25 PM

Have you tried running the same search from the GUI using the savedsearch command there? Does that produce any further detail on the error?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...