Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Need help with Query using AND/OR and NOT IN Opera...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All, I am trying to run a search query via API's and getting errors. I am trying to utilize AND/OR and NOT IN operators. The query is getting results from Splunk UI but it is not working via API Calls.
QUERY:
index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“”
API CALL:
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“” earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml
I have tried multiple combinations with quotes and no quotes but was not able to figure out. Your help and guidance would be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mask double quotes with backslash in data.
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml
And also check test1.xml. Error messages will be written there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
never mix AND (implied) and OR without using parentheses ().
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mask double quotes with backslash in data.
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml
And also check test1.xml. Error messages will be written there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, I am still getting no results with the API Call. The bottom part of the message has the output. I played with the syntax and found out the following syntax is the culprit.
items.data.fed_id != \"\" OR items.institution_id != \"\"
Do I have to list items in a different format?
OUTPUT:
Configuration initialization for D:\Splunk\etc took 32ms when dispatching a search (search ID: 1585678811.20528)
base lispy: [ AND counter index::node jw logger report static ui ]
search context: user="jw_search", app="search", bs-pathname="D:\Splunk\etc"
Your timerange was substituted based on your search string
Eventtype 'wineventlog_application' does not exist or is disabled.
Eventtype 'wineventlog_security' does not exist or is disabled.
Eventtype 'wineventlog_system' does not exist or is disabled.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
