Splunk Enterprise

Need help with Query using AND/OR and NOT IN Operators

New Member

Hello All, I am trying to run a search query via API's and getting errors. I am trying to utilize AND/OR and NOT IN operators. The query is getting results from Splunk UI but it is not working via API Calls.

QUERY:
index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“”

API CALL:
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“” earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

I have tried multiple combinations with quotes and no quotes but was not able to figure out. Your help and guidance would be greatly appreciated.

Labels (1)
Tags (1)
0 Karma
1 Solution

Influencer

Mask double quotes with backslash in data.

curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

And also check test1.xml. Error messages will be written there.

View solution in original post

0 Karma

Esteemed Legend

never mix AND (implied) and OR without using parentheses ().

0 Karma

Influencer

Mask double quotes with backslash in data.

curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

And also check test1.xml. Error messages will be written there.

View solution in original post

0 Karma

New Member

Thank you, I am still getting no results with the API Call. The bottom part of the message has the output. I played with the syntax and found out the following syntax is the culprit.

items.data.fed_id != \"\" OR items.institution_id != \"\"

Do I have to list items in a different format?

OUTPUT:
Configuration initialization for D:\Splunk\etc took 32ms when dispatching a search (search ID: 1585678811.20528)
base lispy: [ AND counter index::node jw logger report static ui ]
search context: user="jw_search", app="search", bs-pathname="D:\Splunk\etc"
Your timerange was substituted based on your search string
Eventtype 'wineventlog_application' does not exist or is disabled.
Eventtype 'wineventlog_security' does not exist or is disabled.
Eventtype 'wineventlog_system' does not exist or is disabled.

0 Karma