Solved: CLI Search Command: Why does search that includes ...

williamcharlton · ‎10-07-2019

This cli search command works from a machine with a universal forwarder:

splunk search "index="foo" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

Output in cmd window:

INFO: Your timerange was substituted based on your search string

bar        first(SensorDateTime)
---------- ------------------------------------
C:\x\A.txt 10/2/2019 9:59:11 PM
C:\x\B.txt 10/2/2019 9:59:11 PM
C:\x\C.txt 10/2/2019 9:59:11 PM
C:\x\D.txt 10/2/2019 9:59:11 PM
C:\x\E.txt 10/2/2019 9:59:11 PM
C:\x\F.txt 10/2/2019 9:59:11 PM
C:\x\G.txt 10/2/2019 9:59:11 PM
C:\x\H.txt 10/2/2019 9:59:11 PM
C:\x\I.txt 10/2/2019 9:59:11 PM
C:\x\J.txt 10/2/2019 9:59:11 PM
C:\y\A.txt 9/30/2019 9:53:20 PM
C:\y\B.txt 9/30/2019 9:53:20 PM
C:\y\C.txt 9/30/2019 9:53:20 PM
C:\y\D.txt 9/30/2019 9:53:20 PM
C:\y\E.txt 9/30/2019 9:53:20 PM
C:\y\F.txt 9/30/2019 9:53:20 PM
C:\y\G.txt 9/30/2019 9:53:20 PM
C:\y\H.txt 9/30/2019 9:53:20 PM
C:\y\I.txt 9/30/2019 9:53:20 PM
C:\y\J.txt 9/30/2019 9:53:20 PM

But, when I do this:

splunk search "index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

or

splunk search "index="foo" bar="C:\\x\\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

I get nothing back. I expect to get back one event:

 bar        first(SensorDateTime)
 ---------- -------------------------------------
 C:\x\A.txt 10/2/2019 9:59:11 PM

Why can't I include bar="C:\x\A.txt" in my search and get results?

p.s. This search works fine when I execute it from the indexer or search head web page:

williamcharlton · ‎10-25-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

View solution in original post

williamcharlton · ‎10-25-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

williamcharlton · ‎10-07-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

ololdach · ‎10-07-2019

Try single quotes around your search: splunk search 'index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar' -preview false -uri https://indexer:8089

williamcharlton · ‎10-07-2019

tried it - batch file crashed:

'stats' is not recognized as an internal or external command, operable program or batch file.

I'm pretty sure apostrophes (single quotes) are ignored by cmd.exe

Can't find a Microsoft source, but:

What does single quote do in windows batch files?

https://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files

Single quotes are not used at all by
the cmd.exe command processor except
to enclose the command to run within a
FOR /F statement:

ololdach · ‎10-09-2019

Sorry, my mistake. Windows is special, I assumes Linux/Mac and only tested on those.

williamcharlton · ‎10-07-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

CLI Search Command: Why does search that includes a field name fail?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

CLI Search Command: Why does search that includes a field name fail?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25