Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

CLI Search Command: Why does search that includes a field name fail?

williamcharlton
Path Finder
‎10-07-2019 08:09 AM

This cli search command works from a machine with a universal forwarder:

splunk search "index="foo" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

Output in cmd window:

INFO: Your timerange was substituted based on your search string

bar        first(SensorDateTime)
---------- ------------------------------------
C:\x\A.txt 10/2/2019 9:59:11 PM
C:\x\B.txt 10/2/2019 9:59:11 PM
C:\x\C.txt 10/2/2019 9:59:11 PM
C:\x\D.txt 10/2/2019 9:59:11 PM
C:\x\E.txt 10/2/2019 9:59:11 PM
C:\x\F.txt 10/2/2019 9:59:11 PM
C:\x\G.txt 10/2/2019 9:59:11 PM
C:\x\H.txt 10/2/2019 9:59:11 PM
C:\x\I.txt 10/2/2019 9:59:11 PM
C:\x\J.txt 10/2/2019 9:59:11 PM
C:\y\A.txt 9/30/2019 9:53:20 PM
C:\y\B.txt 9/30/2019 9:53:20 PM
C:\y\C.txt 9/30/2019 9:53:20 PM
C:\y\D.txt 9/30/2019 9:53:20 PM
C:\y\E.txt 9/30/2019 9:53:20 PM
C:\y\F.txt 9/30/2019 9:53:20 PM
C:\y\G.txt 9/30/2019 9:53:20 PM
C:\y\H.txt 9/30/2019 9:53:20 PM
C:\y\I.txt 9/30/2019 9:53:20 PM
C:\y\J.txt 9/30/2019 9:53:20 PM

But, when I do this:

splunk search "index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

or

splunk search "index="foo" bar="C:\\x\\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

I get nothing back. I expect to get back one event:

 bar        first(SensorDateTime)
 ---------- -------------------------------------
 C:\x\A.txt 10/2/2019 9:59:11 PM

Why can't I include bar="C:\x\A.txt" in my search and get results?

p.s. This search works fine when I execute it from the indexer or search head web page:

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

williamcharlton
Path Finder
‎10-25-2019 09:45 AM

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

williamcharlton
Path Finder
‎10-25-2019 09:45 AM

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

0 Karma
Reply
Solved! Jump to solution

williamcharlton
Path Finder
‎10-07-2019 10:34 AM

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

0 Karma
Reply
Solved! Jump to solution

ololdach
Builder
‎10-07-2019 09:25 AM

Try single quotes around your search: splunk search 'index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar' -preview false -uri https://indexer:8089

0 Karma
Reply
Solved! Jump to solution

williamcharlton
Path Finder
‎10-07-2019 10:25 AM

tried it - batch file crashed:

'stats' is not recognized as an internal or external command, operable program or batch file.

I'm pretty sure apostrophes (single quotes) are ignored by cmd.exe

Can't find a Microsoft source, but:

What does single quote do in windows batch files?

https://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files

Single quotes are not used at all by
the cmd.exe command processor except
to enclose the command to run within a
FOR /F statement:

0 Karma
Reply
Solved! Jump to solution

ololdach
Builder
‎10-09-2019 02:53 AM

Sorry, my mistake. Windows is special, I assumes Linux/Mac and only tested on those.

0 Karma
Reply
Solved! Jump to solution

williamcharlton
Path Finder
‎10-07-2019 10:34 AM

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...