Splunk Search

CLI Search Command: Why does search that includes a field name fail?

williamcharlton
Path Finder

This cli search command works from a machine with a universal forwarder:

splunk search "index="foo" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

Output in cmd window:

INFO: Your timerange was substituted based on your search string

bar        first(SensorDateTime)
---------- ------------------------------------
C:\x\A.txt 10/2/2019 9:59:11 PM
C:\x\B.txt 10/2/2019 9:59:11 PM
C:\x\C.txt 10/2/2019 9:59:11 PM
C:\x\D.txt 10/2/2019 9:59:11 PM
C:\x\E.txt 10/2/2019 9:59:11 PM
C:\x\F.txt 10/2/2019 9:59:11 PM
C:\x\G.txt 10/2/2019 9:59:11 PM
C:\x\H.txt 10/2/2019 9:59:11 PM
C:\x\I.txt 10/2/2019 9:59:11 PM
C:\x\J.txt 10/2/2019 9:59:11 PM
C:\y\A.txt 9/30/2019 9:53:20 PM
C:\y\B.txt 9/30/2019 9:53:20 PM
C:\y\C.txt 9/30/2019 9:53:20 PM
C:\y\D.txt 9/30/2019 9:53:20 PM
C:\y\E.txt 9/30/2019 9:53:20 PM
C:\y\F.txt 9/30/2019 9:53:20 PM
C:\y\G.txt 9/30/2019 9:53:20 PM
C:\y\H.txt 9/30/2019 9:53:20 PM
C:\y\I.txt 9/30/2019 9:53:20 PM
C:\y\J.txt 9/30/2019 9:53:20 PM

But, when I do this:

splunk search "index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

or

splunk search "index="foo" bar="C:\\x\\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

I get nothing back. I expect to get back one event:

 bar        first(SensorDateTime)
 ---------- -------------------------------------
 C:\x\A.txt 10/2/2019 9:59:11 PM

Why can't I include bar="C:\x\A.txt" in my search and get results?

p.s. This search works fine when I execute it from the indexer or search head web page:

0 Karma
1 Solution

williamcharlton
Path Finder

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

View solution in original post

0 Karma

williamcharlton
Path Finder

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

0 Karma

williamcharlton
Path Finder

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

0 Karma

ololdach
Builder

Try single quotes around your search: splunk search 'index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar' -preview false -uri https://indexer:8089

0 Karma

williamcharlton
Path Finder

tried it - batch file crashed:

'stats' is not recognized as an internal or external command, operable program or batch file.

I'm pretty sure apostrophes (single quotes) are ignored by cmd.exe

Can't find a Microsoft source, but:

What does single quote do in windows batch files?

https://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files

Single quotes are not used at all by
the cmd.exe command processor except
to enclose the command to run within a
FOR /F statement:

0 Karma

ololdach
Builder

Sorry, my mistake. Windows is special, I assumes Linux/Mac and only tested on those.

0 Karma

williamcharlton
Path Finder

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...