Solved: CLI Search Command: Why does search that includes ...

williamcharlton · ‎10-07-2019

This cli search command works from a machine with a universal forwarder:

splunk search "index="foo" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

Output in cmd window:

INFO: Your timerange was substituted based on your search string

bar        first(SensorDateTime)
---------- ------------------------------------
C:\x\A.txt 10/2/2019 9:59:11 PM
C:\x\B.txt 10/2/2019 9:59:11 PM
C:\x\C.txt 10/2/2019 9:59:11 PM
C:\x\D.txt 10/2/2019 9:59:11 PM
C:\x\E.txt 10/2/2019 9:59:11 PM
C:\x\F.txt 10/2/2019 9:59:11 PM
C:\x\G.txt 10/2/2019 9:59:11 PM
C:\x\H.txt 10/2/2019 9:59:11 PM
C:\x\I.txt 10/2/2019 9:59:11 PM
C:\x\J.txt 10/2/2019 9:59:11 PM
C:\y\A.txt 9/30/2019 9:53:20 PM
C:\y\B.txt 9/30/2019 9:53:20 PM
C:\y\C.txt 9/30/2019 9:53:20 PM
C:\y\D.txt 9/30/2019 9:53:20 PM
C:\y\E.txt 9/30/2019 9:53:20 PM
C:\y\F.txt 9/30/2019 9:53:20 PM
C:\y\G.txt 9/30/2019 9:53:20 PM
C:\y\H.txt 9/30/2019 9:53:20 PM
C:\y\I.txt 9/30/2019 9:53:20 PM
C:\y\J.txt 9/30/2019 9:53:20 PM

But, when I do this:

splunk search "index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

or

splunk search "index="foo" bar="C:\\x\\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar" -preview false -uri https://indexer:8089

I get nothing back. I expect to get back one event:

 bar        first(SensorDateTime)
 ---------- -------------------------------------
 C:\x\A.txt 10/2/2019 9:59:11 PM

Why can't I include bar="C:\x\A.txt" in my search and get results?

p.s. This search works fine when I execute it from the indexer or search head web page:

williamcharlton · ‎10-25-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

View solution in original post

williamcharlton · ‎10-25-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

williamcharlton · ‎10-07-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

ololdach · ‎10-07-2019

Try single quotes around your search: splunk search 'index="foo" bar="C:\x\A.txt" earliest=-7d | sort -SensorDateTime | stats first(SensorDateTime) by bar' -preview false -uri https://indexer:8089

williamcharlton · ‎10-07-2019

tried it - batch file crashed:

'stats' is not recognized as an internal or external command, operable program or batch file.

I'm pretty sure apostrophes (single quotes) are ignored by cmd.exe

Can't find a Microsoft source, but:

What does single quote do in windows batch files?

https://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files

Single quotes are not used at all by
the cmd.exe command processor except
to enclose the command to run within a
FOR /F statement:

ololdach · ‎10-09-2019

Sorry, my mistake. Windows is special, I assumes Linux/Mac and only tested on those.

williamcharlton · ‎10-07-2019

FYI - ignore this question - I decide to use the REST api instead since the cli seems so ........ buggy

CLI Search Command: Why does search that includes a field name fail?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...