Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

CLI search query not giving results. Working fine on searchhead GUI

Reethika
Path Finder
‎07-22-2020 11:41 PM

Hi,

/opt/splunk/bin/splunk search " index=****  sourcetype="*****:proxylogs" earliest=-15m@m latest=now | fields action,bytes,bytes_in,bytes_out,src,category,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,url,site,domain,dest_ip,user,user_bunit,user_work_city,user_work_country,user_work_lat,user_work_long,_time | table action,bytes,bytes_in,bytes_out,src,category,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,url,site,domain,dest_ip,user,user_bunit,user_work_city,user_work_country,user_work_lat,user_work_long,_time ')"

Result : INFO: No matching fields exist.
                INFO: Your timerange was substituted based on your search string

Above is the search for which no results are returned from CLI. 

From GUI(Searchhead) I get results. 

 

Could anyone please help. 

Thanks

Labels (1)
Labels
Tags (2)
0 Karma
Reply

niketn
Legend
‎07-23-2020 05:16 AM

Can you try the following:

 

./splunk search 'index=****  sourcetype="*****:proxylogs" earliest=-15m@m latest=now | fields index,sourcetype,action,bytes,bytes_in,bytes_out,src,category,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,url,site,domain,dest_ip,user,user_bunit,user_work_city,user_work_country,user_work_lat,user_work_long,_time | table index,sourcetype,action,bytes,bytes_in,bytes_out,src,category,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,url,site,domain,dest_ip,user,user_bunit,user_work_city,user_work_country,user_work_lat,user_work_long,_time'

 Also do you not get any result even if you increase the time window for the search?

I tried the following and it worked fine. (I had some data with csv sourcetype and did not have all the fields).

 ./splunk search 'index=****  sourcetype="*****_csv" earliest=-1mon latest=now | fields index,sourcetype,action,bytes,bytes_in,bytes_out,src,category,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,url,site,domain,dest_ip,user,user_bunit,user_work_city,user_work_country,user_work_lat,user_work_long,_time | table index,sourcetype,action,bytes,bytes_in,bytes_out,src,category,date_hour,date_mday,date_minute,date_month,date_second,date_wday,date_year,date_zone,url,site,domain,dest_ip,user,user_bunit,user_work_city,user_work_country,user_work_lat,user_work_long,_time'

 

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...