I'm trying to execute some queries from the Command Line on a Windows Splunk server. As long as I don't use the "pipe" symbol to perform additional filters, the results come back fine. If I tried to "pipe" the results to the "head" command, for example, in the following query:
E:\Apps\Splunk\bin>splunk search 'sourcetype=syslog | head 5 | table host index _time'
Windows would return the following error:
'head' is not recognized as an internal or external command, operable program or batch file.
This error occurs for all commands I want to pipe the results to, not just the "head" command. The same command line query works perfectly in the Linux version of Splunk.
The CLI examples given in the documentation and from the "splunk help search" command do not reference piping results to additional commands. Does anyone know the proper way to format a CLI query with pipes in the Windows version of Splunk?
Thanks.
I feel like cheating by answering my own question, but the proper way to format a CLI query in Windows Splunk is to wrap the query in double-quotes.
So instead of:
E:\Apps\Splunk\bin>splunk search 'sourcetype=syslog | head 5 | table host index _time'
It should be:
E:\Apps\Splunk\bin>splunk search "sourcetype=syslog | head 5 | table host index _time"
In Linux it's still single quotes.
I know this is old, but I thought I'd add that in PowerShell, you still use the single quote, not double.
BTW, it's perfectly acceptable to answer your own question, but you may have to wait a few days before you can "accept" your own answer. Which you should do.
Just wanted to point out that the question is less to do with Linux vs Windows, and more to do with BASH (or whatever shell you're using) vs the Windows shell (cmd.exe). For example, on Linux you could use a different shell and it could behave differently; but I would expect that most shells should work fine with single quotes or double quotes. On Windows you have fewer choices out of the box, but you can install and use bash (with cygwin, or something similar) if you wanted to.
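An added illustration, not part of the original thread and not Splunk's code: a simplified Python model of how cmd.exe and a POSIX shell split a line into pipeline stages, run on the two command lines from the question. The name `split_pipeline` and its reduced quoting rules are assumptions made for this example, not either shell's full parser.

```python
# Simplified model (an assumption, not a full parser) of how cmd.exe and a
# POSIX shell decide whether a "|" starts a new pipeline stage.

def split_pipeline(line, shell):
    """cmd: only double quotes protect "|"; "^" escapes one character.
    posix: single and double quotes protect "|"; backslash escapes one."""
    if shell not in ("cmd", "posix"):
        raise ValueError("shell must be 'cmd' or 'posix'")
    quote_chars = '"' if shell == "cmd" else "\"'"
    escape = "^" if shell == "cmd" else "\\"
    stages, current, in_quote, i = [], [], None, 0
    while i < len(line):
        ch = line[i]
        if in_quote:
            # Inside quotes "|" is literal; POSIX double quotes still honour "\".
            if shell == "posix" and in_quote == '"' and ch == "\\" and i + 1 < len(line):
                current.append(line[i:i + 2])
                i += 2
                continue
            if ch == in_quote:
                in_quote = None
            current.append(ch)
        elif ch in quote_chars:
            in_quote = ch
            current.append(ch)
        elif ch == escape and i + 1 < len(line):
            current.append(line[i:i + 2])  # an escaped char never separates stages
            i += 2
            continue
        elif ch == "|":
            stages.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    stages.append("".join(current).strip())
    return stages


# The two command lines from the thread.
SINGLE = "splunk search 'sourcetype=syslog | head 5 | table host index _time'"
DOUBLE = 'splunk search "sourcetype=syslog | head 5 | table host index _time"'

if __name__ == "__main__":
    for shell in ("cmd", "posix"):
        for line in (SINGLE, DOUBLE):
            print(shell, split_pipeline(line, shell))
```

Under the cmd rules the single-quoted line splits into three stages, the second of which starts with `head`, which is the program cmd.exe reports as not recognized.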