- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running into an issue with the syntax for a CLI search using erex.
The problem seems to be with the double quotes. I've tried single quoting the erex examples and counter examples, but none of it seems effective.
This search works in the GUI:
index=name searchterm NOT otherterm |erex message examples="/foo/bar,/foobar" counterexamples="barfoo, foobar" |table item1,item2,item3,item4,item5 |uniq |sort item3
In the CLI, I've tried it a couple of different ways, and the closest I've gotten to a working search is:
index=name searchterm NOT otherterm |erex message examples='/foo/bar,/foobar' counterexamples='barfoo, foobar' |table item1,item2,item3,item4,item5 |uniq |sort item3
the CLI search results in "INFO: No matching fields exist"
Do any of you know what I'm doing wrong here?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the CLI command you're using?
Should be like this:
./splunk search 'index=name searchterm NOT otherterm |erex message examples="/foo/bar,/foobar" counterexamples="barfoo, foobar" |table item1,item2,item3,item4,item5 |uniq |sort item3'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the CLI command you're using?
Should be like this:
./splunk search 'index=name searchterm NOT otherterm |erex message examples="/foo/bar,/foobar" counterexamples="barfoo, foobar" |table item1,item2,item3,item4,item5 |uniq |sort item3'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks jkat54! That worked perfectly. Sorry for the delayed reply, work got in the way of work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem at all, thanks for coming back! @jphilput1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have never used the CLI, but I'm guessing from your description that it involves putting your SPL search string inside quotes and that the " inside your search are interfering with that? If that's the case, have you tried escaping all " with a backslash?