Problem with "search" from Windows batch file

logicasrl
Explorer

Hi all,

I've got a problem with the execution of this command from a Windows ".bat" script:

  • splunk.exe search "| savedsearch test01" -app windows -format csv -auth admin:password > C:\temp\splunklocalhost.csv

The command works perfectly from a command prompt (I'm on a Windows Server 2008 Standard).

I also tried:

  • splunk.exe search """| savedsearch test01""" -app windows -format csv -auth admin:password > C:\temp\splunklocalhost.csv

and:

  • splunk.exe search \"| savedsearch test01\" -app windows -format csv -auth admin:password > C:\temp\splunklocalhost.csv

with no luck.

I suspect that there is something wrong with the double quotes and that the parameters are not passed correctly (by the Windows command interpreter) to "splunk.exe".

Any ideas?

Thank you very much, Luca

0 Karma

gkanapathy
Splunk Employee

Good, btw I am pulling this out as a "correct" answer, so when you get a chance please "accept" it so people will know it's solved.

0 Karma

gkanapathy
Splunk Employee

The following pulled from comments:

You might also try renaming your script to .cmd instead of .bat, as there is some possibility that it makes a difference in which command processor (cmd.exe vs command.com) gets invoked - gkanapathy May 18 at 11:33

SOLVED 🙂 The solution is to use ".cmd" and NOT ".bat" (at least in Win2008). With a ".cmd" script, there is NO NEED to double the double quotes and everything goes smoothly. Thank you very much for the hint, gkanapathy 😉 Luca - logicasrl May 19 at 12:34

gkanapathy
Splunk Employee

I do have to say, I would have thought that the difference would be gone by Windows 2008. Apparently backwards compatibility is that important to Microsoft.

0 Karma

logicasrl
Explorer

SOLVED 🙂
The solution is to use ".cmd" and NOT ".bat" (at least in Win2008).
With a ".cmd" script, there is NO NEED to double the double quotes and everything goes smoothly.
Thank you very much for the hint, gkanapathy 😉
Luca

0 Karma

gkanapathy
Splunk Employee

I suspect it's because Windows considers the | vertical bar to be some kind of delimiter as well even inside the string. Quoting rules are different inside a batch file in some cases (e.g., %i vs %%i in a for statement). You might just try putting a space before the initial |. Or you could switch to PowerShell or cscript.

0 Karma

logicasrl
Explorer

The preceding code still does not work.

The strange thing is that the following works correctly (from within a .bat file):

* splunk.exe search ""host="vmw03n" source="WinEventLog:Security" sourcetype="WinEventLog:Security" earliest_time="-24h""" -format csv -auth admin:password > C:\temp\splunklocalhost.csv

I will proceed with new tests tomorrow.

Luca

0 Karma

logicasrl
Explorer

Thank you for the hint.
See other trials below...

0 Karma

gkanapathy
Splunk Employee

Do you literally have that exact string in your .bat file, or are you using parameter or environment variables anywhere? The correct syntax is to use doubled double-quotes (i.e., your second example). It would also be helpful if you gave the exact error message in each case. You might also try renaming your script to .cmd instead of .bat, as there is some possibility that it makes a difference in which command processor (cmd.exe vs command.com) gets invoked, though probably not in W2k8.

0 Karma