
Problem with "search" from Windows batch file

Explorer

Hi all,

I've got a problem with the execution of this command from a Windows ".bat" script:

  • splunk.exe search "| savedsearch test01" -app windows -format csv -auth admin:password > C:\temp\splunklocalhost.csv

The command works perfectly from a command prompt (I'm on a Windows Server 2008 Standard).

Tried also:

  • splunk.exe search """| savedsearch test01""" -app windows -format csv -auth admin:password > C:\temp\splunklocalhost.csv

and:

  • splunk.exe search \"| savedsearch test01\" -app windows -format csv -auth admin:password > C:\temp\splunklocalhost.csv

with no luck.

My suspicion is that there is something wrong with the double quotes and that the parameters are not passed correctly (by the Windows command interpreter) to "splunk.exe".

Any ideas?

Thank you very much, Luca

0 Karma

Splunk Employee

Good. BTW, I am pulling this out as a "correct" answer, so when you get a chance please "accept" it so people will know it's solved.

0 Karma

Splunk Employee

The following pulled from comments:

You might also try renaming your script to .cmd instead of .bat, as there is some possibility that it makes a difference in which command processor (cmd.exe vs command.com) gets invoked - gkanapathy May 18 at 11:33

SOLVED 🙂 The solution is to use ".cmd" and NOT ".bat" (at least in Win2008). With a ".cmd" script, there is NO NEED to double the double quotes and everything goes smoothly. Thank you very much for the hint, gkanapathy 😉 Luca - logicasrl May 19 at 12:34

Splunk Employee

I do have to say, I would have thought that the difference would be gone by Windows 2008. Apparently backwards compatibility is that important to Microsoft.

0 Karma

Explorer

SOLVED 🙂
The solution is to use ".cmd" and NOT ".bat" (at least in Win2008).
With a ".cmd" script, there is NO NEED to double the double quotes and everything goes smoothly.
Thank you very much for the hint, gkanapathy 😉
Luca

0 Karma

Splunk Employee

I suspect it's because Windows considers the | vertical bar to be some kind of delimiter as well even inside the string. Quoting rules are different inside a batch file in some cases (e.g., %i vs %%i in a for statement). You might just try putting a space before the initial |. Or you could switch to PowerShell or cscript.

0 Karma

Explorer

The preceding code still does not work.

The strange thing is that the following works correctly (from within a .bat file):

* splunk.exe search ""host="vmw03n" source="WinEventLog:Security" sourcetype="WinEventLog:Security" earliest_time="-24h""" -format csv -auth admin:password > C:\temp\splunklocalhost.csv

I will proceed with new tests tomorrow.

Luca

0 Karma

Explorer

Thank you for the hint.
See other trials below...

0 Karma

Splunk Employee

Do you literally have that exact string in your .bat file, or are you using parameter or environment variables anywhere? The correct syntax is to use doubled double-quotes (i.e., your second example). It would also be helpful if you gave the exact error message in each case. You might also try renaming your script to .cmd instead of .bat, as there is some possibility that it makes a difference in which command processor (cmd.exe vs command.com) gets invoked, though probably not in W2k8.

0 Karma