Splunk Search

Query doesn't work under CURL call (but is fine under user interface)

h0riz0nhk
New Member

Hi; I have a query that ends as follows

| stats count(eval(HttpStatus LIKE "2__")) AS success 
count(eval(HttpStatus LIKE "5__")) AS fail 
count as total by host

And under the Splunk UI environment I get my results as desired.
But the issue I see is when I use the exact same query under the Splunk CLI/CURL call to the service, I get the following response

{'messages': [{'type': 'FATAL', 'text': "Error in 'stats' command: The eval expression for dynamic field 'eval(HttpStatus LIKE 2__)' is invalid. Error='The operator at '__' is invalid.'"}]}

I've tried different variations of encapsulating the "httpstatus" field but none of them were successful (tried escaping characters also)

Please advise in solving this issue
Much appreciated

  • Randy
0 Karma

h0riz0nhk
New Member

Fixed by changing the encapsulate part of my function to not be lazy
search="' + search_query + '"
to
search=\'' + search_query + '\'

0 Karma

MuS
Legend

Hi h0riz0nhk,

this works just fine for me:

curl -k -u user:password https://hostname:8089/services/search/jobs/export --data-urlencode 'search=search index="_internal" | stats count(eval(sourcetype LIKE "splunk%")) AS st_splunk count AS total by host ' -d output_mode=csv

and the result is this:

host,"st_splunk",total
hostname,308212,310456

the important thing here is to use --data-urlencode otherwise it will fail because of the ".

Hope this helps ...

cheers, MuS

h0riz0nhk
New Member

Sadly the --data-urlencode didn't work for me, but finally found a solution

Essentially I had a query builder and had to encapsulate the search=\'' + search query +'\' correctly
(was being lazy with search="' + search query +'")

0 Karma

MuS
Legend

It might help to post the real query, because so far there are only snippets of it. Also it would be good to tell what did not work with the --data-urlencode.

0 Karma
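
The quoting difference discussed in this thread, as an added example that is not code from any of the posters. It assumes the query builder's string is handed to a POSIX shell, uses shlex.split to model only the shell's word splitting and quote removal, and uses a constructed query (index=web and the TRICKY query are made up; only the stats clause comes from the thread).

```python
import shlex
from urllib.parse import urlencode, parse_qs

CURL = "curl -k -u user:password https://hostname:8089/services/search/jobs/export"

# Constructed query; only the stats clause comes from the thread.
QUERY = ('search index=web | stats count(eval(HttpStatus LIKE "2__")) AS success '
         'count(eval(HttpStatus LIKE "5__")) AS fail count AS total by host')
# Constructed query holding both quote characters.
TRICKY = """search index=web user="o'brien" | stats count by host"""


def lazy_cmd(query):
    # The original builder: SPL wrapped in double quotes.
    return CURL + ' --data-urlencode search="' + query + '" -d output_mode=csv'


def single_quoted_cmd(query):
    # The fix from the thread: SPL wrapped in single quotes.
    return CURL + " --data-urlencode search='" + query + "' -d output_mode=csv"


def quoted_cmd(query):
    # shlex.quote escapes embedded single quotes as well.
    return CURL + " --data-urlencode " + shlex.quote("search=" + query) + " -d output_mode=csv"


def search_arg(command):
    """Return the search=... word curl would receive after POSIX shell parsing."""
    return next(w for w in shlex.split(command) if w.startswith("search="))


def form_body(query):
    # No shell involved: the encoded body an HTTP client would POST.
    return urlencode({"search": query, "output_mode": "csv"})


if __name__ == "__main__":
    print("lazy   :", search_arg(lazy_cmd(QUERY)))
    print("single :", search_arg(single_quoted_cmd(QUERY)))
    print("quoted :", search_arg(quoted_cmd(TRICKY)))
    print("body   :", form_body(QUERY))
```

With the double-quote wrapper the inner quotes close and reopen the shell string, so curl receives LIKE 2__ unquoted, which matches the error text in the first post. Single quotes work only while the query contains no single quote; shlex.quote, or sending the form body from an HTTP client without a shell, handles both.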