Splunk Search

Query doesn't work under CURL call (but is fine under user interface)

New Member

Hi; I have a query that ends as follows

| stats count(eval(HttpStatus LIKE "2__")) AS success 
count(eval(HttpStatus LIKE "5__")) AS fail 
count as total by host

And under the Splunk UI environment I get my results as desired.
But the issue I see is when I use the exact same query under the Splunk CLI/CURL call to the service, I get the following response:

{'messages': [{'type': 'FATAL', 'text': "Error in 'stats' command: The eval expression for dynamic field 'eval(HttpStatus LIKE 2__)' is invalid. Error='The operator at '__' is invalid.'"}]}

I've tried different variations of encapsulating the "httpstatus" field but none of them were successful (tried escaping characters also)

Please advise in solving this issue
Much appreciated

  • Randy
0 Karma

New Member

Fixed by changing the encapsulate part of my function to not be lazy
search="' + search_query + '"
search=\'' + search_query + '\'

0 Karma


Hi h0riz0nhk,

this works just fine for me:

curl -k -u user:password https://hostname:8089/services/search/jobs/export --data-urlencode 'search=search index="_internal" | stats count(eval(sourcetype LIKE "splunk%")) AS st_splunk count AS total by host ' -d output_mode=csv

and the result is this:


the important thing here is to use --data-urlencode otherwise it will fail because of the ".

Hope this helps ...

cheers, MuS

New Member

Sadly the --data-urlencode didn't work for me, but finally found a solution

Essentially I had a query builder and had to encapsulate the search=\'' + search query +'\' correctly
(was being lazy with search="' + search query +'")

0 Karma
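
Why the two wrappers in the fix behave differently, as an added example that is not code from any poster in this thread: it assumes the query builder's string is parsed by a POSIX shell (modeled here with Python's shlex), and the base search `index=web`, the `where` variant and all helper names are constructed for illustration.

```python
import shlex

# Constructed sample: the stats clause from the question behind a made-up base search.
SEARCH_QUERY = (
    'search index=web | stats count(eval(HttpStatus LIKE "2__")) AS success '
    'count(eval(HttpStatus LIKE "5__")) AS fail count AS total by host'
)
# Constructed variant that also contains single quotes (SPL field-name quoting).
QUERY_WITH_SINGLE_QUOTES = SEARCH_QUERY + " | where 'total' > 0"


def lazy_arg(query):
    """The wrapper that failed: search="<query>"."""
    return 'search="' + query + '"'


def single_quoted_arg(query):
    """The wrapper from the fix: search='<query>'. Breaks if query contains '."""
    return "search='" + query + "'"


def safe_arg(query):
    """Hypothetical helper: let shlex.quote escape whatever the query contains."""
    return shlex.quote("search=" + query)


def as_seen_by_curl(shell_fragment):
    """Words a POSIX shell would pass to curl after its own quote removal."""
    return shlex.split(shell_fragment)


def curl_argv(query, url="https://hostname:8089/services/search/jobs/export"):
    """No shell at all: pass this list to subprocess.run(); nothing is re-parsed."""
    return ["curl", "-u", "user:password", url,
            "--data-urlencode", "search=" + query, "-d", "output_mode=csv"]


if __name__ == "__main__":
    for build in (lazy_arg, single_quoted_arg, safe_arg):
        print(build.__name__, "->", as_seen_by_curl(build(SEARCH_QUERY))[0])
```

With the double-quote wrapper the shell strips the inner quotes, so Splunk receives `HttpStatus LIKE 2__`, which is the expression named in the error message.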


It might help to post the real query, because so far there are only snippets of it. Also it would be good to tell what did not work with the --data-urlencode.

0 Karma