Splunk Search

Splunk CLI Incompatibility with "Table" Search Command?

jchensor
Communicator

Hello and thanks in advance for reading this question.

I'm currently trying to generate a simple report of unique hostnames via command-line. So I have a Saved Search that essentially does this:

index=* | dedup host | table host

Let's say I set that for the last 24 hours. When I run it via Splunk Web, I get 600+ results. Now I want to be able to call this Saved Search via command-line and generate this report on the fly. So I use the Splunk CLI and I execute:

./splunk rtsearch '| savedsearch "MySavedSearch"

When I execute this, the results start trickling in... but after 19 results, it stops. The command doesn't return, it just... hangs. However, if I remove the "| table host" portion from my saved search, running the above command-line via Splunk CLI will start returning me a lot more than 19 results.

So my question is, is there a way to make this work properly? I want to output all of my results into a text file. Is there just a compatibility error with Splunk CLI and the "table" command?

Thanks!

  • James
Tags (3)
0 Karma
1 Solution

RubenOlsen
Path Finder

I could not replicate the issue with only a few numbers (i.e. 19 results) - when I run the command, I get the same results as in the Splunk Web GUI.

You could try adding the -maxout paramter with 0 as it's argument.

Taken from splunk help rtsearch:

maxout       number      the maximum number of events to return or send to
                         stdout (when exporting events). The max allowable
                         value is 10k. Defaults to 0, which means it will
                         output an unlimited number of events.

You might also want to investigate the -timeout parameter:

timeout      number      the length of time in seconds that a search job
                         is allowed to live after running. Defaults to 0,
                         which means the job is cancelled immediately after
                         it is run.

Finally, you might also want to read up on what the manual is saying about real-time searched from the CLI - see http://docs.splunk.com/Documentation/Splunk/4.2.5/User/Realtimesearch#Real-time_searches_and_reports...

Hope this will get you closer to what you are trying to achieve with using rtsearch from the command line.

\Ruben

View solution in original post

steveyz
Splunk Employee
Splunk Employee

First, it is better if you structure the search as

index=* | stats count by host | fields - count

or even better, if you really care about 'host' in particular, you can get the information via metadata

| metadata type=hosts | fields hosts

For your actual search, if you don't have -preview turned on, the CLI will not produce a result for this search because of the 'table' command, which generally requires all input before it can emit any non-preview output.

0 Karma

jchensor
Communicator

Interestingly, it seems to have to do with the "preview" parameter. It just continually kept spouting out the same preview so it never looked like anything was happening. "preview", which defaults to true, seems to just display a preview of the results to the height of your current terminal window.

However, the really interesting part is that when I pass in "-preview false", then I actually never get any results to show up anywhere. I've run the same saved search in Splunk Web and have even squished the time frame down to just 10 minutes. In Splunk Web, it finishes very quickly. When I run the command line, it never returns at all, and no results are ever displayed.

Maybe I have an improper understanding of the CLI. Anyhow have any idea what I might be doing wrong?

  • James
0 Karma

RubenOlsen
Path Finder

I could not replicate the issue with only a few numbers (i.e. 19 results) - when I run the command, I get the same results as in the Splunk Web GUI.

You could try adding the -maxout paramter with 0 as it's argument.

Taken from splunk help rtsearch:

maxout       number      the maximum number of events to return or send to
                         stdout (when exporting events). The max allowable
                         value is 10k. Defaults to 0, which means it will
                         output an unlimited number of events.

You might also want to investigate the -timeout parameter:

timeout      number      the length of time in seconds that a search job
                         is allowed to live after running. Defaults to 0,
                         which means the job is cancelled immediately after
                         it is run.

Finally, you might also want to read up on what the manual is saying about real-time searched from the CLI - see http://docs.splunk.com/Documentation/Splunk/4.2.5/User/Realtimesearch#Real-time_searches_and_reports...

Hope this will get you closer to what you are trying to achieve with using rtsearch from the command line.

\Ruben

jchensor
Communicator

Thanks, Ruben. The problem was definitely the use of Real Time searches as opposed to just a regular search. I'm now able to get everything to work the way I expected. Also, I found some errors in my saved search with the timeframe I was searching, which also contributed to some issues I was running into.

Thanks very much!

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...