- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk CLI Incompatibility with "Table" Search Com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello and thanks in advance for reading this question.
I'm currently trying to generate a simple report of unique hostnames via command-line. So I have a Saved Search that essentially does this:
index=* | dedup host | table host
Let's say I set that for the last 24 hours. When I run it via Splunk Web, I get 600+ results. Now I want to be able to call this Saved Search via command-line and generate this report on the fly. So I use the Splunk CLI and I execute:
./splunk rtsearch '| savedsearch "MySavedSearch"
When I execute this, the results start trickling in... but after 19 results, it stops. The command doesn't return, it just... hangs. However, if I remove the "| table host" portion from my saved search, running the above command-line via Splunk CLI will start returning me a lot more than 19 results.
So my question is, is there a way to make this work properly? I want to output all of my results into a text file. Is there just a compatibility error with Splunk CLI and the "table" command?
Thanks!
- James
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could not replicate the issue with only a few numbers (i.e. 19 results) - when I run the command, I get the same results as in the Splunk Web GUI.
You could try adding the -maxout paramter with 0 as it's argument.
Taken from splunk help rtsearch:
maxout number the maximum number of events to return or send to stdout (when exporting events). The max allowable value is 10k. Defaults to 0, which means it will output an unlimited number of events.
You might also want to investigate the -timeout parameter:
timeout number the length of time in seconds that a search job is allowed to live after running. Defaults to 0, which means the job is cancelled immediately after it is run.
Finally, you might also want to read up on what the manual is saying about real-time searched from the CLI - see http://docs.splunk.com/Documentation/Splunk/4.2.5/User/Realtimesearch#Real-time_searches_and_reports...
Hope this will get you closer to what you are trying to achieve with using rtsearch from the command line.
\Ruben
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, it is better if you structure the search as
index=* | stats count by host | fields - count
or even better, if you really care about 'host' in particular, you can get the information via metadata
| metadata type=hosts | fields hosts
For your actual search, if you don't have -preview turned on, the CLI will not produce a result for this search because of the 'table' command, which generally requires all input before it can emit any non-preview output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interestingly, it seems to have to do with the "preview" parameter. It just continually kept spouting out the same preview so it never looked like anything was happening. "preview", which defaults to true, seems to just display a preview of the results to the height of your current terminal window.
However, the really interesting part is that when I pass in "-preview false", then I actually never get any results to show up anywhere. I've run the same saved search in Splunk Web and have even squished the time frame down to just 10 minutes. In Splunk Web, it finishes very quickly. When I run the command line, it never returns at all, and no results are ever displayed.
Maybe I have an improper understanding of the CLI. Anyhow have any idea what I might be doing wrong?
- James
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could not replicate the issue with only a few numbers (i.e. 19 results) - when I run the command, I get the same results as in the Splunk Web GUI.
You could try adding the -maxout paramter with 0 as it's argument.
Taken from splunk help rtsearch:
maxout number the maximum number of events to return or send to stdout (when exporting events). The max allowable value is 10k. Defaults to 0, which means it will output an unlimited number of events.
You might also want to investigate the -timeout parameter:
timeout number the length of time in seconds that a search job is allowed to live after running. Defaults to 0, which means the job is cancelled immediately after it is run.
Finally, you might also want to read up on what the manual is saying about real-time searched from the CLI - see http://docs.splunk.com/Documentation/Splunk/4.2.5/User/Realtimesearch#Real-time_searches_and_reports...
Hope this will get you closer to what you are trying to achieve with using rtsearch from the command line.
\Ruben
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, Ruben. The problem was definitely the use of Real Time searches as opposed to just a regular search. I'm now able to get everything to work the way I expected. Also, I found some errors in my saved search with the timeframe I was searching, which also contributed to some issues I was running into.
Thanks very much!
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
