I am using a locally installed Splunk instance to perform a remote search using the CLI.
splunk search 'index=sandbox sourcetype=access http_status_code<400 earliest="10/01/2017:00:00:00" latest="10/02/2017:00:00:00"' -output csv -maxout 0 -max_time 0 -auth user:password -app remote_app -uri https://hostname:port > output.csv
"access" is a sourcetype that is defined on the remote Splunk Enterprise server. When I get the results, how can I parse the _raw field into the individual fields that have field extractions defined on the remote Splunk server?
Try something like:
splunk search 'index=sandbox sourcetype=access http_status_code<400 earliest="10/01/2017:00:00:00" latest="10/02/2017:00:00:00" | table _time, *, _raw' -output csv -maxout 0 -max_time 0 -auth user:password -app remote_app -uri https://hostname:port > output.csv
That way the remote Splunk sends you the timestamp, all the field data, plus the full _raw. Best of both worlds, and bonus: you don't need to use your local system resources to extract field data.
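Added example (not from the thread or from Splunk's own code) showing how to drive the search above from Python so the double quotes inside the SPL never hit a shell parser, and how to check the returned CSV actually carries the server-side extracted fields next to _raw. It assumes the environment variable names SPLUNK_USER and SPLUNK_PASSWORD (chosen here), keeps the thread's hostname:port and remote_app placeholders, and the CSV sample is constructed; run_search is the only function that talks to a real server and is not called offline.

```python
"""Build and sanity-check the remote `splunk search ... | table _time, *, _raw`
call. Added example; assumptions: SPLUNK_USER / SPLUNK_PASSWORD env vars,
placeholder uri/app from the thread, constructed CSV sample."""
import csv
import io
import os
import shlex
import subprocess
from typing import Dict, List, Sequence


def build_spl(index: str, sourcetype: str, earliest: str, latest: str,
              max_status: int = 400) -> str:
    """SPL from the answer: filter, then `table _time, *, _raw` so the remote
    search head applies its own field extractions and ships every field."""
    return (
        f"index={index} sourcetype={sourcetype} http_status_code<{max_status} "
        f'earliest="{earliest}" latest="{latest}" | table _time, *, _raw'
    )


def build_search_argv(spl: str, uri: str, app: str, user: str,
                      password: str) -> List[str]:
    """argv for `splunk search`. A list (no shell) means the quotes inside
    the SPL are passed through untouched; -app picks the knowledge-object
    context whose field extractions apply."""
    return [
        "splunk", "search", spl,
        "-output", "csv", "-maxout", "0", "-max_time", "0",
        "-auth", f"{user}:{password}",
        "-app", app, "-uri", uri,
    ]


def render_command(argv: Sequence[str], redact: bool = True) -> str:
    """Shell-quoted one-liner for logs, with the password masked.
    Note: when actually run, -auth is still visible in `ps` on the local host."""
    shown = list(argv)
    if redact and "-auth" in shown:
        i = shown.index("-auth") + 1
        user, _, _ = shown[i].partition(":")
        shown[i] = f"{user}:********"
    return shlex.join(shown)


def run_search(argv: Sequence[str]) -> str:
    """Execute the CLI and return its stdout (CSV text). Needs a live server."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


def parse_results(csv_text: str) -> List[Dict[str, str]]:
    """Rows keyed by the CSV header, i.e. the field names the server sent."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def missing_fields(rows: List[Dict[str, str]],
                   required: Sequence[str]) -> List[str]:
    """Required fields absent from the header. If an extraction exists on the
    server but is missing here, the search ran in an app context that cannot
    see it, or the extraction is not bound to that sourcetype."""
    if not rows:
        return list(required)
    present = set(rows[0].keys())
    return [f for f in required if f not in present]


# Constructed sample of `-output csv` for the search above (not real data).
# CSV doubles embedded quotes, so the "GET ..." inside _raw appears as "".
SAMPLE_CSV = (
    '"_time","clientip","http_status_code","uri","_raw"\n'
    '"2017-10-01T00:00:12.000+00:00","10.0.0.5","200","/index.html",'
    '"10.0.0.5 - - [01/Oct/2017:00:00:12 +0000] ""GET /index.html HTTP/1.1"" 200 512"\n'
    '"2017-10-01T00:01:03.000+00:00","10.0.0.9","302","/login",'
    '"10.0.0.9 - - [01/Oct/2017:00:01:03 +0000] ""POST /login HTTP/1.1"" 302 0"\n'
)


if __name__ == "__main__":
    spl = build_spl("sandbox", "access",
                    "10/01/2017:00:00:00", "10/02/2017:00:00:00")
    argv = build_search_argv(spl, "https://hostname:port", "remote_app",
                             os.environ.get("SPLUNK_USER", "user"),
                             os.environ.get("SPLUNK_PASSWORD", ""))
    print(render_command(argv))        # password masked
    rows = parse_results(SAMPLE_CSV)   # replace with run_search(argv) online
    print(missing_fields(rows, ["clientip", "http_status_code", "uri", "_raw"]))
```

Two practical caveats: the redaction in render_command only protects your own logs; `-auth user:password` on the command line is still readable by other local users via `ps` and lands in shell history, so on a shared workstation prefer an interactive `splunk login` beforehand and drop -auth. And if a field you expect is reported by missing_fields, check that `-app` names the app whose props/transforms define the extraction, because the remote search head only applies the knowledge objects visible in that context.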
Thank you! That worked beautifully; exactly what I was looking for!