Solved: Splunk CLI remote search parse _raw into fields

harishbajaj · ‎10-02-2017

I am using a locally installed Splunk instance to perform a remote search using the CLI.

splunk search "index=sandbox sourcetype=access http_status_code<400 earliest="10/01/2017:00:00:00" latest="10/02/2017:00:00:00"" -output csv -maxout 0 -max_time 0 -auth user:password -app remote_app -uri https://hostname:port > output.csv

"access" is a sourcetype that is defined on the remote Splunk enterprise server. When I get the results, how can I parse the _raw field into the individual fields that have field extractions defined on the remote Splunk server.

darrenfuller · ‎10-02-2017

Try something like:

splunk search "index=sandbox sourcetype=access http_status_code<400 earliest="10/01/2017:00:00:00" latest="10/02/2017:00:00:00" | table _time, *, _raw" -output csv -maxout 0 -max_time 0 -auth user:password -app remote_app -uri https://hostname:port > output.csv

That way the remote Splunk sends you the timestamp, all the field date, plus the full _raw. Best of all words, and bonus: you don't need to use your local system resources to extract field data

View solution in original post

darrenfuller · ‎10-02-2017

Try something like:

splunk search "index=sandbox sourcetype=access http_status_code<400 earliest="10/01/2017:00:00:00" latest="10/02/2017:00:00:00" | table _time, *, _raw" -output csv -maxout 0 -max_time 0 -auth user:password -app remote_app -uri https://hostname:port > output.csv

That way the remote Splunk sends you the timestamp, all the field date, plus the full _raw. Best of all words, and bonus: you don't need to use your local system resources to extract field data

harishbajaj · ‎10-02-2017

Thank you! That worked beautifully; exactly what I was looking for!

Splunk CLI remote search parse _raw into fields

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!