Splunk Search

When running a CLI search with a specific timerange, is there a way to prevent INFO line from appearing?

burras
Communicator

Attempting to build some monitoring whereby we run a Splunk search from the command line interface (CLI) over a given timerange that returns a certain count, and then use that count to trigger off alarms. I'm able to successfully get it all set up and the search is running successfully - but every time it runs, in addition to the count, it also returns "INFO: Your timerange was substituted based on your search string." Here's an example of the search we're running:

./search 'index=sandbox EventType=Content_Failed earliest=-15m@m |stats count'

This returns the INFO line above and then the count of "0" when things are good. The problem is that the INFO line is being interpreted by our third party system as part of the output of the search and ends up triggering off false alarms.

Is there any way to prevent that INFO line from appearing when running a CLI search with a specified timerange?

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Instead of putting "earliest=15m" in your search, use the CLI search options found here:

http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CLIsearchsyntax

Example:

  ./splunk search 'index=_internal' -earliest_time -15m@m

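An added example (not from the thread) of how the monitoring wrapper can be made robust on both ends: the time range is passed with -earliest_time/-latest_time as in the accepted answer, and the count is extracted from the CLI output by a parser that ignores any INFO/WARN line and fails closed when no number is present, so the third-party system never reads a message as a count. SPLUNK_HOME and the example SPL are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes SPLUNK_HOME points at a
# Splunk install and the SPL ends in "| stats count" (one numeric result).
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Run the CLI search with the range in the CLI options, not in the SPL,
# so Splunk has no reason to substitute the range and print the INFO line.
# $1 = SPL without earliest=/latest=, $2 = earliest, $3 = latest
run_count_search() {
  "$SPLUNK_HOME/bin/splunk" search "$1" -earliest_time "$2" -latest_time "$3"
}

# Defensive parser: read raw CLI output on stdin, print only the count.
# Lines that are not a bare integer (INFO:, WARN:, blanks, a "count" header)
# are dropped; with no integer at all, print nothing and return 1 so the
# caller fails closed instead of alarming on a message.
extract_count() {
  count=$(grep -E '^[[:space:]]*[0-9]+[[:space:]]*$' | head -n 1 | tr -d '[:space:]')
  [ -n "$count" ] || return 1
  printf '%s\n' "$count"
}

# $1 = raw CLI output, $2 = highest acceptable count.
# Returns 0 = OK, 2 = alarm, 1 = output could not be parsed (treat as error).
check_threshold() {
  count=$(printf '%s\n' "$1" | extract_count) || return 1
  [ "$count" -le "$2" ] && return 0
  return 2
}

# Glue: run the search (capturing stderr too, in case INFO goes there) and
# evaluate it. Example call (constructed):
#   monitor 'index=sandbox EventType=Content_Failed | stats count' -15m@m now 0
monitor() {
  raw=$(run_count_search "$1" "$2" "$3" 2>&1) || true
  check_threshold "$raw" "$4"
}
```

The alarm system should key off the exit code (0/1/2) rather than scraping stdout.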
somesoni2
SplunkTrust
SplunkTrust

Completely forgot about this option. Good one!!!

0 Karma

burras
Communicator

Awesome - that fixed it. Thanks!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

There doesn't seem to be an option to suppress the search warning/info messages in the CLI. One workaround could be to 1) create a saved search/report with the same search string (without the in-line time range) and specify the time range in the saved search's Start Time and End Time, 2) change its permission to app level, 3) replace the alert search with this:

./search ' | savedsearch yourSavedSearchName' -app TheAppContextForSavedSearch

burras
Communicator

This also would have worked but unfortunately wasn't an option in our environment...

0 Karma