Splunk Search

need to search keyword in specified sourcetype via CLI

New Member

I'm not sure what I am doing wrong... I read the documentation and googled and cannot seem to figure it out.

I'm using Splunk 4.1. If I want to search for a specific keyword in a specified sourcetype using the web interface, I type the following into the search bar:

keyword_abc sourcetype=sourcetype_123

This gives correct results - I see log entries from sourcetype_123 that mention keyword_abc.

Transforming this to a CLI via SSH, I have:

ssh username@sp.lu.nk.ser /opt/splunk/bin/splunk dispatch 'keyword_abc sourcetype=sourcetype_123' -output csv -auth user:pass

This gives me ALL matches of keyword_abc on all sourcetypes. If I switch the dispatch text around to

dispatch 'sourcetype=sourcetype_123 keyword_abc'

I get ALL (top 100) lines from sourcetype_123, which may or may not include keyword_abc.

I tried changing dispatch to search. I tried adding AND and + between source and keyword. I don't know what else to do to get a specific keyword in a specified sourcetype. Please help!

Splunk Employee

You're struggling with ssh, not splunk.

Ssh manually, then test your command. It should work fine.

ssh passes its command off to the shell, which reparses it into tokens, which means that your single quotes, which got eaten at the ssh invocation time, are long gone. I'm not an expert on ssh escaping stuff; you might try \'keyword_abc ...\' but I'm not really sure. Maybe best practice for ssh is to quote the whole command if possible.

ssh username@sp.lu.nk.ser "/opt/splunk/bin/splunk dispatch 'keyword_abc sourcetype=sourcetype_123' -output csv -auth user:pass"

Obviously that breaks down if the command itself has quotation marks.

Anyway, this is just a Unix shell and ssh behavior thing. Check with resources in those arenas for best practices if you have more complex cases to consider.

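Why the first form loses the quotes, as an added example that is not from the thread: remote_shell() stands in for the remote login shell that ssh hands its joined command string to, and printf plays the part of the splunk binary so the example runs offline (both are assumptions, not the asker's real host or command). The functions return how many separate words the search reaches the command as.

```sh
#!/bin/sh
# Added example. ssh joins every word after the hostname with single spaces
# and passes that ONE string to the remote login shell, which tokenizes it
# again. Quoting that the local shell already consumed cannot survive that.

# Stand-in for the remote login shell (assumed POSIX sh): "$*" joins the
# arguments with spaces exactly the way ssh builds its remote command line.
remote_shell() {
    sh -c "$*"
}

# Run a command "remotely" and count the argument words it received.
# The remote command is printf with the format '%s,', so each argument the
# command receives contributes exactly one comma to the output.
count_remote_args() {
    out=$(remote_shell "$@")
    printf '%s' "$out" | tr -cd ',' | wc -c | tr -d ' '
}

# 1. The asker's form. The LOCAL shell strips the single quotes before ssh
#    starts, so the remote side gets "keyword_abc" and
#    "sourcetype=sourcetype_123" as two separate arguments.
broken_search() {
    count_remote_args printf '%s,' 'keyword_abc sourcetype=sourcetype_123'
}

# 2. The accepted answer: double-quote the whole remote command. The local
#    shell removes only the double quotes, the single quotes reach the remote
#    shell intact, and the search arrives as a single argument.
fixed_search() {
    count_remote_args "printf '%s,' 'keyword_abc sourcetype=sourcetype_123'"
}

# Note for the real command: '-auth user:pass' on the command line is visible
# to every local user via ps on the Splunk host; prefer an interactive prompt
# or a session token over embedding the password in the argument list.
echo "broken form: search split into $(broken_search) words"
echo "quoted form: search delivered as $(fixed_search) word"
```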


Splunk Employee

Depending upon your goals and level of desired integration with Splunk, you might want to consider talking to Splunk directly over HTTP via REST at some point. A lot more work, a lot more power.

New Member

Omg, THANK YOU! Putting quotation marks around the whole ssh command gave me the desired results. This will be transformed into a Perl script, so I'm not worried about accidental additional quotation marks. This is exactly what I needed for a solution!