- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to pass eval statements with quotes through th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following search works just fine in the search bar in Splunk:
index=stuff earliest=-1d | eval newtime = strptime(datefield, "%b %d %Y %H:%M:%S") | eval checktime = relative_time(now(), "-2d") | where newtime > checktime
I'm trying to use the Python SDK to run a command line search so I can do some automation and external processing of these events, and so I have the following:
python search.py "search index=stuff earliest=-1d | eval newtime = strptime(datefield, "%b %d %Y %H:%M:%S") | eval checktime = relative_time(now(), "-2d") | where newtime > checktime"
But this command fails and gives me this error:
' "search index=stuff earliest=-1d | eval newtime = strptime(datefield, "%b' is not recognized as an internal or external command, operable program or batch file.
It seems this is because the script sees the " in the eval statement as the end of the parameter for the search.py script. I tried using \ to escape the ", but that yielded this error:
The filename, directory name or volume label syntax is incorrect.
I tried both using a $ and doubling the ", but neither of those worked either.
Is there a way I can pass through " on the command line to the search.py script or should I find a way to write a full python script?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I ended up doing two things. First, I wrote a full python script where that search worked. Second, I fixed the time parsing in the props.conf file which solved the time problem in the first place.
Thanks for all the suggestions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I ended up doing two things. First, I wrote a full python script where that search worked. Second, I fixed the time parsing in the props.conf file which solved the time problem in the first place.
Thanks for all the suggestions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try single-quotes in your eval statements instead of double-quotes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I've been trying this with mixed results.
python search.py "search index=stuff earliest=-1d | eval newtime = strptime(datefield, '%b %d %Y %H:%M:%S') | eval checktime = relative_time(now(), '-2d')
gives me a bunch of results. But if I try adding on the last eval statement:
python search.py "search index=stuff earliest=-1d | eval newtime = strptime(datefield, '%b %d %Y %H:%M:%S') | eval checktime = relative_time(now(), '-2d') | where newtime > checktime"
I get an empty file.
The corresponding searches work just fine via the search bar in Splunk.
Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using this
python search.py "search index=stuff earliest=-1d | eval newtime = strptime(datefield, '%b %d %Y %H:%M:%S') | eval checktime = now()- 2*86400 | where newtime > checktime"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
