Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why my CLI query returns empty field values

vkakani60
Path Finder
‎09-10-2016 11:16 AM

My query works from Splunk Web UI and returns field values of Source in a table form, but it doesn't work from the CLI.

Splunk web returns 

Source 
==========
stock
funds

Splunk CLI returns output EMPTY

Source
===========

Splunk CLI doesn't returns the field values with the table command. 

splunk search "index=apps sourcetype=weblogs | rex field=_raw \'Source:\s(?<Source>.*)\' | search Source | dedup Source | table Source"  user admin password changeme

I have tried with eval and fields command instead of table 

splunk search "index=apps sourcetype=weblogs | rex field=_raw \'Source:\s(?<Source>.*)\' | search Source | dedup Source | eval chicken=Source | fields chicken"  user admin password changeme

but still it output empty values

chicken
===========

But it works well in web search results

Is there any other way to display the field values from command interface ?

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2016 02:27 PM

Trying to back-pedal from the example you gave from the CLI, I still think your issue is related to shell quoting. Going back to the updates I gave to your other question, https://answers.splunk.com/answers/449193/how-to-run-rex-commands-from-cli-mode.html#answer-450021 ... using set -x in the shell prompt helps you see better how shell expansion and quoting rules are affecting what is passed on to Splunk.

Given what you show above, your most likely to be successful CLI command is probably:

splunk search 'index=apps sourcetype=weblogs | rex field=_raw "Source:\s(?<Source>.*)" | search Source | dedup Source | table Source'

We wrap the whole SPL command in single quotes ' because that is the environment where the shell does the LEAST amount of interpretation and replacement. From the bash man page:

Enclosing characters in single quotes preserves the literal value ofeach character within the quotes. A single quote may not occur between single quotes, even when preceded by a backslash.

Reply

vkakani60
Path Finder
‎09-11-2016 06:08 PM

It doesn't help me in any way. Moreover, if I keep " double quote at REX it throws me an error, and \" doesn't work for REX anyway. And I am using windows machine cmd prompt, shell and bash don't apt to this scenario ?

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-12-2016 11:31 AM

It helps you plenty. If you are running a Splunk CLI search via the Windows CMD prompt, then you need to understand the quoting rules IT uses. It's the same thing, only different. When you're using a command line shell to run a command - regardless of what the command line shell is - you are subject to how IT interprets and quotes input before it passes it along to the child process it is starting on your behalf.

If you are not using CMD, but using PowerShell instead - it may have different quoting rules that you have to account for.

A quick google search of "windows command prompt quoting rules" brings these resources:

http://ss64.com/nt/syntax-esc.html

https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-lin...

http://stackoverflow.com/questions/7760545/escape-double-quotes-in-parameter

http://stackoverflow.com/questions/24173825/what-does-single-quote-do-in-windows-batch-files

Reply

jkat54
SplunkTrust
SplunkTrust
‎09-11-2016 07:07 PM

Oh well now you tell us 🙂
Are you doing this in a script?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-10-2016 03:04 PM

The more I think about it the more I agree with you! Seems like last time I did this I made the same mistake and swapped quotes around to fix it.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-10-2016 01:09 PM

Maybe Your search should start with the search command?

splunk search "search ..."

Also you might want some time modifiers.

See this reference http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/CLIsearchsyntax

0 Karma
Reply

vkakani60
Path Finder
‎09-11-2016 06:23 PM

splunk search "search .,. " is not valid command.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-10-2016 11:39 AM

What search exactly are you running successfully in the search bar? Sounds like a quoting issue in the shell.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎09-10-2016 01:05 PM

I'm thinking it has to do with the time picker. In web ui you probably have all time selected but it doesn't appear you're specifying a time in cli and I don't know what it defaults to.

0 Karma
Reply

vkakani60
Path Finder
‎09-11-2016 06:24 PM

I have tried with -index_earliest parameter. its display empty field value.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...