Hi there. I'm running some saved searches using the Splunk CLI, and some of them work fine, but one (obviously the one I need to run) gives me this:
Error result had no _raw key
This is the command I use: splunk search "|savedsearch \"My Saved Search\""
The saved search is supposed to return a table, not the raw results. I haven't found any description for that exception message.
This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.
Thanks! This case helped me understand that
-output rawdata
is based on the contents of the _raw field and that any field filtering is ignored.
For example:
splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata
gives all fields and is not limited to foo and bar, which is my goal.
Removing the special fields starting with underscore:
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata
gives the error:
Error result had no _raw key
Ultimately I changed the query output to 'raw':
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw
and now I get only the fields foo and bar in my results!
Unfortunately, the output format of 'raw' is different from 'rawdata', and thus I need to adjust my downstream processing, but that's the next step.
Great. "-output table" did the trick. My search uses transaction to group events and then shows a table with the results, but the _raw data can contain grouped events with thousands of lines; I think that was the problem.
Have you tried running the same search from the GUI using the savedsearch command there? Does that produce any further detail on the error?