Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk CLI Exception: Error result had no _raw key

hbazan
Path Finder
‎09-08-2010 06:47 PM

Hi there. I'm running some saved searches using splunk CLI, and some of them work fine, but one (obviously the one I need to run) give me this:

Error result had no _raw key

This is the command I use: splunk search "|savedsearch \"My Saved Search\""

The saved search is supposed to return a table, not the raw results. I haven't found any description for that exception message

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-09-2010 06:11 AM

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.

View solution in original post

Reply
Solved! Jump to solution

AppleMark
New Member
‎06-24-2016 11:32 AM

Thanks! This case helped me understand that
-output rawdata
is based on the contents of the _raw field and that any field filtering is ignored.

For example:
splunk search 'index=anIndex some=criteria | fields + foo, bar' -output rawdata
gives all fields and is not limited to foo and bar, which is my goal.

Removing the special fields starting with underscore:
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output rawdata
gives the error:
Error result had no _raw key

Ultimately I changed the query output to 'raw':
splunk search 'index=anIndex some=criteria | fields + foo, bar | fields - _*' -output raw
and now I get only the fields foo and bar in my results!

Unfortunately the output format of 'raw' is different from 'rawdata' and thus I need to adjust my down stream processing but that's the next step.

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎09-09-2010 06:11 AM

This means that the CLI thought that it should render raw results but was not given any. If you can share your search, I might be able to give some insight as to why (or file a bug). A quick workaround is to add "-output table" to your argument list.

Reply
Solved! Jump to solution

hbazan
Path Finder
‎09-09-2010 01:51 PM

Great. "-output table" did the trick. My search use transaction to group events, and then show a table with the results, but the _raw data can contain grouped events with thousands of lines, I think that was the problem.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎09-08-2010 11:25 PM

Have you tried running the same search from the GUI using the savedsearch command there? Does that produce any further detail on the error?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...