Splunk Search

How to "pipe" output to another search command from the Splunk CLI in Windows?

williamche
Path Finder

I'm trying to execute some queries from the Command Line on a Windows Splunk server. As long as I don't use the "pipe" symbol to perform additional filters, the results come back fine. If I tried to "pipe" the results to the "head" command, for example, in the following query:

E:\Apps\Splunk\bin>splunk search 'sourcetype=syslog | head 5 | table host index _time'

Windows would return the following error:

'head' is not recognized as an internal or external command, operable program or batch file.

This error occurs for all commands I want to pipe the results to, not just the "head" command. The same command line query works perfectly in the Linux version of Splunk.

The CLI examples given in the documentation and from the "splunk help search" command do not reference piping results to additional commands. Does anyone know the proper way to format a CLI query with pipes in the Windows version of Splunk?

Thanks.

1 Solution

williamche
Path Finder

I feel like cheating by answering my own question, but the proper way to format a CLI query in Windows Splunk is to wrap the query in double-quotes.

So instead of:

E:\Apps\Splunk\bin>splunk search 'sourcetype=syslog | head 5 | table host index _time'

It should be:

E:\Apps\Splunk\bin>splunk search "sourcetype=syslog | head 5 | table host index _time"

In Linux it's still single quotes.

jevenson
Path Finder

I know this is old, but I thought I'd add that in PowerShell, you still use the single quote, not double.


Lowell
Super Champion

BTW, it's perfectly acceptable to answer your own question, but you may have to wait a few days before you can "accept" your own answer. Which you should do.

Lowell
Super Champion

Just wanted to point out that the question is less to do with Linux vs Windows, and more to do with BASH (or whatever shell you're using) vs the Windows shell (cmd.exe). For example, on Linux you could use a different shell and it could behave differently; but I would expect that most shells should work fine with single quotes or double quotes. On Windows you have fewer choices out of the box, but you can install and use bash (with Cygwin, or something similar) if you wanted to.
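As an added illustration of the point in the reply above (this is not code from any post in the thread or from Splunk), the script below stands in for the `splunk search` executable and reports what the shell actually handed it. The CLI needs the entire SPL string, pipe characters included, to arrive as one argument; the question's error is the shell taking `|` for its own pipe operator and then looking for a program called `head`. In cmd.exe a single quote is not a quoting character at all, which is why only double quotes work there, while PowerShell and POSIX shells treat both as quoting. The example runs in a POSIX sh (bash, dash) and so can only show the POSIX side; the cmd.exe behaviour is described in the comments.

```sh
#!/bin/sh
# Added example, not code from the thread or from Splunk: a stand-in for the
# `splunk search` executable that reports what the shell actually handed it.
# `splunk search` needs the whole SPL string, pipes included, as ONE argument.
# The error in the question is the shell (cmd.exe there) consuming the `|`
# itself and looking for a program called `head`.

# Stand-in for `splunk search`: print how many arguments arrived.
argc() { echo "$#"; }

# Stand-in that prints the first argument exactly as received.
first_arg() { printf '%s\n' "$1"; }

# The query from the thread, kept in a variable for the expansion demos below.
SPL='sourcetype=syslog | head 5 | table host index _time'

# POSIX sh, single quotes (the thread's Linux form): everything literal, one argument.
single_quoted_argc() { argc 'sourcetype=syslog | head 5 | table host index _time'; }

# POSIX sh, double quotes (the thread's Windows form): also one argument, because
# this SPL has no $, backtick or backslash for the shell to expand. This is why
# most shells accept either style, as noted in the last reply.
double_quoted_argc() { argc "sourcetype=syslog | head 5 | table host index _time"; }

# What the program sees inside the quotes: the SPL pipes survive for Splunk to parse.
single_quoted_text() { first_arg 'sourcetype=syslog | head 5 | table host index _time'; }

# Unquoted expansion of the variable: the shell splits the value on whitespace,
# so nine separate words arrive and the query is destroyed. (A literal unquoted
# `|` typed on the command line is worse still: the shell treats it as its own
# pipe operator and runs `head 5` as a command, which is the reported error.)
unquoted_expansion_argc() { argc $SPL; }

# Quoting the expansion restores the single argument.
quoted_expansion_argc() { argc "$SPL"; }

# Run stand-alone to see the counts.
printf 'single quotes  : %s\n' "$(single_quoted_argc)"
printf 'double quotes  : %s\n' "$(double_quoted_argc)"
printf 'unquoted $SPL  : %s\n' "$(unquoted_expansion_argc)"
printf 'quoted "$SPL"  : %s\n' "$(quoted_expansion_argc)"
printf 'text received  : %s\n' "$(single_quoted_text)"
```

The takeaway for scripting the CLI on either platform: the quoting belongs to the shell, not to Splunk, so pick the quote style your shell honours (double quotes in cmd.exe, either in bash or PowerShell) and, in scripts, always quote the variable expansion that carries the SPL.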
