Splunk Enterprise

Need help with Query using AND/OR and NOT IN Operators

zqureshi
New Member

Hello All, I am trying to run a search query via API's and getting errors. I am trying to utilize AND/OR and NOT IN operators. The query is getting results from Splunk UI but it is not working via API Calls.

QUERY:
index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“”

API CALL:
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“” earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

I have tried multiple combinations with quotes and no quotes but was not able to figure out. Your help and guidance would be greatly appreciated.

Labels (1)
Tags (1)
0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Mask double quotes with backslash in data.

curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

And also check test1.xml. Error messages will be written there.

View solution in original post

0 Karma

woodcock
Esteemed Legend

never mix AND (implied) and OR without using parentheses ().

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Mask double quotes with backslash in data.

curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

And also check test1.xml. Error messages will be written there.

0 Karma

zqureshi
New Member

Thank you, I am still getting no results with the API Call. The bottom part of the message has the output. I played with the syntax and found out the following syntax is the culprit.

items.data.fed_id != \"\" OR items.institution_id != \"\"

Do I have to list items in a different format?

OUTPUT:
Configuration initialization for D:\Splunk\etc took 32ms when dispatching a search (search ID: 1585678811.20528)
base lispy: [ AND counter index::node jw logger report static ui ]
search context: user="jw_search", app="search", bs-pathname="D:\Splunk\etc"
Your timerange was substituted based on your search string
Eventtype 'wineventlog_application' does not exist or is disabled.
Eventtype 'wineventlog_security' does not exist or is disabled.
Eventtype 'wineventlog_system' does not exist or is disabled.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...