Hello All, I am trying to run a search query via API's and getting errors. I am trying to utilize AND/OR and NOT IN operators. The query is getting results from Splunk UI but it is not working via API Calls.
QUERY:
index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“”
API CALL:
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“” earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml
I have tried multiple combinations with quotes and no quotes but was not able to figure out. Your help and guidance would be greatly appreciated.
Mask double quotes with backslash in data.
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml
And also check test1.xml. Error messages will be written there.
never mix AND
(implied) and OR
without using parentheses ()
.
Mask double quotes with backslash in data.
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml
And also check test1.xml. Error messages will be written there.
Thank you, I am still getting no results with the API Call. The bottom part of the message has the output. I played with the syntax and found out the following syntax is the culprit.
items.data.fed_id != \"\" OR items.institution_id != \"\"
Do I have to list items in a different format?
OUTPUT:
Configuration initialization for D:\Splunk\etc took 32ms when dispatching a search (search ID: 1585678811.20528)
base lispy: [ AND counter index::node jw logger report static ui ]
search context: user="jw_search", app="search", bs-pathname="D:\Splunk\etc"
Your timerange was substituted based on your search string
Eventtype 'wineventlog_application' does not exist or is disabled.
Eventtype 'wineventlog_security' does not exist or is disabled.
Eventtype 'wineventlog_system' does not exist or is disabled.