Splunk Enterprise

Need help with Query using AND/OR and NOT IN Operators

zqureshi
New Member

Hello All, I am trying to run a search query via API's and getting errors. I am trying to utilize AND/OR and NOT IN operators. The query is getting results from Splunk UI but it is not working via API Calls.

QUERY:
index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“”

API CALL:
curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId="xyz" items.x_id != "" OR items.data.ed_id!=“” earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

I have tried multiple combinations with quotes and no quotes but was not able to figure out. Your help and guidance would be greatly appreciated.

Labels (1)
Tags (1)
0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Mask double quotes with backslash in data.

curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

And also check test1.xml. Error messages will be written there.

View solution in original post

0 Karma

woodcock
Esteemed Legend

never mix AND (implied) and OR without using parentheses ().

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Mask double quotes with backslash in data.

curl -k -u username:password https://host:8089/servicesNS/admin/search/search/jobs/export --data-urlencode search="search index=node message=abc appId=\"xyz\" items.x_id != \"\" OR items.data.ed_id!=\"\" earliest=01/27/2020:0:0:0 latest=01/28/2020:0:0:0" -d output_mode=xml -o test1.xml

And also check test1.xml. Error messages will be written there.

0 Karma

zqureshi
New Member

Thank you, I am still getting no results with the API Call. The bottom part of the message has the output. I played with the syntax and found out the following syntax is the culprit.

items.data.fed_id != \"\" OR items.institution_id != \"\"

Do I have to list items in a different format?

OUTPUT:
Configuration initialization for D:\Splunk\etc took 32ms when dispatching a search (search ID: 1585678811.20528)
base lispy: [ AND counter index::node jw logger report static ui ]
search context: user="jw_search", app="search", bs-pathname="D:\Splunk\etc"
Your timerange was substituted based on your search string
Eventtype 'wineventlog_application' does not exist or is disabled.
Eventtype 'wineventlog_security' does not exist or is disabled.
Eventtype 'wineventlog_system' does not exist or is disabled.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...