Search works correctly in Splunk Web:
index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client
But using it in an API call returns nothing:
curl -u user:'password' -k https://localhost:8089/services/search/jobs/export -d search='search index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)" | stats count by client' -d output_mode=csv -d earliest_time="-1d" -d latest_time="-1m"
I can get other searches to execute correctly via API calls, and even other versions of this search that return multiple other fields. But if I ask it to return field "client" also, it always renders nothing for output.
Have you tried specifying your search with --data-urlencode instead of -d (which doesn't URL encode)? Your search contains a +, which I believe represents a space unless URL encoded.
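The encoding difference described in this answer, as an added example that is not from the thread: it simulates how a form-encoded POST body decodes on the server when the search is sent with `-d` (raw) versus `--data-urlencode` (percent-encoded), and then applies the decoded rex to one event. The index name `xxxx` and the sample event are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, quote

# Constructed sample: the search from the question, index name left as a placeholder.
SEARCH = (r'search index=xxxx | rex field=_raw "InvalidLogin\|NotFound\|(?<client>\w+)"'
          r' | stats count by client')
# Constructed sample event of the shape that regex expects.
EVENT = "2024-05-01T10:00:00Z InvalidLogin|NotFound|acme_corp src=10.0.0.5"


def body_with_d(search: str) -> str:
    """POST body as `curl -d search=...` sends it: the value is passed through raw."""
    return "search=" + search


def body_with_data_urlencode(search: str) -> str:
    """POST body as `curl --data-urlencode search=...` sends it: the value is
    percent-encoded, so the regex's `+` travels as %2B."""
    return "search=" + quote(search, safe="")


def server_side_search(body: str) -> str:
    """What the REST endpoint sees after form decoding: a literal `+` becomes a
    space, %XX sequences become the original characters."""
    return parse_qs(body, keep_blank_values=True)["search"][0]


def rex_pattern(search: str) -> str:
    """Pull the quoted regex out of the `rex field=_raw "..."` command."""
    m = re.search(r'rex field=_raw "((?:[^"\\]|\\.)*)"', search)
    if m is None:
        raise ValueError("no rex command found")
    return m.group(1)


def extract_client(search: str, event: str):
    """Apply the search's rex to one event; return the `client` capture or None.
    Splunk's PCRE `(?<name>...)` is rewritten to Python's `(?P<name>...)`."""
    pat = re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", rex_pattern(search))
    m = re.search(pat, event)
    return m.group("client") if m else None


if __name__ == "__main__":
    for label, body in (("-d", body_with_d(SEARCH)),
                        ("--data-urlencode", body_with_data_urlencode(SEARCH))):
        seen = server_side_search(body)
        print(f"{label:17} server sees {rex_pattern(seen)!r} -> client={extract_client(seen, EVENT)!r}")
```

With `-d` the server receives `(?<client>\w )` instead of `(?<client>\w+)`, which no longer matches the event, so the `client` field is never created and `stats count by client` has nothing to count.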
That did it. Thanks!
Are there really asterisks in that regex around the word "client" in the two searches?
If asterisk-client-asterisk is a valid name, it needs to be used in the "by" clause as well as the rex.
Corrected the above queries. They now show correctly.
Were you able to figure this out? I'm having the same issue. rex doesn't seem to generate new fields when used in the API.
No was never able to get it to work. We ended up having to write a perl script to parse the output instead.
I actually was able to make it work.
For some reason, the rex expression that I was using in the UI didn't work. But when I rewrote it to be based off of _raw rather than another field, that did the trick. You have to write a more complex expression, but for me, it wasn't terrible.
No, there are no asterisks. It is actually like this: (?<client>\w+)
When I was putting the question in, the preview window showed only (?\w+). So adding asterisks made it print in italics, but at least show correctly. Didn't know that once the question got approved and posted it would literally add the asterisks in.