Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why curl command for CSV output of top 20 error messages using regex returns error " -bash: syntax error near unexpected token `(' "?

shantu
Explorer
‎11-20-2014 10:51 AM

I'm trying to use the REST API to export an aggregation of the top 20 error messages in my log4j formatted logs. I want to do this through a search with Regex. Here is my curl command:

curl --get -s -u admin:pwd -k https:localhost:8088/servicesNS/admin/search/search/jobs/export -d output_mode=csv --data-urlencode search="search index=* sourcetype="log4j" | rex field=_raw ".*ERROR\\s+(?.*)\\n | top limit=20 ErrorMessage" -o aggregatedErrors.csv

This returns the error: -bash: syntax error near unexpected token `('

The search itself works fine in the Splunk search app, but curl seems to have an issue with the search string. Any idea why? Do I need to escape characters in the regex to use with curl? The reason I'm not just picking out a pre-saved field extraction is because the field extraction shows up fine in the extractor but gives me the entire stack trace when aggregating the errors. Therefore I end up with 100+ unique values instead of 10 or 12. The regex search piped into "top limit=20..." works best.

Please help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎11-20-2014 11:18 AM

The reason why your command doesn't work is indeed because you're not escaping your query string and therefore it gets interpreted by the shell. The solution is simple: enclose your search string within single quotation marks.

curl --get -s -u admin:pwd -k https:localhost:8088/servicesNS/admin/search/search/jobs/export -d output_mode=csv --data-urlencode search='search index=* sourcetype="log4j" | rex field=_raw ".*ERROR\\s+(?.*)\\n | top limit=20 ErrorMessage' -o aggregatedErrors.csv

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎11-20-2014 11:18 AM

The reason why your command doesn't work is indeed because you're not escaping your query string and therefore it gets interpreted by the shell. The solution is simple: enclose your search string within single quotation marks.

curl --get -s -u admin:pwd -k https:localhost:8088/servicesNS/admin/search/search/jobs/export -d output_mode=csv --data-urlencode search='search index=* sourcetype="log4j" | rex field=_raw ".*ERROR\\s+(?.*)\\n | top limit=20 ErrorMessage' -o aggregatedErrors.csv
Reply
Solved! Jump to solution

shantu
Explorer
‎11-20-2014 12:00 PM

Awesome, that worked perfectly! Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...