https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216491#M63531 <P>Where did you see that in the documentation? We should clean that up and clarify it.</P> <P>Quoting from <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsearchlanguagesyntax#About_the_search_pipeline">About the search pipeline</A> in the <EM>Search Manual</EM>:</P> <P>The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character, "|". The pipe character tells Splunk software to use the output or result of one command (to the left of the pipe) as the input for the next command (to the right of the pipe). This enables you to refine or enhance the data at each step along the pipeline until you get the results that you want.</P> <P>So in your search, <CODE>index=main</CODE> retrieves a number of events, the <CODE>top limit=20 actual_max_temp</CODE> acts on those events, to show you the 20 most common events that have the <CODE>actual_max_temp</CODE> field.</P> <P>Looking at it in a very narrow technical sense, <CODE>index=main</CODE> is the first command in your search, and <CODE>top</CODE> is the second.</P> <P>But I still agree that we should clarify this in the documentation.</P> Wed, 22 Jun 2016 17:13:11 GMT ChrisG 2016-06-22T17:13:11Z https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216490#M63530 <P>The Splunk documentation says that we use pipe character when we need to club two or more commands, but in some cases, often if we use only one command, we need a <CODE>|</CODE>.</P> <P>For example: <CODE>index="main" |top limit=20 actual_max_temp</CODE> There is only one command <CODE>top</CODE>. Why do I have to use a pipe character in my search?</P> <P>Without a pipe, it gives errors.</P> Wed, 22 Jun 2016 13:03:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216490#M63530 tankhanandita 2016-06-22T13:03:39Z https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216491#M63531 <P>Where did you see that in the documentation? We should clean that up and clarify it.</P> <P>Quoting from <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsearchlanguagesyntax#About_the_search_pipeline">About the search pipeline</A> in the <EM>Search Manual</EM>:</P> <P>The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character, "|". The pipe character tells Splunk software to use the output or result of one command (to the left of the pipe) as the input for the next command (to the right of the pipe). This enables you to refine or enhance the data at each step along the pipeline until you get the results that you want.</P> <P>So in your search, <CODE>index=main</CODE> retrieves a number of events, the <CODE>top limit=20 actual_max_temp</CODE> acts on those events, to show you the 20 most common events that have the <CODE>actual_max_temp</CODE> field.</P> <P>Looking at it in a very narrow technical sense, <CODE>index=main</CODE> is the first command in your search, and <CODE>top</CODE> is the second.</P> <P>But I still agree that we should clarify this in the documentation.</P> Wed, 22 Jun 2016 17:13:11 GMT https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216491#M63531 ChrisG 2016-06-22T17:13:11Z https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216492#M63532 <P>If this is so then if I use the command index="main" airport="ans" then also I should use a pipeline bcoz index is the first command and airport is the second command.</P> <P>But it doesn't seem to work that way.IT doesn't gives an error without a pipeline.</P> Thu, 23 Jun 2016 00:17:22 GMT https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216492#M63532 tankhanandita 2016-06-23T00:17:22Z https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216493#M63533 <P>If this is the case then if i write the command index=""main" airport="AUS" without a pipeline it doesn't gives an error. It works automatically fine in this case. <BR /> Why so?</P> Thu, 23 Jun 2016 00:20:33 GMT https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216493#M63533 tankhanandita 2016-06-23T00:20:33Z https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216494#M63534 <P>You should think of the '|' as an operation delimiter. YOu have your base search :</P> <PRE><CODE>index=main airport="aus" </CODE></PRE> <P>This returns events in the index named main, with the key value pair airport that has the value "AUS". And nothing else.</P> <P>Now if you wanted to perform an operation on these search results, you need to '|' them to another function. Such as top.</P> <PRE><CODE> index=main | top limit=10 airport </CODE></PRE> <P>That will look in the index main, and return the top 10 values for the field airport. E.g. AUS=100, US=79, CHINA=40, etc.</P> <P>You should read through the Splunk documentation : <A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsearchlanguagesyntax">http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsearchlanguagesyntax</A></P> Thu, 23 Jun 2016 00:29:13 GMT https://community.splunk.com/t5/Splunk-Search/Search-Pipeline-Why-does-documentation-say-to-use-a-pipe/m-p/216494#M63534 esix_splunk 2016-06-23T00:29:13Z