Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

piping in splunk

nowakdaw
Path Finder
‎09-18-2012 10:09 AM

Hello All,

Does anyone know how piping in splunk is performed. I tried to search for information on this subject but unfortunately I am unable to find anything on it. My question is: does it take the search results from the buffer and then searches on it when piping is done.

To clarify if I search for host="some_host" | source="testing_source" does splunk first search for some host and then from that buffer searches for the source testing_source on it. OR does it search for some_host and then when you pipe it searches again from the entire buffer?

The main purpose of this question is performance.

Thank you for all your help!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎09-18-2012 10:20 AM

this article in the documentation provides an overview of how the search pipeline works:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSearchCommandsWork

here is a relevant snippet:

"The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character that tells Splunk to use the output or result of one command as the input for the next command."

your first interpretation is correct--the goal here is to filter down your results set as much as possible before performing calculations or other actions on the final set of results.

View solution in original post

Reply
Solved! Jump to solution

vdeshpandegrp
New Member
‎01-03-2018 09:51 PM

What if I don't want to pipe my results, i.e I want each eval to be performed on the entire buffer and not just the subset?

For example:
eval successful_transitions = case(searchmatch("CASE(ActiveSuccesses)"),"active",searchmatch("CASE(InactiveSuccesses)"),"inactive")
| stats count as successes by successful_transitions
| eval failed_transitions = case(searchmatch("[active-failure]"),"active",searchmatch("[inactive-failure]"),"inactive")
| stats count as failures by failed_transitions

Here I want to find, of all the events, How many events are active/inactive successful and how many are active/inactive failed??

Thanks

0 Karma
Reply
Solved! Jump to solution

nowakdaw
Path Finder
‎09-18-2012 11:27 AM

Yes! I apologize for my carelessness. Thank you for pointing that out.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-18-2012 11:21 AM

Note that your pipe example is syntactically incorrect - you need a command after the pipe. What you've done is added another search filter after the pipe. This filter should be part of the search command before the pipe instead.

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎09-18-2012 10:20 AM

this article in the documentation provides an overview of how the search pipeline works:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSearchCommandsWork

here is a relevant snippet:

"The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character that tells Splunk to use the output or result of one command as the input for the next command."

your first interpretation is correct--the goal here is to filter down your results set as much as possible before performing calculations or other actions on the final set of results.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-18-2012 10:25 AM

"|" This is a pipe

alt text

Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎12-05-2015 09:16 AM

Current doc link: http://docs.splunk.com/Documentation/Splunk/6.3.1/Search/Aboutsearchlanguagesyntax#About_the_search_...

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...