Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

piping in splunk

nowakdaw
Path Finder
‎09-18-2012 10:09 AM

Hello All,

Does anyone know how piping in splunk is performed. I tried to search for information on this subject but unfortunately I am unable to find anything on it. My question is: does it take the search results from the buffer and then searches on it when piping is done.

To clarify if I search for host="some_host" | source="testing_source" does splunk first search for some host and then from that buffer searches for the source testing_source on it. OR does it search for some_host and then when you pipe it searches again from the entire buffer?

The main purpose of this question is performance.

Thank you for all your help!

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎09-18-2012 10:20 AM

this article in the documentation provides an overview of how the search pipeline works:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSearchCommandsWork

here is a relevant snippet:

"The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character that tells Splunk to use the output or result of one command as the input for the next command."

your first interpretation is correct--the goal here is to filter down your results set as much as possible before performing calculations or other actions on the final set of results.

View solution in original post

Reply
Solved! Jump to solution

vdeshpandegrp
New Member
‎01-03-2018 09:51 PM

What if I don't want to pipe my results, i.e I want each eval to be performed on the entire buffer and not just the subset?

For example:
eval successful_transitions = case(searchmatch("CASE(ActiveSuccesses)"),"active",searchmatch("CASE(InactiveSuccesses)"),"inactive")
| stats count as successes by successful_transitions
| eval failed_transitions = case(searchmatch("[active-failure]"),"active",searchmatch("[inactive-failure]"),"inactive")
| stats count as failures by failed_transitions

Here I want to find, of all the events, How many events are active/inactive successful and how many are active/inactive failed??

Thanks

0 Karma
Reply
Solved! Jump to solution

nowakdaw
Path Finder
‎09-18-2012 11:27 AM

Yes! I apologize for my carelessness. Thank you for pointing that out.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎09-18-2012 11:21 AM

Note that your pipe example is syntactically incorrect - you need a command after the pipe. What you've done is added another search filter after the pipe. This filter should be part of the search command before the pipe instead.

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎09-18-2012 10:20 AM

this article in the documentation provides an overview of how the search pipeline works:

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSearchCommandsWork

here is a relevant snippet:

"The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character that tells Splunk to use the output or result of one command as the input for the next command."

your first interpretation is correct--the goal here is to filter down your results set as much as possible before performing calculations or other actions on the final set of results.

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎09-18-2012 10:25 AM

"|" This is a pipe

alt text

Reply
Solved! Jump to solution

ChrisG
Splunk Employee
Splunk Employee
‎12-05-2015 09:16 AM

Current doc link: http://docs.splunk.com/Documentation/Splunk/6.3.1/Search/Aboutsearchlanguagesyntax#About_the_search_...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...