Splunk Search

Search Pipeline: Why does documentation say to use a pipe character when we need to club two or more commands?

tankhanandita
Explorer

The Splunk documentation says that we use pipe character when we need to club two or more commands, but in some cases, often if we use only one command, we need a |.

For example:

index="main" | top limit=20 actual_max_temp

There is only one command, top. Why do I have to use a pipe character in my search?

Without a pipe, it gives errors.


ChrisG
Splunk Employee

Where did you see that in the documentation? We should clean that up and clarify it.

Quoting from About the search pipeline in the Search Manual:

The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character, "|". The pipe character tells Splunk software to use the output or result of one command (to the left of the pipe) as the input for the next command (to the right of the pipe). This enables you to refine or enhance the data at each step along the pipeline until you get the results that you want.

So in your search, index=main retrieves a number of events, the top limit=20 actual_max_temp acts on those events, to show you the 20 most common events that have the actual_max_temp field.

Looking at it in a very narrow technical sense, index=main is the first command in your search, and top is the second.

But I still agree that we should clarify this in the documentation.

tankhanandita
Explorer

If this is the case, then if I write the command index="main" airport="AUS" without a pipeline it doesn't give an error. It works fine in this case.
Why so?


esix_splunk
Splunk Employee

You should think of the '|' as an operation delimiter. You have your base search:

index=main airport="aus"

This returns events in the index named main, with the key value pair airport that has the value "AUS". And nothing else.

Now if you wanted to perform an operation on these search results, you need to '|' them to another function. Such as top.

index=main | top limit=10 airport

That will look in the index main, and return the top 10 values for the field airport. E.g. AUS=100, US=79, CHINA=40, etc.

You should read through the Splunk documentation : http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsearchlanguagesyntax
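To make the two answers above concrete, here is an added set of searches that is not part of the thread. The index name and the airport field are taken from the poster's examples; the limit values and the constructed sample data in the last search are assumed. The first command of every search is an implicit search command, which is why the base search needs no pipe, and each command after it consumes the output of the one before it, which is why each of those needs its own pipe. The searches are, in order: the base search written with its implicit search command spelled out; the same base search as it is normally typed; the base search followed by one piped command; a longer pipeline that does the same job as top by chaining stats, sort and head; and a search that starts with a leading pipe because makeresults is a generating command that produces its own events rather than filtering events from an index (it builds a small constructed dataset so the pipeline can be tried without any indexed data).

```spl
search index=main airport="AUS"

index=main airport="AUS"

index=main airport="AUS"
| top limit=10 airport

index=main
| stats count BY airport
| sort - count
| head 10

| makeresults count=5
| eval airport=if(random() % 2 == 0, "AUS", "DFW")
| top limit=10 airport
```

The third and fourth searches return the same table (the top ten airport values by count). Running the third search without its pipe would make Splunk read top, limit=10 and airport as search terms for the implicit search command, which is the error the original question describes.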

tankhanandita
Explorer

If this is so, then if I use the command index="main" airport="ans" I should also use a pipeline, because index is the first command and airport is the second command.

But it doesn't seem to work that way. It doesn't give an error without a pipeline.
