Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search Pipeline: Why does documentation say to use a pipe character when we need to club two or more commands?

tankhanandita
Explorer
‎06-22-2016 06:03 AM

The Splunk documentation says that we use pipe character when we need to club two or more commands, but in some cases, often if we use only one command, we need a |.

For example: index="main" |top limit=20 actual_max_temp There is only one command top. Why do I have to use a pipe character in my search?

Without a pipe, it gives errors.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎06-22-2016 10:13 AM

Where did you see that in the documentation? We should clean that up and clarify it.

Quoting from About the search pipeline in the Search Manual:

The "search pipeline" refers to the structure of a Splunk search, in which consecutive commands are chained together using a pipe character, "|". The pipe character tells Splunk software to use the output or result of one command (to the left of the pipe) as the input for the next command (to the right of the pipe). This enables you to refine or enhance the data at each step along the pipeline until you get the results that you want.

So in your search, index=main retrieves a number of events, the top limit=20 actual_max_temp acts on those events, to show you the 20 most common events that have the actual_max_temp field.

Looking at it in a very narrow technical sense, index=main is the first command in your search, and top is the second.

But I still agree that we should clarify this in the documentation.

Reply

tankhanandita
Explorer
‎06-22-2016 05:20 PM

If this is the case then if i write the command index=""main" airport="AUS" without a pipeline it doesn't gives an error. It works automatically fine in this case.
Why so?

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎06-22-2016 05:29 PM

You should think of the '|' as an operation delimiter. YOu have your base search :

index=main airport="aus"

This returns events in the index named main, with the key value pair airport that has the value "AUS". And nothing else.

Now if you wanted to perform an operation on these search results, you need to '|' them to another function. Such as top.

 index=main  | top limit=10 airport

That will look in the index main, and return the top 10 values for the field airport. E.g. AUS=100, US=79, CHINA=40, etc.

You should read through the Splunk documentation : http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Aboutsearchlanguagesyntax

Reply

tankhanandita
Explorer
‎06-22-2016 05:17 PM

If this is so then if I use the command index="main" airport="ans" then also I should use a pipeline bcoz index is the first command and airport is the second command.

But it doesn't seem to work that way.IT doesn't gives an error without a pipeline.

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...