Splunk Search

Why does Using "|" pipe cause 2nd line on search ? Search ends with unbalanced parentheses. Adding parentheses doesn't help.

brolarf
New Member

After adding pipe (|) , search looks like following :
1 (index=main sourcetype=access_combined_wcookie status=200 file=success.do
2 | top productld limit=5)

Search ends with unbalanced parentheses.

Each time entering "|" pipe causes a new line

0 Karma

bmcfar000
Engager

It's a preference, under settings -> spl editor -> Search auto-format

0 Karma

mayurr98
Super Champion

hey @brolarf
Learn SPL syntax using this doc
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearchlanguagesyntax

The query you are hitting index=main sourcetype=access_combined_wcookie status=200 file=success.do
it does not contain any productID
so you will not get any events with this search

index=main sourcetype=access_combined_wcookie status=200 file=success.do 
| top limit=5 productld

But you try this you will probably end up getting events

index=main sourcetype=access_combined_wcookie status=200 productId=* file=*
| top limit=5 productld

If you want to learn basic SPL. I mean how it works you should do this free course available on splunk
https://www.splunk.com/view/SP-CAAAPX9

let me know if this helps !

0 Karma

nryabykh
Path Finder

Hi, brolarf.

You must have parentheses balanced between pipes. No need to use parentheses at the beginning and at the end of query.

If you don't want each pipe to start a new line, you can easily disable this in "Account Settings": https://docs.splunk.com/Documentation/Splunk/7.0.1/Search/Parsingsearches#Auto-format_search_syntax

somesoni2
Revered Legend

I would suggest reading this Splunk documentation which describes how a SPL in Splunk is formatted.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Aboutsearchlanguagesyntax

horsefez
Motivator

Hi brolarf,

you should not use parenthesis that go beyond a pipe.
You should not even have any "(" ")" in that search.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...