Splunk Search

Why does Using "|" pipe cause 2nd line on search ? Search ends with unbalanced parentheses. Adding parentheses doesn't help.

brolarf
New Member

After adding pipe (|) , search looks like following :
1 (index=main sourcetype=access_combined_wcookie status=200 file=success.do
2 | top productld limit=5)

Search ends with unbalanced parentheses.

Each time entering "|" pipe causes a new line

0 Karma

bmcfar000
Engager

It's a preference, under settings -> spl editor -> Search auto-format

0 Karma

mayurr98
Super Champion

hey @brolarf
Learn SPL syntax using this doc
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearchlanguagesyntax

The query you are hitting index=main sourcetype=access_combined_wcookie status=200 file=success.do
it does not contain any productID
so you will not get any events with this search

index=main sourcetype=access_combined_wcookie status=200 file=success.do 
| top limit=5 productld

But you try this you will probably end up getting events

index=main sourcetype=access_combined_wcookie status=200 productId=* file=*
| top limit=5 productld

If you want to learn basic SPL. I mean how it works you should do this free course available on splunk
https://www.splunk.com/view/SP-CAAAPX9

let me know if this helps !

0 Karma

nryabykh
Path Finder

Hi, brolarf.

You must have parentheses balanced between pipes. No need to use parentheses at the beginning and at the end of query.

If you don't want each pipe to start a new line, you can easily disable this in "Account Settings": https://docs.splunk.com/Documentation/Splunk/7.0.1/Search/Parsingsearches#Auto-format_search_syntax

somesoni2
SplunkTrust
SplunkTrust

I would suggest reading this Splunk documentation which describes how a SPL in Splunk is formatted.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Aboutsearchlanguagesyntax

horsefez
SplunkTrust
SplunkTrust

Hi brolarf,

you should not use parenthesis that go beyond a pipe.
You should not even have any "(" ")" in that search.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...