Splunk Search

Why does Using "|" pipe cause 2nd line on search ? Search ends with unbalanced parentheses. Adding parentheses doesn't help.

brolarf
New Member

After adding pipe (|) , search looks like following :
1 (index=main sourcetype=access_combined_wcookie status=200 file=success.do
2 | top productld limit=5)

Search ends with unbalanced parentheses.

Each time entering "|" pipe causes a new line

0 Karma

bmcfar000
Engager

It's a preference, under settings -> spl editor -> Search auto-format

0 Karma

mayurr98
Super Champion

hey @brolarf
Learn SPL syntax using this doc
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearchlanguagesyntax

The query you are hitting index=main sourcetype=access_combined_wcookie status=200 file=success.do
it does not contain any productID
so you will not get any events with this search

index=main sourcetype=access_combined_wcookie status=200 file=success.do 
| top limit=5 productld

But you try this you will probably end up getting events

index=main sourcetype=access_combined_wcookie status=200 productId=* file=*
| top limit=5 productld

If you want to learn basic SPL. I mean how it works you should do this free course available on splunk
https://www.splunk.com/view/SP-CAAAPX9

let me know if this helps !

0 Karma

nryabykh
Path Finder

Hi, brolarf.

You must have parentheses balanced between pipes. No need to use parentheses at the beginning and at the end of query.

If you don't want each pipe to start a new line, you can easily disable this in "Account Settings": https://docs.splunk.com/Documentation/Splunk/7.0.1/Search/Parsingsearches#Auto-format_search_syntax

somesoni2
Revered Legend

I would suggest reading this Splunk documentation which describes how a SPL in Splunk is formatted.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Aboutsearchlanguagesyntax

horsefez
Motivator

Hi brolarf,

you should not use parenthesis that go beyond a pipe.
You should not even have any "(" ")" in that search.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...