Splunk Search

Why won't my dataset literals parse?

Bennette
Explorer

In the documentation on dataset literals there is an example query:

FROM
[
{ state: "Washington", abbreviation: "WA", population: 7535591 },
{ state: "California", abbreviation: "CA", population: 39557045 },
{ state: "Oregon", abbreviation: "OR", population: 4190714 }
]
WHERE population > 5000000 SELECT state

If I try to run this or any other query with a dataset literal I get an error:

Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'.

Any idea why? Thanks.

1 Solution

richgalloway
SplunkTrust

You're using Splunk Cloud Platform. Use the manuals at https://docs.splunk.com/Documentation/SplunkCloud

---
If this reply helps you, Karma would be appreciated.


Bennette
Explorer

https://<redacted>.splunkcloud.com/en-US/app/....


Bennette
Explorer

So based on the documentation you referenced, it sounds as though dataset literals are simply not supported in SC.  That's too bad, because it offered a nice solution to my root problem, which involves which item from a static list is missing in the response from a subsearch.  I'll pose that question in a separate posting.  Thanks, @richgalloway 

trevorreed
Explorer

Did you ever find a solution to your problem? I'm trying to do something very similar.


richgalloway
SplunkTrust

The from command must be preceded by a pipe (|) character even when it's the first command in the query.

The error doesn't say that because Splunk is trying to run what it thinks is a subsearch (the part within []) first.  A leading | will change that.

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

I wish it were that simple - that's just the sort of thing I might have missed.  But in this case, even after adding the pipe, I still get the same error.  This is being run in splunkcloud rather than on-prem.  I'm new enough at this so as not to appreciate the difference, or even know if splunkcloud uses SPL or SPL2.  Could that explain this behavior?


richgalloway
SplunkTrust

Only the Dashboard Studio uses SPL2, so far, both on-prem and in Cloud.

Please cite the documentation where you found this text so we can put it in context.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Thanks for that.  I now understand the reference to SPL2.

Splunk is bad at naming products and services.  "Splunk Cloud Services" (SCS) is not the same as "Splunk Cloud Platform" (SC) and has different documentation.

Let's back up to the beginning.  What Splunk product are you using?  If it's a cloud service, what URL are you using (omit your company name from it)?

The error message reported leads me to believe you're trying to use SCS features in Splunk Cloud.

---
If this reply helps you, Karma would be appreciated.