In the documentation on dataset literals there is an example query:
FROM
[
{ state: "Washington", abbreviation: "WA", population: 7535591 },
{ state: "California", abbreviation: "CA", population: 39557045 },
{ state: "Oregon", abbreviation: "OR", population: 4190714 }
]
WHERE population > 5000000 SELECT state
If I try to run this or any other query with a dataset literal I get an error:
Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'.
Any idea why? Thanks.
You're using Splunk Cloud Platform. Use the manuals at https://docs.splunk.com/Documentation/SplunkCloud
https://<redacted>.splunkcloud.com/en-US/app/....
So based on the documentation you referenced, it sounds as though dataset literals are simply not supported in SC. That's too bad, because it offered a nice solution to my root problem, which involves which item from a static list is missing in the response from a subsearch. I'll pose that question in a separate posting. Thanks, @richgalloway
Did you ever find a solution to your problem? I'm trying to do something very similar.
The from command must be preceded by a pipe (|) character even when it's the first command in the query.
The error doesn't say that because Splunk is trying to run what it thinks is a subsearch (the part within []) first. A leading | will change that.
I wish it were that simple - that's just the sort of thing I might have missed. But in this case, even after adding the pipe, I still get the same error. This is being run in splunkcloud rather than on-prem. I'm new enough at this so as not to appreciate the difference, or even know if splunkcloud uses SPL or SPL2. Could that explain this behavior?
Only the Dashboard Studio uses SPL2, so far, both on-prem and in Cloud.
Please cite the documentation where you found this text so we can put it in context.
Thanks for that. I now understand the reference to SPL2.
Splunk is bad at naming products and services. "Splunk Cloud Services" (SCS) is not the same as "Splunk Cloud Platform" (SC) and has different documentation.
Let's back up to the beginning. What Splunk product are you using? If it's a cloud service, what URL are you using (omit your company name from it)?
The error message reported leads me to believe you're trying to use SCS features in Splunk Cloud.