Why won't my dataset literals parse?

Bennette
Explorer

In the documentation on dataset literals there is an example query:

FROM
[
{ state: "Washington", abbreviation: "WA", population: 7535591 },
{ state: "California", abbreviation: "CA", population: 39557045 },
{ state: "Oregon", abbreviation: "OR", population: 4190714 }
]
WHERE population > 5000000 SELECT state

If I try to run this or any other query with a dataset literal I get an error:

Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'.

Any idea why? Thanks.

0 Karma
1 Solution

richgalloway
SplunkTrust

You're using Splunk Cloud Platform.  Use the manuals at https://docs.splunk.com/Documentation/SplunkCloud

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

https://<redacted>.splunkcloud.com/en-US/app/....

0 Karma

Bennette
Explorer

So based on the documentation you referenced, it sounds as though dataset literals are simply not supported in SC.  That's too bad, because it offered a nice solution to my root problem, which involves which item from a static list is missing in the response from a subsearch.  I'll pose that question in a separate posting.  Thanks, @richgalloway 

trevorreed
Explorer

Did you ever find a solution to your problem? I'm trying to do something very similar.

0 Karma

richgalloway
SplunkTrust

The from command must be preceded by a pipe (|) character even when it's the first command in the query.

The error doesn't say that because Splunk is trying to run what it thinks is a subsearch (the part within []) first.  A leading | will change that.

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

I wish it were that simple - that's just the sort of thing I might have missed.  But in this case, even after adding the pipe, I still get the same error.  This is being run in splunkcloud rather than on-prem.  I'm new enough at this so as not to appreciate the difference, or even know if splunkcloud uses SPL or SPL2.  Could that explain this behavior?

0 Karma

richgalloway
SplunkTrust

Only the Dashboard Studio uses SPL2, so far, both on-prem and in Cloud.

Please cite the documentation where you found this text so we can put it in context.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

Thanks for that.  I now understand the reference to SPL2.

Splunk is bad at naming products and services.  "Splunk Cloud Services" (SCS) is not the same as "Splunk Cloud Platform" (SC) and has different documentation.

Let's back up to the beginning.  What Splunk product are you using?  If it's a cloud service, what URL are you using (omit your company name from it)?

The error message reported leads me to believe you're trying to use SCS features in Splunk Cloud.

---
If this reply helps you, Karma would be appreciated.
0 Karma