Splunk Search

Why won't my dataset literals parse?

Bennette
Explorer

In the documentation on dataset literals there is an example query:

FROM
[
{ state: "Washington", abbreviation: "WA", population: 7535591 },
{ state: "California", abbreviation: "CA", population: 39557045 },
{ state: "Oregon", abbreviation: "OR", population: 4190714 }
]
WHERE population > 5000000 SELECT state

If I try to run this or any other query with a dataset literal I get an error:

Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'.

Any idea why? Thanks.


Bennette
Explorer

https://<redacted>.splunkcloud.com/en-US/app/....


richgalloway
SplunkTrust

You're using Splunk Cloud Platform.  Use the manuals at https://docs.splunk.com/Documentation/SplunkCloud

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

So based on the documentation you referenced, it sounds as though dataset literals are simply not supported in SC.  That's too bad, because it offered a nice solution to my root problem, which involves which item from a static list is missing in the response from a subsearch.  I'll pose that question in a separate posting.  Thanks, @richgalloway 

trevorreed
Engager

Did you ever find a solution to your problem? I'm trying to do something very similar.


richgalloway
SplunkTrust

The from command must be preceded by a pipe (|) character even when it's the first command in the query.

The error doesn't say that because Splunk is trying to run what it thinks is a subsearch (the part within []) first.  A leading | will change that.

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

I wish it were that simple - that's just the sort of thing I might have missed.  But in this case, even after adding the pipe, I still get the same error.  This is being run in splunkcloud rather than on-prem.  I'm new enough at this so as not to appreciate the difference, or even know if splunkcloud uses SPL or SPL2.  Could that explain this behavior?


richgalloway
SplunkTrust

Only the Dashboard Studio uses SPL2, so far, both on-prem and in Cloud.

Please cite the documentation where you found this text so we can put it in context.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Thanks for that.  I now understand the reference to SPL2.

Splunk is bad at naming products and services.  "Splunk Cloud Services" (SCS) is not the same as "Splunk Cloud Platform" (SC) and has different documentation.

Let's back up to the beginning.  What Splunk product are you using?  If it's a cloud service, what URL are you using (omit your company name from it)?

The error message reported leads me to believe you're trying to use SCS features in Splunk Cloud.

---
If this reply helps you, Karma would be appreciated.