Solved: Re: error piping commands

DTERM · ‎08-26-2011

I'm getting error an on piping one command into another. The result is a "Search operation 'earliest' is unknown. You might not have permission to run this operation."

Both commands work individually, not sure why I can't pipe the output of one into the other. I'd like to know why this fails if you don't find.

First Query

index=myapp lastOccurrence=* firstOccurrence=* | where lastOccurrence=firstOccurrence

Second Query

index=myapp earliest=-30d@d-14h | eval Shift=if(10<=date_hour and date_hour<22,"Shift1","Shift2") | timechart span=1d count by Shift

Combined Query

index=myapp lastOccurrence=* firstOccurrence=* | where lastOccurrence=firstOccurrence | earliest=-30d@d-14h | eval Shift=if(10<=date_hour and date_hour<22,"Shift1","Shift2") | timechart span=1d count by Shift

rroberts · ‎08-26-2011

earliest is not a command you can pipe to. It must be part of your base search.

View solution in original post

rroberts · ‎08-26-2011

earliest is not a command you can pipe to. It must be part of your base search.

melting · ‎08-31-2011

Perhaps you can accept the answer?

DTERM · ‎08-29-2011

Perfect. Thanks!!

error piping commands

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!