Splunk Search

pipeline as first character in search query

kkkelvinkk
New Member

Hi all,

I would like to ask what is the meaning of using pipeline as first character in search query. I saw some video tutorial that will use pipeline as first character and also correlation search in enterprise security.
Thanks all.

0 Karma
1 Solution

DalJeanis
SplunkTrust
SplunkTrust

It depends on the kind of verb you use.

If there is no pipeline character first, then the implied verb is "search". Every other verb which is a "generating command" requires the pipeline character before the verb.

http://docs.splunk.com/Splexicon:Generatingcommand

View solution in original post

0 Karma

kkkelvinkk
New Member

Below is the search query I extracted from Enterprise Security:

| tstats allow_old_summaries=true count as change_count from datamodel=Change_Analysis.All_Changes by All_Changes.user,All_Changes.change_type | drop_dm_object_name("All_Changes") | xswhere change_count from change_count_by_user_by_change_type_1d in change_analysis by change_type is above high

From my understanding, some data is search and then pipeline to "generating command". So, what is being passed as argument from the above search query ? I mean the pipeline being putting as the first character. Or it is just the correct syntax to use splunk ?

0 Karma

masonmorales
Influencer

This answer has a good explanation. I would add that a pipe must precede all search commands.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Mason - The phrase "all search commands" is ambiguous and might mislead some readers... especially since the implicit search at the start of any search query is the main exception...

0 Karma

masonmorales
Influencer

Splunk Docs and the Quick Reference Guide all say, "search commands", so I believe I am using proper nomenclature here.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

It depends on the kind of verb you use.

If there is no pipeline character first, then the implied verb is "search". Every other verb which is a "generating command" requires the pipeline character before the verb.

http://docs.splunk.com/Splexicon:Generatingcommand

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...