Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- pipeline as first character in search query
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I would like to ask what is the meaning of using pipeline as first character in search query. I saw some video tutorial that will use pipeline as first character and also correlation search in enterprise security.
Thanks all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on the kind of verb you use.
If there is no pipeline character first, then the implied verb is "search". Every other verb which is a "generating command" requires the pipeline character before the verb.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is the search query I extracted from Enterprise Security:
| tstats allow_old_summaries=true count as change_count from datamodel=Change_Analysis.All_Changes by All_Changes.user,All_Changes.change_type | drop_dm_object_name("All_Changes") | xswhere change_count from change_count_by_user_by_change_type_1d in change_analysis by change_type is above high
From my understanding, some data is search and then pipeline to "generating command". So, what is being passed as argument from the above search query ? I mean the pipeline being putting as the first character. Or it is just the correct syntax to use splunk ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This answer has a good explanation. I would add that a pipe must precede all search commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mason - The phrase "all search commands" is ambiguous and might mislead some readers... especially since the implicit search at the start of any search query is the main exception...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Docs and the Quick Reference Guide all say, "search commands", so I believe I am using proper nomenclature here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on the kind of verb you use.
If there is no pipeline character first, then the implied verb is "search". Every other verb which is a "generating command" requires the pipeline character before the verb.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
