Hi all,
I would like to ask what is the meaning of using pipeline as first character in search query. I saw some video tutorial that will use pipeline as first character and also correlation search in enterprise security.
Thanks all.
It depends on the kind of verb you use.
If there is no pipeline character first, then the implied verb is "search". Every other verb which is a "generating command" requires the pipeline character before the verb.
Below is the search query I extracted from Enterprise Security:
| tstats allow_old_summaries=true count as change_count from datamodel=Change_Analysis.All_Changes by All_Changes.user,All_Changes.change_type | drop_dm_object_name("All_Changes")
| xswhere change_count from change_count_by_user_by_change_type_1d in change_analysis by change_type is above high
From my understanding, some data is search and then pipeline to "generating command". So, what is being passed as argument from the above search query ? I mean the pipeline being putting as the first character. Or it is just the correct syntax to use splunk ?
This answer has a good explanation. I would add that a pipe must precede all search commands.
Mason - The phrase "all search commands" is ambiguous and might mislead some readers... especially since the implicit search
at the start of any search query is the main exception...
Splunk Docs and the Quick Reference Guide all say, "search commands", so I believe I am using proper nomenclature here.
It depends on the kind of verb you use.
If there is no pipeline character first, then the implied verb is "search". Every other verb which is a "generating command" requires the pipeline character before the verb.