Splunk Search

Why won't my dataset literals parse?

Bennette
Explorer

In the documentation on dataset literals there is an example query:

FROM
[
{ state: "Washington", abbreviation: "WA", population: 7535591 },
{ state: "California", abbreviation: "CA", population: 39557045 },
{ state: "Oregon", abbreviation: "OR", population: 4190714 }
]
WHERE population > 5000000 SELECT state

If I try to run this or any other query with a dataset literal I get an error:

Error in 'SearchParser': Missing a search command before '{'. Error at position '26' of search query 'search FROM [ { state: "Washington", a'.

Any idea why? Thanks.

Labels (1)
Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You're using Splunk Cloud Platform.  Use the manuals at https://docs.splunk.com/Documentation/SplunkCloud

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Bennette
Explorer

https://<redacted>.splunkcloud.com/en-US/app/....

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You're using Splunk Cloud Platform.  Use the manuals at https://docs.splunk.com/Documentation/SplunkCloud

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

So based on the documentation you referenced, it sounds as though dataset literals are simply not supported in SC.  That's too bad, because it offered a nice solution to my root problem, which involves which item from a static list is missing in the response from a subsearch.  I'll pose that question in a separate posting.  Thanks, @richgalloway 

richgalloway
SplunkTrust
SplunkTrust

The from command must be preceded by a pipe (|) character even when it's the first command in the query.

The error doesn't say that because Splunk is trying to run what it thinks is a subsearch (the part within []) first.  A leading | will change that.

---
If this reply helps you, Karma would be appreciated.

Bennette
Explorer

I wish it were that simple - that's just the sort of thing I might have missed.  But in this case, even after adding the pipe, I still get the same error.  This is being run in splunkcloud rather than on-prem.  I'm new enough at this so as not to appreciate the difference, or even know if splunkcloud uses SPL or SPL2.  Could that explain this behavior?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Only the Dashboard Studio uses SPL2, so far, both on-prem and in Cloud.

Please cite the documentation where you found this text so we can put it in context.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Thanks for that.  I now understand the reference to SPL2.

Splunk is bad at naming products and services.  "Splunk Cloud Services" (SCS) is not the same as "Splunk Cloud Platform" (SC) and has different documentation.

Let's back up to the beginning.  What Splunk product are you using?  If it's a cloud service, what URL are you using (omit your company name from it)?

The error message reported leads me to believe you're trying to use SCS features in Splunk Cloud.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...