Splunk Search

When do you put a | (pipe) as the first character in a search

coleman07
Path Finder

I have noticed several search commands which are preceded by a pipe character with no input left of the pipe. For example:
|eventcount index=*

I looked at what would happen without the pipe and the results were all lines in the searched indexes with the word eventcount. How do you determine whether you must precede a search function with a pipe? Would you also explain what Splunk is doing when it sees a pipe without input?

Thank you.


verbal_666
Builder

OK, this is "etically" perfect, right, but I really need a field count = 0 for ALL next fields; this is the base from which I was starting to generate the next report from a previous generating report.

OK, the "concept" is different (Generating Commands or Transforming Commands), but what I did with "stats" gave me what I need without reported errors.

With " | stats count | eval l="a,b,c" | makemv delim="," l | mvexpand l " it will give it without errors and no effort for the system;
with " | makeresults | fields - _time | eval count = 0 | eval data="a,b,c" | makemv delim="," data | mvexpand data " I need one more added field ("eval count = 0") and to delete another one ("fields - _time").

In my opinion, "|stats" is working fine and I keep on using it.

Thanks, anyway.


niketn
Legend

The command this question is looking for is called a Generating Command.

While |stats count mimics a generating (report) command scenario, as in the presence of no events it gives count as 0 instead of "no results found", it is actually a transforming command which is used to generate reports (aggregate data).

makeresults or gentimes generating commands can be used instead! Several examples exist for this on Splunk Answers and in Splunk Documentation.

| makeresults 
| fields - _time
| eval data="a,b,c" 
| makemv delim="," data
| mvexpand data

verbal_666
Builder

Also "stats" can be a | command. Ex. "| stats count" will result in 0.

Very useful if you want a base matrix to run the next search from a base "fake search" with the needed fields already existing.

Try

" | stats count | eval l="a,b,c" | makemv delim="," l | mvexpand l "


erhoward
New Member

"inputcsv" is another command where you would begin the command with a pipe.


lguinn2
Legend

Splunk expects the first tokens to be search terms or operators. BUT if the first token is the pipe |, Splunk knows that what follows is NOT a search command, and that it should not search the index(es) for the data.

Beginning a "search" with a pipe is only valid for a few commands (the ones that don't need to retrieve indexed data). Here are a few; I am sure there are others:

  • inputlookup
  • eventcount
  • metadata
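As an added example (not taken from any of the answers above) tying the two threads together: a generating command at the start of the pipeline seeds a baseline row per host, so a detection report still shows hosts with zero matching events instead of silently dropping them. It assumes a lookup file `expected_hosts.csv` with a `host` column and an index `auth` whose events carry an `action` field; both are placeholders, not values from this page.

```spl
| inputlookup expected_hosts.csv
| eval failures=0
| append
    [ search index=auth action=failure earliest=-24h
      | stats count AS failures BY host ]
| stats sum(failures) AS failures BY host
```

Without the leading pipe, `inputlookup expected_hosts.csv` would be treated as search terms against the indexes, exactly the behaviour the original question observed with `eventcount`; with it, Splunk runs the generating command and never touches indexed data until the subsearch inside `append`.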