hey @brolarf
Learn SPL syntax using this doc
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearchlanguagesyntax

The query you are hitting index=main sourcetype=access_combined_wcookie status=200 file=success.do
it does not contain any productID
so you will not get any events with this search

index=main sourcetype=access_combined_wcookie status=200 file=success.do 
| top limit=5 productld

But you try this you will probably end up getting events

index=main sourcetype=access_combined_wcookie status=200 productId=* file=*
| top limit=5 productld

If you want to learn basic SPL. I mean how it works you should do this free course available on splunk
https://www.splunk.com/view/SP-CAAAPX9

let me know if this helps !

Hi, brolarf.

You must have parentheses balanced between pipes. No need to use parentheses at the beginning and at the end of query.

If you don't want each pipe to start a new line, you can easily disable this in "Account Settings": https://docs.splunk.com/Documentation/Splunk/7.0.1/Search/Parsingsearches#Auto-format_search_syntax

I would suggest reading this Splunk documentation which describes how a SPL in Splunk is formatted.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Aboutsearchlanguagesyntax

Hi brolarf,

you should not use parenthesis that go beyond a pipe.
You should not even have any "(" ")" in that search.