Splunk Search

Why does Using "|" pipe cause 2nd line on search ? Search ends with unbalanced parentheses. Adding parentheses doesn't help.

brolarf
New Member

After adding pipe (|) , search looks like following :
1 (index=main sourcetype=access_combined_wcookie status=200 file=success.do
2 | top productld limit=5)

Search ends with unbalanced parentheses.

Each time entering "|" pipe causes a new line

0 Karma

bmcfar000
Engager

It's a preference, under settings -> spl editor -> Search auto-format

0 Karma

mayurr98
Super Champion

hey @brolarf
Learn SPL syntax using this doc
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearchlanguagesyntax

The query you are hitting index=main sourcetype=access_combined_wcookie status=200 file=success.do
it does not contain any productID
so you will not get any events with this search

index=main sourcetype=access_combined_wcookie status=200 file=success.do 
| top limit=5 productld

But you try this you will probably end up getting events

index=main sourcetype=access_combined_wcookie status=200 productId=* file=*
| top limit=5 productld

If you want to learn basic SPL. I mean how it works you should do this free course available on splunk
https://www.splunk.com/view/SP-CAAAPX9

let me know if this helps !

0 Karma

nryabykh
Path Finder

Hi, brolarf.

You must have parentheses balanced between pipes. No need to use parentheses at the beginning and at the end of query.

If you don't want each pipe to start a new line, you can easily disable this in "Account Settings": https://docs.splunk.com/Documentation/Splunk/7.0.1/Search/Parsingsearches#Auto-format_search_syntax

somesoni2
SplunkTrust
SplunkTrust

I would suggest reading this Splunk documentation which describes how a SPL in Splunk is formatted.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Search/Aboutsearchlanguagesyntax

horsefez
SplunkTrust
SplunkTrust

Hi brolarf,

you should not use parenthesis that go beyond a pipe.
You should not even have any "(" ")" in that search.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...