Search pipeline syntax

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 , 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13


A Splunk search consists of one or more commands and their arguments. Every search must have at least one data-generation command; the data it generates can then be consumed by the other commands in the search pipeline.

You can pipe search results to a variety of powerful commands to perform statistics and structured analysis on the results.

A data-generation command is a command that generates data. The most common data-generation command is search which retrieves data persisted in a Splunk index, but there are other data-generation commands as well.

search is made up of a search statement followed by search arguments. Search arguments alter the results of the search by specifying what data to operate on, what additional instructions to follow at runtime, and what indexed terms to search for specifically. Search arguments can be literal keywords, wildcards, Boolean expressions, field="value" pairs, modifier="value" pairs, and subsearches.

The search pipeline is composed of commands and arguments that process data generated by the search command and the other data-generation commands.


Search pipeline syntax

search ::= data_generation_command [ search_pipeline ]

data_generation_command ::= search_command | remote_command | savedsearch_command | run_command

search_pipeline ::= "|" [command] [ search_pipeline ]

search_command ::= search [search_argument]+

search_argument ::= [keywords] [field="value"] [modifier="value"] [search_command]

subsearch ::= search_command "[" search "]"

remote_command ::= remote [server","...","server] | [server" "..." "server] [search_pipeline]

savedsearch_command ::= savedsearch [name of saved search]

run_command ::= run [run argument]
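The grammar above is easiest to understand by implementing it. The following is an added example (not Splunk's own code) of a small Python splitter/parser that follows the productions above: it splits a search at top-level "|" characters, treats "[...]" as a subsearch whose inner pipeline is parsed recursively, and separates keywords from field="value" pairs within a search command. One assumption is labelled in the code: a pipeline whose first stage does not begin with one of the four data-generation commands is treated as an implicit "search" command, which is how the example later on this page is written.

```python
"""Parser for the Splunk 3.x search pipeline grammar shown above.

Added example, not Splunk code. It handles the three cases that make naive
splitting on '|' wrong: a '|' inside a double-quoted value, a '|' inside a
bracketed subsearch, and nested subsearches.
"""

DATA_GENERATION_COMMANDS = ("search", "remote", "savedsearch", "run")

# The subsearch example from this page, used as a constructed test input.
DOC_EXAMPLE = (
    'sourcetype="access_combined" [search sourcetype="access_combined" '
    "| stats count by client_ip | search count<10 | fields + client_ip]"
)


def split_pipeline(search: str) -> list:
    """Split a search into pipeline stages at top-level '|' characters.

    Quote state and bracket depth are tracked so that '|' inside a quoted
    value or inside a '[...]' subsearch does not end a stage.
    """
    stages, buf, depth, in_quote = [], [], 0, False
    for ch in search:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "[":
                depth += 1
            elif ch == "]":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced ']' in search")
            elif ch == "|" and depth == 0:
                stages.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    if in_quote or depth != 0:
        raise ValueError("unterminated quote or subsearch")
    stages.append("".join(buf).strip())
    return stages


def tokenize(stage: str) -> list:
    """Split one stage into whitespace-separated tokens, keeping quoted
    strings and whole '[...]' subsearches together as single tokens."""
    tokens, buf, depth, in_quote = [], [], 0, False
    for ch in stage:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "[":
                depth += 1
            elif ch == "]":
                depth -= 1
            elif ch.isspace() and depth == 0:
                if buf:
                    tokens.append("".join(buf))
                    buf = []
                continue
        buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def parse_search_command(stage: str) -> dict:
    """search_argument ::= keyword | field="value" | modifier="value" | subsearch

    Comparisons other than '=' (for example count<10) are kept as keywords;
    modifier="value" pairs are not distinguished from field="value" pairs here.
    """
    tokens = tokenize(stage)
    if tokens and tokens[0] == "search":
        tokens = tokens[1:]
    parsed = {"keywords": [], "fields": {}, "subsearches": []}
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            parsed["subsearches"].append(parse_search(tok[1:-1].strip()))
        elif "=" in tok and not tok.startswith('"'):
            name, _, value = tok.partition("=")
            parsed["fields"][name] = value.strip('"')
        else:
            parsed["keywords"].append(tok.strip('"'))
    return parsed


def parse_search(search: str) -> dict:
    """search ::= data_generation_command [ search_pipeline ]"""
    stages = split_pipeline(search)
    head, rest = stages[0], stages[1:]
    first_word = head.split(None, 1)[0] if head else ""
    if first_word not in DATA_GENERATION_COMMANDS:
        head = "search " + head  # assumption: an implicit leading 'search'
    command = head.split(None, 1)[0]
    node = {"command": command, "pipeline": rest}
    if command == "search":
        node["args"] = parse_search_command(head)
    else:
        node["args"] = head.split(None, 1)[1] if " " in head else ""
    return node


if __name__ == "__main__":
    import json
    print(json.dumps(parse_search(DOC_EXAMPLE), indent=2))
```

Running the block prints the parse tree of this page's subsearch example: an outer search with one field pair and one subsearch, whose own pipeline has three stages after its data-generation command.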


Subsearch syntax

A subsearch is a search with a search pipeline as an argument (like backtick command substitution in a UNIX shell). Use subsearches to generate search results and then use those results to narrow an outer (containing) search.

search_command ::= search search_argument

search_argument ::= keyword | field="value" | modifier="value" | subsearch

subsearch ::= search_command "[" [ search ] "]"

The search command is made up of a search statement followed by search arguments.

Example

This example searches for events from the source type "access_combined" that match client IP addresses that occur less than 10 times.

sourcetype="access_combined" [search sourcetype="access_combined" | stats count by client_ip | search count<10 | fields + client_ip]

How this example subsearch works

1. The "inner" subsearch searches for the source type access_combined and counts events by client_ip.

2. Using the stats and search commands, all events with client_ip values that occur 10 or more times are filtered out.

3. From the remaining events, the fields command causes only the values of the client_ip field to be kept.

4. Then, the results from the subsearch (the remaining client_ip values) are passed as an argument to the "outer" search.

As a whole, the search returns events that come from the access_combined source type that match any of the client_ip keyword values returned from the subsearch.

In this example, the subsearch uses the stats command to perform the statistical operation that gets you the count of client_ip addresses. You can then use the more limited data set to perform the "outer" search.
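To make the four steps concrete, here is an added Python simulation (not Splunk code) of what the inner and outer searches do to a small constructed set of access_combined events. The stats, search count<10 and fields stages are modelled as plain functions, and the subsearch's result rows are turned into the OR of client_ip="value" terms that the outer search matches against, which is the "match any of the client_ip values" behaviour described above; the exact text form of that expansion is an assumption of the example. Keeping only the low-count addresses is the same rare-value pattern a defender uses to surface quiet clients hidden behind noisy ones.

```python
from collections import Counter

# Constructed sample data: one noisy client (12 hits), two quiet ones, and
# two events from another source type that the sourcetype filter must drop.
def _events(sourcetype, client_ip, n):
    return [{"sourcetype": sourcetype, "client_ip": client_ip} for _ in range(n)]

SAMPLE_EVENTS = (
    _events("access_combined", "10.0.0.1", 12)
    + _events("access_combined", "10.0.0.2", 3)
    + _events("access_combined", "10.0.0.3", 1)
    + _events("syslog", "10.0.0.3", 2)
)


def search_sourcetype(events, sourcetype):
    """search sourcetype="<sourcetype>" : keep events from one source type."""
    return [e for e in events if e.get("sourcetype") == sourcetype]


def stats_count_by(events, field):
    """stats count by <field> : one row per distinct value with its count."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: value, "count": n} for value, n in counts.items()]


def inner_subsearch(events, threshold=10):
    """[search sourcetype="access_combined" | stats count by client_ip
        | search count<threshold | fields + client_ip]"""
    rows = stats_count_by(search_sourcetype(events, "access_combined"), "client_ip")
    rows = [r for r in rows if r["count"] < threshold]        # search count<10
    return [{"client_ip": r["client_ip"]} for r in rows]       # fields + client_ip


def subsearch_to_terms(rows):
    """Render the subsearch rows as the OR of field="value" terms the outer
    search receives (assumed textual form of the expansion)."""
    return " OR ".join(f'{k}="{v}"' for row in rows for k, v in row.items())


def outer_search(events, threshold=10):
    """sourcetype="access_combined" [ ...subsearch... ] : access_combined
    events whose client_ip is one of the values the subsearch returned."""
    allowed = {row["client_ip"] for row in inner_subsearch(events, threshold)}
    return [e for e in search_sourcetype(events, "access_combined")
            if e["client_ip"] in allowed]


if __name__ == "__main__":
    rows = inner_subsearch(SAMPLE_EVENTS)
    print("subsearch expands to:", subsearch_to_terms(rows))
    print("outer search returns", len(outer_search(SAMPLE_EVENTS)), "events")
```

With the sample data the noisy address 10.0.0.1 is dropped by the subsearch, the outer search receives client_ip="10.0.0.2" OR client_ip="10.0.0.3", and four access_combined events come back; lowering the threshold argument shows how the cut-off moves.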

Revision: 207. Community content licensed under Creative Commons.