Implementing Splunk 7(Third Edition)

About the pipe symbol

Before we dive into the actual commands, it is important to understand what the pipe symbol (|) is used for in Splunk. In a command line, the pipe symbol is used to represent the sending of data from one process to another. For example, in a Unix-style operating system, you might say:

grep foo access.log | grep bar

The first command finds, in the file access.log, the lines that contain foo. Its output is piped to the input of the next grep command, which keeps only the lines that also contain bar. The final output goes wherever it was destined to go, usually the terminal window.

The pipe symbol is different in Splunk in a few important ways:

  • Unlike the command line, events are not simply text, but rather each of them is a set of key/value pairs. You can think of each event as a database row, Python dictionary, JavaScript object, Java map, or Perl associative array. Some fields are hidden from the user but are available for use. Many of these hidden fields are prefixed with an underscore, for instance, _raw, which contains the original event text, and _time, which contains the parsed time in UTC epoch form. Unlike a database, events do not adhere to a schema and fields are created dynamically.
  • Commands can do anything to the events that they are handed. Usually, a command does one of the following:
    • Modifies or creates fields, for example, eval and rex
    • Filters events, such as head and where
    • Replaces events with a report, for example, top and stats
    • Sorts the results of a search using sort
  • Some commands can act as generators, which produce what you might call synthetic events, such as |metadata and |inputcsv.

We will get to know the pipe symbol very well through examples.
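As an added example that is not from the book, here is the Splunk counterpart of the grep pipeline above, extended with one command of each kind listed: a field creator (rex, eval), a filter (where), a report (stats), a sort, and a final head. It assumes web server events indexed with sourcetype=access_combined and the clientip and status fields that Splunk extracts for that sourcetype; the method field is extracted again from _raw only to show rex at work.

```spl
sourcetype=access_combined foo bar
| rex field=_raw "\"(?<method>[A-Z]+) (?<uri>\S+) HTTP"
| eval status_class = tostring(floor(status / 100)) . "xx"
| where status_class = "4xx" OR status_class = "5xx"
| stats count AS errors, dc(uri) AS distinct_uris BY clientip, status_class
| sort -errors
| head 20
```

The first line is the equivalent of the two greps (events must contain both foo and bar); every later line receives the previous command's events, so removing the where clause changes what stats counts, and moving head above sort would truncate before ranking.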