Pipes

You can chain consecutive commands together using the pipe character (|). The output of the command to the left of the pipe becomes the input of the command to the right of it, and commands are evaluated strictly from left to right (if you have ever worked with the Linux shell, the concept is the same).

Pipes in Splunk can be used to further filter the retrieved events, extract additional information from them, compute new fields, calculate statistics, sort results, or build a chart. For example, to run a search and display only the first 50 results, we can use the following search:

(Screenshot: Splunk pipe example)

You can stack more than two commands. For example, to run a search, keep only the first 50 results, and sort those results by the host field, we can use the following search. Because commands run left to right, the order matters: piping into the sort command before the head command would sort all matching events and then keep the first 50, whereas the search below keeps the first 50 events returned and sorts only those.

(Screenshot: Splunk command stacking)
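The following search is an added example written for this page and is not taken from the screenshots above. It stacks several commands to show a typical investigation pipeline: a base search, a rex extraction, eval, stats, where, sort and head. The index name web, the sourcetype access_combined and the field names status, uri_path, src_ip and host are assumptions about the data and may differ in your environment.

```spl
index=web sourcetype=access_combined (status=401 OR status=403)
| rex field=uri_path "^/(?<app>[^/]+)"
| eval app=coalesce(app, "root")
| stats count AS denied, dc(src_ip) AS sources BY app, host
| eval denied_per_source=round(denied/sources, 2)
| where denied > 20
| sort - denied
| head 10
```

Each line consumes the output of the previous one: the base search narrows the events to HTTP 401 and 403 responses, rex pulls the first path segment of the requested URI into a new field called app, eval fills that field with "root" when the regular expression did not match, stats collapses the events into one row per app and host with the number of denied requests and the number of distinct client addresses, the second eval derives a ratio from those two columns, where drops rows with 20 or fewer denials, sort orders the remaining rows by denied in descending order (the minus sign before the field name), and head keeps the top 10. Swapping the last two commands would return an arbitrary 10 rows sorted afterwards rather than the 10 busiest, which is the same ordering caveat that applies to head and sort in the simpler example above.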

Geek University 2022