When I use spath as a secondary search, it works well, but when I try to search with spath as the first command, it returns nothing.
So is spath not allowed to be the first command in a Splunk search request? If so, is there any workaround for this? Thanks.
Working search:
sourcetype = "test-svc-logs" | spath host | search host = test-svc-5b76489f5f-ppm98
Not working search:
spath host | search host = test-svc-5b76489f5f-ppm98
There are broadly six types of commands, which are responsible/useful for creating SPL queries, performing transformations over data, processing, improving the performance of your SPL, etc.
spath is a distributable streaming command. It sees an empty event set when you put it at the start of the SPL, so it adds no fields and the downstream search has nothing to filter.
Generating commands are usually invoked at the beginning of the search and with a leading pipe. That is, there cannot be a search piped into a generating command. The exception to this is the search command, because it is implicit at the start of a search and does not need to be invoked. (spath is not a generating command.)
I highly recommend learning about these types of commands, as they can improve overall performance when we use them efficiently.
https://docs.splunk.com/Documentation/Splunk/9.4.2/Search/Typesofcommands
https://docs.splunk.com/Documentation/Splunk/9.4.2/SearchReference/Commandsbytype
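As an added illustration of the point made in the answer above (this is not part of the question or the answer, and not taken from Splunk documentation): spath only produces fields when something upstream hands it events. Here the generating command makeresults, invoked with a leading pipe, creates one event, eval puts a constructed JSON sample into _raw, and only then does spath have something to parse. The host value is the one from the question; the JSON payload is a constructed sample.

```spl
| makeresults
| eval _raw="{\"host\":\"test-svc-5b76489f5f-ppm98\",\"msg\":\"constructed sample event\"}"
| spath host
| search host="test-svc-5b76489f5f-ppm98"
```

Against real indexed data the same structure applies: the implicit search command at the start of the pipeline (for example, sourcetype="test-svc-logs") is what feeds spath, which is why the working search in the question returns results and the version that begins with spath returns nothing.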