feat: add 3-mode SPL prepend behavior (closes #4)

Issue #4 reports that splunk-cli prepends `search ` to user-supplied
SPL even when the input already begins with the `search` command, so
copy-pasting `search index=foo` from Splunk Web yields the submitted
SPL `search search index=foo`. Splunk then parses the second `search`
as a literal token to match — returning silent no-results.

Adds a `--prepend <mode>` global flag and a `[splunk] prepend = "..."`
config field. Three modes:

  pipe-only  (default, historical behavior) — prepend `search ` unless
             the SPL starts with `|`.
  auto       — also skip when the SPL already starts with the `search`
             command (followed by whitespace or end-of-string). Fixes
             the doubled-search artifact. Does not detect macros that
             expand to a leading command — use `off` for that.
  off        — never prepend; caller supplies a complete SPL.

Default mode is unchanged so existing workflows are unaffected.

The auto-prepend logic moves into a new `internal/spl` package as a
pure `Wrap(spl, mode)` helper with table-driven tests covering each
mode against bare terms, leading-`search` commands, pipe leaders,
quoted phrases, backtick macros, and tokens that merely start with
"search" (e.g. `searchengine=foo`). The Splunk client now delegates
to `spl.Wrap` instead of inlining the rule.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: magifd2

CHANGELOG.md

@@ -5,6 +5,33 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added
+
+- **`--prepend` flag and `prepend` config field** for choosing how SPL
+  is wrapped before submission. Three modes:
+  - `pipe-only` (default, historical behavior): prepend `search ` unless
+    the SPL starts with `|`.
+  - `auto`: also skip the prefix when the SPL already starts with the
+    `search` command (followed by whitespace or end-of-string). Avoids
+    the doubled-`search` artifact when a user pastes `search index=foo`
+    from Splunk Web. Does not detect macros that expand to a leading
+    command — use `off` for that.
+  - `off`: never prepend; the caller supplies a complete SPL.
+
+  Precedence: `--prepend` CLI flag > `[splunk] prepend` in config file
+  > built-in default (`pipe-only`). Default is unchanged from prior
+  versions, so existing workflows are unaffected. Addresses
+  https://github.com/nlink-jp/splunk-cli/issues/4.
+
+### Changed
+
+- The auto-prepend logic moves into the new `internal/spl` package as
+  a pure `Wrap(spl, mode)` helper, and the Splunk client now delegates
+  to it instead of inlining the rule. No observable change at the
+  default mode.
+
 ## [2.0.4] - 2026-05-22
 
 ### Added

README.ja.md

@@ -111,9 +111,35 @@ splunk-cli [command]
       --insecure                TLS 証明書検証をスキップ
       --http-timeout duration   リクエストごとの HTTP タイムアウト（例: 30s, 2m）
       --debug                   デバッグログを有効化
+      --prepend string          SPL 自動補完モード: auto | pipe-only（デフォルト）| off
   -v, --version                 バージョン情報を表示
 ```
 
+### SPL 自動補完モード
+
+splunk-cli はデフォルトでユーザの SPL の先頭に `search ` を自動付与します（`|` 始まりは除く）。このため **自分で `search index=foo` と書くと `search search index=foo` になり**、Splunk は 2 番目の `search` をリテラルトークン検索として解釈する結果、ほぼ常に空ヒットになります。3 つのモードを選べます。
+
+| モード | `search ` を付与する条件 | 備考 |
+|---|---|---|
+| `pipe-only`（デフォルト） | 入力が `\|` で始まらない場合 | 従来動作。後方互換維持。 |
+| `auto` | 入力が `\|` で始まらず、かつ `search` コマンド（後ろが空白 / 末尾）で始まらない場合 | Splunk Web からのコピペに親切。マクロが先頭コマンドに展開されるケースは検出できない。 |
+| `off` | 付与しない | 完全な SPL を自分で書く必要があります（先頭 `search` / 生成コマンド / `\|` を含む）。 |
+
+実行ごとに指定:
+
+```bash
+splunk-cli run --prepend auto --spl 'search index=foo | stats count'
+```
+
+または `~/.config/splunk-cli/config.toml` でデフォルト指定:
+
+```toml
+[splunk]
+prepend = "auto"
+```
+
+優先順位: CLI フラグ > 設定ファイル > 組み込みデフォルト（`pipe-only`）
+
 ### `run` — 同期検索
 
 ```bash

README.md

@@ -111,9 +111,39 @@ Global flags:
       --insecure                Skip TLS certificate verification
       --http-timeout duration   Per-request HTTP timeout (e.g. 30s, 2m)
       --debug                   Enable verbose debug logging
+      --prepend string          SPL prepend mode: auto | pipe-only (default) | off
   -v, --version                 Print version information
 ```
 
+### SPL prepend mode
+
+By default, splunk-cli wraps your SPL with a leading `search ` command
+unless it starts with `|`. This means **typing `search index=foo`
+yourself produces a doubled `search search index=foo`**, which Splunk
+parses as "search command + literal token search + index=foo" and
+typically returns no results. Three modes are available:
+
+| Mode | When `search ` is added | Notes |
+|---|---|---|
+| `pipe-only` (default) | unless input starts with `\|` | Historical behavior; backward compatible. |
+| `auto` | unless input starts with `\|` **or** with the `search` command (followed by whitespace / EOF) | Convenient when pasting from Splunk Web. Does **not** detect macros that expand to a leading command. |
+| `off` | never | You supply a complete SPL, including any leading command. |
+
+Set per-invocation:
+
+```bash
+splunk-cli run --prepend auto --spl 'search index=foo | stats count'
+```
+
+Or set the default in `~/.config/splunk-cli/config.toml`:
+
+```toml
+[splunk]
+prepend = "auto"
+```
+
+Priority: CLI flag > config file > built-in default (`pipe-only`).
+
 ### `run` — Synchronous search
 
 ```bash

cmd/root.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/nlink-jp/splunk-cli/internal/client"
 	"github.com/nlink-jp/splunk-cli/internal/config"
+	"github.com/nlink-jp/splunk-cli/internal/spl"
 )
 
 // cfg holds the runtime configuration, built by loadConfig in PersistentPreRunE.
@@ -29,6 +30,7 @@ var (
 	flagHTTPTimeout time.Duration
 	flagDebug       bool
 	flagLimit       int
+	flagPrepend     string
 )
 
 var rootCmd = &cobra.Command{
@@ -52,6 +54,7 @@ func init() {
 	pf.DurationVar(&flagHTTPTimeout, "http-timeout", 0, "Per-request HTTP timeout (e.g. 30s, 2m)")
 	pf.BoolVar(&flagDebug, "debug", false, "Enable verbose debug logging")
 	pf.IntVar(&flagLimit, "limit", 0, "Max results to return (0 = all)")
+	pf.StringVar(&flagPrepend, "prepend", "", `SPL prepend mode: "auto" | "pipe-only" (default) | "off"`)
 }
 
 // Execute runs the root command.
@@ -102,6 +105,13 @@ func loadConfig(_ *cobra.Command, _ []string) error {
 	if pf.Changed("limit") {
 		cfg.Limit = flagLimit
 	}
+	if pf.Changed("prepend") {
+		mode, err := spl.ParseMode(flagPrepend)
+		if err != nil {
+			return err
+		}
+		cfg.Prepend = mode
+	}
 	return nil
 }
 

config.example.toml

@@ -26,3 +26,20 @@ token = ""
 
 # Maximum results to return per run/results command (0 = all)
 # limit = 0
+
+# How splunk-cli wraps the SPL you submit:
+#   "pipe-only" (default) — prepend "search " unless the SPL starts with "|".
+#                           Matches the historical behavior; if you write
+#                           `search index=foo`, the submitted SPL becomes
+#                           `search search index=foo` (Splunk treats the
+#                           second `search` as a literal token to match).
+#   "auto"                — also skip the prefix when the SPL already starts
+#                           with the `search` command (followed by a space
+#                           or end of string). Convenient if you paste from
+#                           Splunk Web; does not protect against macros that
+#                           expand to a leading command.
+#   "off"                 — never prepend. You must supply a complete SPL,
+#                           including any leading `search` or generating
+#                           command.
+# Override per-invocation with `--prepend auto|pipe-only|off`.
+# prepend = "pipe-only"

internal/client/client.go

@@ -17,6 +17,7 @@ import (
 	"time"
 
 	"github.com/nlink-jp/splunk-cli/internal/config"
+	splpkg "github.com/nlink-jp/splunk-cli/internal/spl"
 )
 
 const (
@@ -154,11 +155,7 @@ func (c *Client) StartSearch(ctx context.Context, spl, earliest, latest string)
 	c.debugf("POST %s\n", endpoint)
 
 	form := url.Values{}
-	if !strings.HasPrefix(strings.TrimSpace(spl), "|") {
-		form.Set("search", "search "+spl)
-	} else {
-		form.Set("search", spl)
-	}
+	form.Set("search", splpkg.Wrap(spl, c.cfg.Prepend))
 	if earliest != "" {
 		form.Set("earliest_time", earliest)
 	}

internal/config/config.go

@@ -10,6 +10,8 @@ import (
 	"time"
 
 	"github.com/BurntSushi/toml"
+
+	"github.com/nlink-jp/splunk-cli/internal/spl"
 )
 
 // Stderr is the writer for warnings. Overridable in tests.
@@ -28,6 +30,7 @@ type Config struct {
 	HTTPTimeout time.Duration
 	Limit       int
 	Debug       bool
+	Prepend     spl.PrependMode
 }
 
 // tomlConfig mirrors the TOML file structure.
@@ -45,6 +48,7 @@ type tomlSplunk struct {
 	Insecure    bool   `toml:"insecure"`
 	HTTPTimeout string `toml:"http_timeout"`
 	Limit       int    `toml:"limit"`
+	Prepend     string `toml:"prepend"`
 }
 
 // DefaultPath returns the default config file path.
@@ -60,6 +64,7 @@ func DefaultPath() string {
 // A missing file is not an error — the returned Config will have zero values.
 func Load(path string) (Config, error) {
 	var cfg Config
+	cfg.Prepend = spl.DefaultMode
 
 	if path == "" {
 		path = DefaultPath()
@@ -98,6 +103,12 @@ func Load(path string) (Config, error) {
 		cfg.HTTPTimeout = d
 	}
 
+	mode, err := spl.ParseMode(s.Prepend)
+	if err != nil {
+		return cfg, fmt.Errorf("config: %w", err)
+	}
+	cfg.Prepend = mode
+
 	return cfg, nil
 }
 

internal/spl/prepend.go

@@ -0,0 +1,90 @@
+// Package spl contains pure helpers for shaping SPL queries before they are
+// sent to Splunk's REST API.
+package spl
+
+import (
+	"fmt"
+	"strings"
+)
+
+// PrependMode controls how Wrap decides whether to add a leading "search "
+// command to a user-supplied SPL string.
+type PrependMode string
+
+const (
+	// ModeAuto skips the "search " prefix when the input already starts with
+	// the "search" command (followed by whitespace or end-of-string) or with
+	// a "|" pipe leader. Everything else (bare terms, quoted phrases,
+	// backtick macros) gets the prefix.
+	ModeAuto PrependMode = "auto"
+
+	// ModePipeOnly skips the prefix only when the input starts with "|".
+	// This matches the historical default — passing `search index=foo`
+	// produces the double-search artifact `search search index=foo`.
+	ModePipeOnly PrependMode = "pipe-only"
+
+	// ModeOff never prepends. The caller must supply a complete SPL,
+	// including any leading "search" / generating command / "|" leader.
+	ModeOff PrependMode = "off"
+)
+
+// DefaultMode is the prepend mode used when neither config nor flag specifies
+// one. ModePipeOnly preserves historical splunk-cli behavior so existing
+// workflows keep working without change.
+const DefaultMode = ModePipeOnly
+
+// Wrap returns the SPL string ready for submission, applying "search "
+// prepend according to mode. The original input is preserved verbatim
+// when no prefix is added (whitespace and all).
+func Wrap(spl string, mode PrependMode) string {
+	if mode == "" {
+		mode = DefaultMode
+	}
+	if mode == ModeOff {
+		return spl
+	}
+	trimmed := strings.TrimSpace(spl)
+	if strings.HasPrefix(trimmed, "|") {
+		return spl
+	}
+	if mode == ModeAuto && hasLeadingSearchCommand(trimmed) {
+		return spl
+	}
+	return "search " + spl
+}
+
+// hasLeadingSearchCommand reports whether s begins with the SPL command
+// "search" followed by whitespace or end-of-string. Tokens that merely
+// start with "search" (for example searchengine=foo) return false.
+func hasLeadingSearchCommand(s string) bool {
+	const kw = "search"
+	if !strings.HasPrefix(s, kw) {
+		return false
+	}
+	if len(s) == len(kw) {
+		return true
+	}
+	switch s[len(kw)] {
+	case ' ', '\t', '\n', '\r':
+		return true
+	}
+	return false
+}
+
+// ParseMode normalizes user-supplied input (CLI flag value or TOML field)
+// into a PrependMode. Empty string maps to DefaultMode. Unknown values
+// return an error so misconfiguration fails loudly rather than silently
+// falling back.
+func ParseMode(s string) (PrependMode, error) {
+	switch strings.ToLower(strings.TrimSpace(s)) {
+	case "":
+		return DefaultMode, nil
+	case string(ModeAuto):
+		return ModeAuto, nil
+	case string(ModePipeOnly):
+		return ModePipeOnly, nil
+	case string(ModeOff):
+		return ModeOff, nil
+	}
+	return "", fmt.Errorf("invalid prepend mode %q (want auto | pipe-only | off)", s)
+}