Splunk® Cloud Services

SPL2 Search Reference

spl1 command: Overview, syntax, and usage

The spl1 command embeds all or part of an SPL search into an SPL2 search. There are some limitations to using this command. See the Usage section.

How the SPL2 spl1 command works

Use the SPL2 spl1 command when a command is not supported in SPL2.

For example, although the makeresults command is not supported in SPL2, you can use the spl1 command to run a search that uses makeresults:

Version Example
SPL search
makeresults count=3
SPL2 search
$makeresults1 = `makeresults count=3`

This search uses the spl1 command backtick ( ` ) character syntax.

SPL2 search
$makeresults2 = | spl1 "makeresults count=3"

This search uses the explicit spl1 command syntax.

In SPL, the default index is main, so a search that does not name an index runs against the main index. SPL2 has no default index. To run a search against a specific index, you must specify that index.

Here's an example:

Version Example
SPL search
error OR http_code=404

This search looks for the term error and the field-value pair http_code=404 in the default index, main.

SPL2 search
$error1 = from main | `search error OR http_code=404`

There is no default dataset with SPL2. The easiest way to identify the dataset is with the SPL2 from command. This search uses the spl1 command backtick ( ` ) character syntax.

SPL2 search
$error2 = from main | spl1 "search error OR http_code=404"

This is the same search using the explicit spl1 command syntax.

SPL2 search
$error3 = `search index=main error OR http_code=404` 

Alternatively, you can add the index to the search command.

Syntax

The spl1 command supports 2 syntaxes.

Backtick character syntax
Enclose the SPL search in backtick ( ` ) characters. The syntax is:

`<SPL-search>`

Explicit spl1 command syntax
Use the spl1 command explicitly and enclose the SPL search in double quotation marks. The syntax is:

spl1 "<SPL-search>"

Usage

You use the spl1 command to include SPL searches, or parts of searches, in your SPL2 searches. The spl1 command enables you to use SPL commands that are not directly supported with SPL2.

SPL commands supported with the spl1 command

In SPL2 searches, you can use the following SPL commands with the spl1 command:

Commands
  • actions
  • addinfo
  • append
  • appendcol
  • apply
  • bin
  • cluster
  • convert
  • dedup
  • eval
  • eventsingest
  • eventstats
  • fields
  • fieldsummary
  • fillnull
  • fit
  • foreach
  • head
  • inputlookup
  • iplocation
  • join
  • lookup
  • makeresults
  • mcatalog
  • metadata
  • metricsingest
  • mstats
  • mvcombine
  • mvexpand
  • multireport
  • noop
  • outputlookup
  • regex
  • rename
  • reverse
  • rex
  • savedsearch
  • search
  • selfjoin
  • sistats
  • sort
  • spath
  • stats
  • streamstats
  • table
  • tags
  • tail
  • timechart
  • timeliner
  • timewrap
  • transaction
  • tstats
  • tojson
  • top
  • typer
  • untable
  • union
  • where
  • xyseries

Searches that use the implied search command

For some SPL searches, you must add the search command when you use the spl1 command.

In SPL, the search command is implied at the beginning of some searches, such as searches that start with a keyword or a field-value pair. Unless your SPL search begins with a generating command like inputlookup, makeresults, mstats, or tstats, you must include the search command when you use the spl1 command. See spl1 command examples.

When to include the index in your search

In an SPL2 search, there is no default index. You must specify the index that you want to search either before or within the spl1 command portion of the search. See spl1 command examples.

Searches that contain quotation marks

When your SPL search contains quotation marks, it is easier to use the spl1 command backtick ( ` ) character syntax. When you use the explicit spl1 command syntax, you must escape the quotation marks. See spl1 command examples.

Searches with macros or subsearches

You cannot use the spl1 command with SPL searches that contain macros or subsearches.
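The usage rules above, applied as a pre-flight check when porting existing SPL searches (for example, saved detections) to SPL2. This is an added example, not Splunk code: the function name to_spl2, its parameters, and the heuristics that treat any unquoted backtick as a macro and any unquoted [ as a subsearch are assumptions.

```python
import re

# Commands this page lists as usable through spl1 (copied from the list above).
SUPPORTED = set("""actions addinfo append appendcol apply bin cluster convert dedup
eval eventsingest eventstats fields fieldsummary fillnull fit foreach head inputlookup
iplocation join lookup makeresults mcatalog metadata metricsingest mstats mvcombine
mvexpand multireport noop outputlookup regex rename reverse rex savedsearch search
selfjoin sistats sort spath stats streamstats table tags tail timechart timeliner
timewrap transaction tstats tojson top typer untable union where xyseries""".split())
# Generating commands the page names as not needing a leading `search`.
GENERATING = {"inputlookup", "makeresults", "mstats", "tstats"}
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

def to_spl2(spl, index=None, explicit=False):
    """Wrap a complete SPL search for SPL2; raise ValueError if spl1 cannot run it."""
    spl = spl.strip().lstrip("|").strip()
    bare = QUOTED.sub('""', spl)            # ignore characters inside quoted strings
    if "`" in bare:                          # assumption: unquoted backtick = macro
        raise ValueError("macros are not supported inside spl1")
    if "[" in bare:                          # assumption: unquoted [ = subsearch
        raise ValueError("subsearches are not supported inside spl1")
    parts = bare.split("|")
    stages = [p.split() for p in parts]
    if any(not s for s in stages):
        raise ValueError("empty pipeline stage")
    first = stages[0][0]
    if first != "search" and first not in GENERATING:
        spl, first = "search " + spl, "search"   # make the implied search explicit
    for stage in stages[1:]:
        if stage[0] not in SUPPORTED:
            raise ValueError(f"command not in the spl1 supported list: {stage[0]}")
    prefix = ""
    if first == "search" and not re.search(r"\bindex\s*=", parts[0]):
        if index is None:
            raise ValueError("SPL2 has no default index; pass index=")
        prefix = f"from {index} | "          # name the dataset before spl1
    # The page recommends backticks when the search contains quotation marks,
    # so the explicit form is only used for searches without them.
    if explicit and '"' not in spl:
        return f'{prefix or "| "}spl1 "{spl}"'
    return f"{prefix}`{spl}`"
```

Only the first command of each later pipeline stage is checked against the list, so a passing result still needs a test run in SPL2.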

See also

spl1 command
spl1 command: Examples

Related information

Differences between SPL and SPL2

Last modified on 10 April, 2025

This documentation applies to the following versions of Splunk® Cloud Services: current

