Splunk® Cloud Services

SPL2 Search Reference

from command usage

The from command is a generating command, which means that it generates events or reports from one or more datasets without transforming the events.

Generating commands should be the first command in a search or a pipeline.

The from command is used differently in different product contexts:

  • When used in a search, this command can retrieve data from a variety of dataset kinds and supports a flexible syntax. This page describes how the from command is used in searches.
  • When used in an Edge Processor or Ingest Processor pipeline, this command retrieves data from a specific internal dataset and must be written as from $source. For information about how the from command is used in pipelines, see Edge Processor pipeline syntax in the Use Edge Processors manual or Ingest Processor pipeline syntax in the Use Ingest Processors manual.

A unique feature of the from command is that you can start a search with the FROM clause or the SELECT clause.

Hierarchy of clauses

There is a hierarchy to the from command clauses. You can skip clauses, but the clauses you use in your search must follow the hierarchy.

The hierarchy depends on whether you start the FROM clause or the SELECT clause.

FROM clause hierarchy
  • FROM
    • JOIN
      • WHERE
        • GROUP BY
          • SELECT | SELECT DISTINCT
            • HAVING
              • ORDER BY
                • LIMIT
                  • OFFSET

SELECT clause hierarchy
  • SELECT | SELECT DISTINCT
    • FROM
      • JOIN
        • WHERE
          • GROUP BY
            • HAVING
              • ORDER BY
                • LIMIT
                  • OFFSET

If you have a search that only has the FROM and ORDER BY clauses, you can add any of the clauses lower in the hierarchy after ORDER BY to your search.

You cannot add any of the clauses higher in the hierarchy than ORDER BY to the end of your search. To include a clause higher in the hierarchy, you must insert the clause in its proper order.

For example, suppose you have this search:

|FROM <dataset> ORDER BY <field> DESC

You can add the LIMIT or OFFSET clause after the ORDER BY. However, to add the WHERE clause, you must insert it between the FROM clause and the ORDER BY clause in your search.

The following SPL2 searches produce the same results. One starts with the FROM clause and the other starts with the SELECT clause:

$from_example =
FROM sample_data_index
WHERE host="www2"
GROUP BY action
SELECT action, count(action) AS 'Action Count'
ORDER BY action DESC

$select_example =
SELECT action, count(action) AS 'Action Count'
FROM sample_data_index
WHERE host="www2"
GROUP BY action
ORDER BY action DESC
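The following added example (it is not from this Splunk page) carries every clause of both hierarchies through one search that counts failed logins per source address, so the required order of HAVING, LIMIT, and OFFSET is visible alongside the clauses shown above. It assumes a hypothetical index named auth_events whose events have the fields action, user, and src_ip; the alias names failures and distinct_users, and the use of a SELECT alias inside HAVING, are also assumptions.

```spl2
// Added example, not from the Splunk page. Assumes a hypothetical index named
// auth_events whose events carry the fields action, user, and src_ip.

// FROM-first form: every clause of the FROM hierarchy, in its required order.
// SELECT sits between GROUP BY and HAVING.
$failed_logins_from =
FROM auth_events
WHERE action="failure"
GROUP BY src_ip
SELECT src_ip, count(action) AS failures, dc(user) AS distinct_users
HAVING failures > 20
ORDER BY failures DESC
LIMIT 10
OFFSET 10

// SELECT-first form of the same search: SELECT moves to the front and every
// other clause keeps its relative position. LIMIT 10 OFFSET 10 returns the
// second page of ten sources.
$failed_logins_select =
SELECT src_ip, count(action) AS failures, dc(user) AS distinct_users
FROM auth_events
WHERE action="failure"
GROUP BY src_ip
HAVING failures > 20
ORDER BY failures DESC
LIMIT 10
OFFSET 10
```

Both forms return the same rows. To add a clause later, insert it at its place in the hierarchy (a WHERE clause goes directly after FROM or JOIN); only clauses lower in the hierarchy than the last one present can be appended to the end.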

Using dataset literals

A dataset literal is a temporary dataset that you type into your search criteria.

You can use a dataset literal anywhere you specify a dataset name, such as in generating commands like from and union.

Here's an example of using a dataset literal with the from command:

FROM [ { "state": "Washington", "abbreviation": "WA", "population": 7535591 }, { "state": "California", "abbreviation": "CA", "population": 39557045 }, { "state": "Oregon", "abbreviation": "OR", "population": 4190714 } ] | eval _time = now()

This search returns these results:

_time                    abbreviation   population   state
3:47:52 PM 14 May 2022   WA             7535591      Washington
3:47:52 PM 14 May 2022   CA             39557045     California
3:47:52 PM 14 May 2022   OR             4190714      Oregon

For more information see Dataset literals in the SPL2 Search Manual.

Using the repeat() dataset function

You use the repeat() function with the from command to create events in a temporary dataset. The repeat() function is often used to create events for testing. For example, you can create a dataset with empty events, events with hourly or daily timestamps, or events with field-value pairs.

For more information and examples, see repeat dataset function.
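The following added example (not from this Splunk page) uses both techniques above to build test events for a threshold rule without touching a real index: repeat() produces a burst of identical events, and a dataset literal produces a small mixed set with one source just under the threshold and one over it. The repeat() signature repeat(<json_object>, <count>) is assumed from the repeat dataset function reference rather than shown on this page; all event values and the field names action, user, and src_ip are constructed for the example.

```spl2
// Added example, not from the Splunk page. All events are constructed test data.
// repeat() is assumed to take a JSON object and a count.

// 1) Twenty-five identical failed logins from one source, stamped with the
//    current time, then counted per source as a rule would count them.
$burst_from_one_source =
FROM repeat({"action": "failure", "user": "svc_backup", "src_ip": "203.0.113.7"}, 25)
| eval _time = now()
| stats count(action) AS failures BY src_ip

// 2) A dataset literal supplies varied events: 198.51.100.4 has two failures
//    and one success (below a threshold of 3), 203.0.113.9 has three failures.
$mixed_sources =
FROM [
  {"action": "failure", "user": "alice", "src_ip": "198.51.100.4"},
  {"action": "failure", "user": "alice", "src_ip": "198.51.100.4"},
  {"action": "success", "user": "alice", "src_ip": "198.51.100.4"},
  {"action": "failure", "user": "bob",   "src_ip": "203.0.113.9"},
  {"action": "failure", "user": "carol", "src_ip": "203.0.113.9"},
  {"action": "failure", "user": "dave",  "src_ip": "203.0.113.9"}
]
WHERE action="failure"
GROUP BY src_ip
SELECT src_ip, count(action) AS failures
HAVING failures >= 3
```

Because the inputs are literals, the expected result of each search is known in advance, which is what makes them useful for checking a rule's threshold and its handling of mixed success and failure events before it runs against production data.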

Using expressions in clauses

You can use expressions in many of the from command clauses.

Expressions produce a value and can be composed of field names, literals, functions, parameters, comparisons and other expressions.

The following examples show an expression in each clause:

  • WHERE: a field-value pair expression. Example: ... WHERE host="www1"
  • GROUP BY: a function expression, specifying the upper function and the first_name field. Example: ... GROUP BY upper(first_name)
  • SELECT: two expressions, a function expression and a field expression. Example: ... SELECT count(action), productId
  • HAVING: a binary expression. Example: ... HAVING sum > 1024*1024
  • ORDER BY: a field expression. Example: ... ORDER BY count DESC

For more information and examples, see Types of expressions in the SPL2 Search Manual.
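The following added example (not from this Splunk page) puts a different kind of expression in each clause of one search: a boolean comparison in WHERE, a function expression in GROUP BY that folds user names to lower case so that "Alice" and "alice" are counted as one account, an arithmetic binary expression in HAVING, and a field expression in ORDER BY. It assumes a hypothetical index named proxy_events with the fields user, dest, bytes_out, and status; the alias names account and total_out, and selecting the GROUP BY expression again in SELECT, are assumptions.

```spl2
// Added example, not from the Splunk page. Assumes a hypothetical index named
// proxy_events with the fields user, dest, bytes_out, and status.
FROM proxy_events
// comparison expressions joined with AND
WHERE status >= 200 AND status < 300 AND bytes_out > 0
// function expression: case variants of the same user name form one group
GROUP BY lower(user), dest
// function and field expressions, with aliases for the aggregates
SELECT lower(user) AS account, dest, sum(bytes_out) AS total_out
// binary arithmetic expression: 500 MiB
HAVING total_out > 500*1024*1024
// field expression
ORDER BY total_out DESC
LIMIT 20
```

One caveat from the Lexicographical order section below applies here: ORDER BY in the from command sorts lexicographically, so check that an ordering on a numeric alias such as total_out is the ordering you expect before relying on it.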

Aliases do not appear in search results

When you use the JOIN clause, the aliases you specify in the search are not propagated to the search results. For example, consider this search:

| SELECT m.srcip, m._time, m.bytes, user.department, user.username FROM main AS m JOIN users AS user ON m.uid = user.id

Because the aliases are not preserved, the fields returned are srcip, _time, bytes, department, and username.
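The following added example (not from this Splunk page) extends the search above with downstream commands to show the practical consequence: after the from command, the fields must be referenced by their bare names, and where two joined datasets carry same-named fields an explicit AS in SELECT gives each result field an unambiguous name. The renamed fields src_ip and account, the department value "finance", and the byte threshold are assumptions; the datasets main and users and their fields are taken from the page's own example.

```spl2
// Added example, not from the Splunk page. Uses the main and users datasets from
// the page's JOIN example; the downstream filter values are assumed.

// Without renames: the m. and user. prefixes are gone in the results, so the
// where command must use srcip, bytes, department, and username.
| SELECT m.srcip, m._time, m.bytes, user.department, user.username
  FROM main AS m JOIN users AS user ON m.uid = user.id
| where department="finance" AND bytes > 10*1024*1024
| stats sum(bytes) AS total_bytes BY username, srcip

// With explicit renames in SELECT (assumed syntax): the result fields carry the
// names you chose, which avoids collisions when both datasets have a field of
// the same name.
| SELECT m.srcip AS src_ip, m._time, m.bytes, user.department, user.username AS account
  FROM main AS m JOIN users AS user ON m.uid = user.id
| where department="finance" AND bytes > 10*1024*1024
| stats sum(bytes) AS total_bytes BY account, src_ip
```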

Lexicographical order

The ORDER BY clause in the from command uses lexicographical order. Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbol ordering is not standardized. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

For examples of how lexicographical order differs from alphanumeric order, see Lexicographical order in the SPL2 Search Manual.

Differences between SPL and SPL2

The from command in SPL2 is substantially different from the from command in SPL.

Datasets no longer need to be qualified

  • SPL
    • Example 1: | from savedsearch:my_search
    • Example 2: Not supported
  • SPL2
    • Example 1: | from my_search
    • Example 2: | from main, where main is an index

Datasets can be filtered

Datasets can be filtered using the WHERE clause.

  • SPL: Not supported. You would need to add the where command to the search to accomplish this.
  • SPL2: | from my_search where field="value"

Datasets can be sorted

Datasets can be sorted using the ORDER BY clause.

  • SPL: Not supported. You would need to add the sort command to the search to sort the dataset.
  • SPL2: | from 1559332447_548 order by status DESC

(The dataset 1559332447_548 in this example is generated from a search ID, or sid.)

Datasets can be projected

Datasets can be projected using the GROUP BY clause.

  • SPL: Not supported. You would need to add a command that includes a BY clause to the search to accomplish this.
  • SPL2: | FROM main GROUP BY host


See also

from command
from command overview
from command syntax details
from command examples
Pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual
Last modified on 19 June, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current
