into command overview
The SPL2 into command appends to or replaces the contents of a dataset in the search or pipeline. The dataset must be a writeable dataset.
The into command does not return any search results or pass data to a subsequent command in a pipeline, so it must be the last command in your search or pipeline.
Syntax
The required syntax is in bold.
- into
- [ mode=append | replace ]
- <dataset>
When you use this command in an Edge Processor or Ingest Processor pipeline, <dataset> must be set to the $destination parameter.
How the SPL2 into command works
The into command works differently in different product contexts:
In searches
Let's start with this search:
FROM main WHERE earliest=-5m@m AND latest=@m GROUP BY host SELECT sum(bytes) AS sum, host HAVING sum > 1024*1024 | into bytesUsage
The following table describes what each command and clause is doing in the search:
| Command or clause | Description |
|---|---|
| FROM command | Retrieves data from the main dataset.
|
| WHERE clause | Specifies to search only the last 5 minutes, starting at the beginning of the minute and stop at the beginning of the current minute. |
| GROUP BY clause | Categorizes the results by the host field.
|
| SELECT clause | Uses a calculation to sum the data in the bytes field and place the results in a field called sum. In addition, returns the host field.
|
| HAVING clause | Filters the aggregated results to return only the sum of the bytes that are greater than 1 MB. |
| into command | Appends the results to the bytesUsage dataset.
|
By default, the into command appends search results to a dataset that you have write access to. The mode argument is only valid when the dataset is a lookup kind of dataset. See Dataset kinds in the SPL2 Search Manual.
In pipelines
The into command sends data that was processed upstream in the Edge Processor or Ingest Processor pipeline to a destination dataset. For example, the data can be sent to an index or an Amazon S3 bucket.
Consider the following pipeline:
$pipeline = | from $source | eval index="main" | into $destination
The following table describes what each command is doing in the pipeline:
| Command or clause | Description |
|---|---|
| from command | Selects a subset of the data received by the Edge Processor or Ingest Processor. This subset is determined by the partition of the pipeline, which you configure in the pipeline builder. |
| eval command | Sets the value of the index field to main for all of the events in the selected subset of data.
|
| into command | Sends the processed data to the destination dataset specified by the pipeline settings, which you configure in the pipeline builder. |
See also
- Related commands
- branch command overview
- thru command overview
- Pipelines
- Edge Processor pipeline syntax in the Use Edge Processors manual
- Ingest Processor pipeline syntax in the Use Ingest Processors manual
- Related information
- Dataset kinds in the SPL2 Search Manual
| head command examples | into command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!