spl1 command overview
The spl1 command embeds all or part of an SPL search into an SPL2 search. There are some limitations using this command. See spl1 command usage.
Syntax
The spl1 command supports two syntaxes.
- Backtick character syntax
- Enclose the SPL search in backtick ( ` ) characters. The syntax is:
- `<SPL-search>`
- Explicit
spl1command syntax - Use the
spl1command explicitly and enclose the SPL search in double quotation marks, The syntax is: - spl1 "<SPL-search>"
How the SPL2 spl1 command works
Use the SPL2 spl1 command when a command is not supported in SPL2.
For example, while the makeresults command is not supported in SPL2 you can use the spl1 command to run a search with the makeresults command:
| Version | Example |
|---|---|
| SPL search | makeresults count=3 |
| SPL2 search | $makeresults1 = `makeresults count=3` This search uses the |
| SPL2 search | $makeresults2 = | spl1 "makeresults count=3" This search uses the explicit |
In SPL, the default index is main and when you run a search, the search is run against the main index.
However, there is no default index in SPL2. To run a search against a specific index, you must specify that index.
Here's an example:
| Version | Example |
|---|---|
| SPL search | error OR http_code=404 This search looks for the term |
| SPL2 search | $error1 = from main | `search error OR http_code=404` There is no default dataset with SPL2. The easiest way to identify the dataset is with the SPL2 |
| SPL2 search | $error2 = from main | spl1 "search error OR http_code=404" This is the same search using the explicit |
| SPL2 search | $error3 = `search index=main error OR http_code=404` Alternatively, you can add the index to the |
See also
- Related information
- Differences between SPL and SPL2
| sort command examples | spl1 command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!