from command retrieves data from a dataset, such as a data model dataset, a CSV lookup, a KV Store lookup, a saved search, or a table dataset.
Design a search that uses the
from command to reference a dataset. Optionally add additional SPL such as lookups, eval expressions, and transforming commands to the search Save the result as a report, alert, or dashboard panel. If you use Splunk Cloud, or use Splunk Enterprise and have installed the Splunk Datasets Add-on, you can also save the search as a table dataset.
See the Usage section.
| from <dataset_type>:<dataset_name>
- Syntax: <dataset_type>
- Description: The type of dataset. Valid values are:
datamodeldataset type can be either a data model dataset or a table dataset. You create data model datasets with the Data Model Editor. You can create table datasets with the Table Editor if you use Splunk Cloud or use Splunk Enterprise and have installed the Splunk Datasets Add-on.
inputlookupdataset type can be either a CSV lookup or a KV Store lookup.
savedsearchdataset type is a saved search. You can use
fromto reference any saved search as a dataset.
- See About datasets in the Knowledge Manager Manual.
- Syntax: <dataset_name>
- Description: The name of the dataset that you want to retrieve data from. If the
dataset_typeis a data model, the syntax is
<datamodel_name>.<dataset_name>. If the name of the dataset contains spaces, enclose the dataset name in quotation marks.
- Example: If the data model name is
internal_server, and the dataset name is
In older versions of the Splunk software, the term "data model object" was used. That term has been replaced with "data model dataset".
When you use the
from command, you must reference an existing dataset. You can reference any dataset listed in the Datasets listing page (data model datasets, CSV lookup files, CSV lookup definitions, and table datasets). You can also reference saved searches and KV Store lookup definitions. See View and manage datasets in the Knowledge Manager Manual.
When you create a report, alert, dashboard panel, or table dataset that is based on a
from search that references a dataset, that knowledge object has a dependency on the referenced dataset. This is dataset extension. When you make a change to the original dataset, such as removing or adding fields, that change propagates down to the reports, alerts, dashboard panels, and tables that have been extended from that original dataset. See Dataset extension in the Knowledge Manager Manual.
from command is a generating command, and should be the first command in the search. Generating commands use a leading pipe character.
However, you can use the
from command inside the
1. Search a data model
Search a data model that contains internal server log events for REST API calls. In this example,
internal_server is the data model name and
splunkdaccess is the dataset inside the
internal_server data model.
| from datamodel:internal_server.splunkdaccess
2. Search a lookup file
Search a lookup file that contains geographic attributes for each country, such as continent, two-letter ISO code, and subregion.
| from inputlookup:geo_attr_countries.csv
3. Retrieve data by using a lookup file
Search the contents of the KV store collection kvstorecoll that have a
CustID value greater than 500 and a
CustName value that begins with the letter P. The collection is referenced in a lookup table called
kvstorecoll_lookup. Using the
stats command, provide a count of the events received from the table.
| from inputlookup:kvstorecoll_lookup | where (CustID>500) AND (CustName="P*") | stats count
4. Retrieve data using a saved search
Retrieve the timestamp and client IP from the saved search called
| from savedsearch:mysecurityquery | fields _time clientip ...
5. Specify a dataset name that contains spaces
When the name of a dataset includes spaces, enclose the dataset name in quotation marks.
| from savedsearch:"Top five sourcetypes"
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0