Splunk® Data Stream Processor

Function Reference

DSP 1.2.0 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.

From

This topic describes how to use the function in the .

Description

A special function used in the SPL2 Pipeline Builder to retrieve data from a specific source function. The from function has optional clauses to filter and project the data that you can specify within the from function, or you can filter and project the data by using the streaming functions instead.

The from function has a flexible syntax, which enables you to start building a pipeline with either the FROM or the SELECT clause. For example, these two SPL2 strings are identical and build the exact same pipeline:

Start with the FROM clause Start with the SELECT clause
| FROM read_splunk_firehose() 
WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i) 
SELECT id,
    timestamp,
    kind,
    host,
    "asa" AS source,
    cast(map_get(attributes, "syslog_message"), "string") AS syslog_message,
    "asa_teardown" AS sourcetype;
| SELECT id,
    timestamp,
    kind,
    host,
    "asa" AS source,
    cast(map_get(attributes, "syslog_message"), "string") AS syslog_message,
    "asa_teardown" AS sourcetype
 FROM read_splunk_firehose() 
 WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i); 

The only difference between the two is that one starts with FROM and the other starts with SELECT.

Regardless of which clause you use to start a pipeline with, to use the optional clauses you must specify the clauses in a specific hierarchical order. See "Order of clauses" on this page.

Syntax

The required syntax is in bold.

FROM <source_function>
[ WHERE ( <predicate-expression> [<logical-operator> <predicate-expression>] ) ... ]
[ SELECT <expression> [, <expression>] ... ]

Required arguments

source_function
Syntax: <source_function>
Description: The source function to retrieve the data from. For a list of available source functions, see source functions.

Optional arguments

WHERE
Syntax: WHERE <predicate-expression> [<logical-operator> <predicate-expression>...]
Description: Use the WHERE clause to filter the incoming data. The WHERE clauses uses predicate expressions to filter your data by narrowing down the records based on specified criteria. When specifying multiple predicate expressions, you must specify a logical operator between the expressions. For information about and examples of the types of predicate expressions you can specify, see Predicate expressions in the SPL2 Search Manual. The WHERE clause does not support wildcards in the <predicate-expression>, except for the percent sign ( % ) with the LIKE operator. Alternatively, instead of using the WHERE clause, you can also choose to use the Where function downstream in your pipeline.
Default: None
SELECT
Syntax: SELECT <expression> [ AS <field> [,<expression> [AS <field>] ]... ]
Description: Use the SELECT clause to assign alternative names to fields or apply scalar functions to a group of fields. The <expression> can be any expression. See Types of expressions in the SPL2 Search Manual. Alternatively, instead of using the SELECT clause, you can also choose to use the Select function downstream in your pipeline.
Default: None

When you specify the WHERE or SELECT optional arguments with the FROM clause, the builds a pipeline that includes the Select and Where functions.

Order of clauses

There is a hierarchy to the from function clauses. You can skip clauses, but the clauses you use when building or editing a pipeline must follow the hierarchy.

The hierarchy depends on whether you start the FROM clause or the SELECT clause.

FROM clause hierarchy SELECT clause hierarchy
  • FROM
    • WHERE
      • SELECT
  • SELECT
    • FROM
      • WHERE

SPL2 examples

Examples of common use cases follow.

1. Reads data from the Forwarders Service source function

| FROM forwarders("forwarders:all") |...;

2. Reads data from the Splunk DSP Firehose and filters for records with a syslog sourcetype

| FROM splunk_firehose() WHERE source_type="syslog" |...;

3. Reads data from the Splunk DSP Firehose, filters for records with the webaccess sourcetype, and only keeps the host and timestamp fields

| SELECT host, timestamp 
  FROM splunk_firehose()
  WHERE source_type="webaccess" | ...;
Last modified on 04 August, 2022
Fields   Into

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters