On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end of support date. See the Splunk Software Support Policy for details.
From
This topic describes how to use the from function in the Splunk Data Stream Processor.
Description
A special function used in the SPL2 Pipeline Builder to retrieve data from a specific source function. The from function has optional WHERE and SELECT clauses that filter and project the data within the from function itself; alternatively, you can filter and project the data downstream by using the Where and Select streaming functions instead.
The from function has a flexible syntax, which enables you to start building a pipeline with either the FROM or the SELECT clause. For example, these two SPL2 strings are identical and build the exact same pipeline:
Start with the FROM clause:
| FROM read_splunk_firehose() WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i) SELECT id, timestamp, kind, host, "asa" AS source, cast(map_get(attributes, "syslog_message"), "string") AS syslog_message, "asa_teardown" AS sourcetype;
Start with the SELECT clause:
| SELECT id, timestamp, kind, host, "asa" AS source, cast(map_get(attributes, "syslog_message"), "string") AS syslog_message, "asa_teardown" AS sourcetype FROM read_splunk_firehose() WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i);
The only difference between the two is that one starts with FROM and the other starts with SELECT.
Regardless of which clause you start a pipeline with, the optional clauses must appear in a specific hierarchical order. See "Order of clauses" on this page.
Syntax
The required syntax is in bold.
- FROM <source_function>
- [ WHERE ( <predicate-expression> [<logical-operator> <predicate-expression>] ) ... ]
- [ SELECT <expression> [, <expression>] ... ]
Required arguments
- source_function
- Syntax: <source_function>
- Description: The source function to retrieve the data from. For a list of available source functions, see source functions.
Optional arguments
- WHERE
- Syntax: WHERE <predicate-expression> [<logical-operator> <predicate-expression>...]
- Description: Use the WHERE clause to filter the incoming data. The WHERE clause uses predicate expressions to narrow down the records based on specified criteria. When specifying multiple predicate expressions, you must specify a logical operator between the expressions. For information about and examples of the types of predicate expressions you can specify, see Predicate expressions in the SPL2 Search Manual. The WHERE clause does not support wildcards in the <predicate-expression>, except for the percent sign ( % ) with the LIKE operator. Alternatively, instead of using the WHERE clause, you can use the Where function downstream in your pipeline.
- Default: None
- SELECT
- Syntax: SELECT <expression> [ AS <field> [,<expression> [AS <field>] ]... ]
- Description: Use the SELECT clause to assign alternative names to fields or to apply scalar functions to a group of fields. The <expression> can be any expression. See Types of expressions in the SPL2 Search Manual. Alternatively, instead of using the SELECT clause, you can use the Select function downstream in your pipeline.
- Default: None
When you specify the WHERE or SELECT optional arguments with the FROM clause, the Splunk Data Stream Processor builds a pipeline that includes the Select and Where functions.
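The pipeline below is an added example, not one of the examples from this Splunk documentation page. It combines the optional clauses described above: a WHERE clause with two predicate expressions joined by the logical operator AND, the LIKE operator with a percent-sign wildcard (the only wildcard the WHERE clause accepts), and a SELECT clause that projects the record down to a fixed set of fields and assigns names with AS. The source function read_splunk_firehose, the fields id, timestamp, kind, host, source_type and attributes, and the functions cast and map_get come from the examples on this page; the pattern "%Deny%" and the sourcetype label "asa_deny" are constructed values for a firewall-deny normalization pipeline. The second statement is the same pipeline written with the downstream Where and Select streaming functions, which this page names as the alternative to the clauses; both build the same Where and Select functions in the pipeline.

```spl2
| FROM read_splunk_firehose()
  WHERE source_type="syslog" AND cast(map_get(attributes, "syslog_message"), "string") LIKE "%Deny%"
  SELECT id, timestamp, kind, host, "asa" AS source, cast(map_get(attributes, "syslog_message"), "string") AS syslog_message, "asa_deny" AS sourcetype
  |...;

| from read_splunk_firehose()
  | where source_type="syslog" AND cast(map_get(attributes, "syslog_message"), "string") LIKE "%Deny%"
  | select id, timestamp, kind, host, "asa" AS source, cast(map_get(attributes, "syslog_message"), "string") AS syslog_message, "asa_deny" AS sourcetype
  |...;
```

The cast of map_get(attributes, "syslog_message") to "string" matters in the WHERE clause as well as in SELECT: map_get returns an untyped value, and LIKE needs a string operand, so a record whose attributes map lacks syslog_message yields null and is simply not matched rather than failing the pipeline. As on the rest of this page, the trailing |...; stands for the remainder of the pipeline, which must end in a sink function before it can be activated.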
Order of clauses
There is a hierarchy to the from function clauses. You can skip clauses, but the clauses you use when building or editing a pipeline must follow the hierarchy.
The hierarchy depends on whether you start with the FROM clause or the SELECT clause.
FROM clause hierarchy: FROM, then WHERE, then SELECT, as in the Syntax section above.
SELECT clause hierarchy: SELECT, then FROM, then WHERE, as in the "Start with the SELECT clause" example above.
SPL2 examples
Examples of common use cases follow.
1. Reads data from the Forwarders Service source function
| FROM forwarders("forwarders:all") |...;
2. Reads data from the Splunk DSP Firehose and filters for records with a syslog sourcetype
| FROM splunk_firehose() WHERE source_type="syslog" |...;
3. Reads data from the Splunk DSP Firehose, filters for records with the webaccess sourcetype, and only keeps the host and timestamp fields
| SELECT host, timestamp FROM splunk_firehose() WHERE source_type="webaccess" | ...;
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6