All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 before July 1, 2023 in order to continue to receive full product support from Splunk.
This topic describes how to use the from function in the SPL2 Pipeline Builder.
The from function is a special function used in the SPL2 Pipeline Builder to retrieve data from a specific source function. It has optional clauses for filtering and projecting the data within the from function itself; alternatively, you can filter and project the data with the streaming functions downstream in your pipeline.
The from function has a flexible syntax, which enables you to start building a pipeline with either the FROM or the SELECT clause. For example, these two SPL2 strings are identical and build the exact same pipeline:
|Start with the FROM clause|Start with the SELECT clause|
|---|---|
|FROM read_splunk_firehose() WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i) SELECT id, timestamp, kind, host, "asa" AS source, cast(map_get(attributes, "syslog_message"), "string") AS syslog_message, "asa_teardown" AS sourcetype;|SELECT id, timestamp, kind, host, "asa" AS source, cast(map_get(attributes, "syslog_message"), "string") AS syslog_message, "asa_teardown" AS sourcetype FROM read_splunk_firehose() WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i);|
The only difference between the two is that one starts with FROM and the other starts with SELECT.
Regardless of which clause you start a pipeline with, the optional clauses must be specified in a specific hierarchical order. See "Order of clauses" on this page.
The required syntax is in bold.
- FROM <source_function>
- [ WHERE ( <predicate-expression> [<logical-operator> <predicate-expression>] ) ... ]
- [ SELECT <expression> [, <expression>] ... ]
- Syntax: <source_function>
- Description: The source function to retrieve the data from. For a list of available source functions, see source functions.
- Syntax: WHERE <predicate-expression> [<logical-operator> <predicate-expression>...]
- Description: Use the WHERE clause to filter the incoming data. The WHERE clause uses predicate expressions to filter your data by narrowing down the records based on specified criteria. When specifying multiple predicate expressions, you must specify a logical operator between the expressions. For information about and examples of the types of predicate expressions you can specify, see Predicate expressions in the SPL2 Search Manual. The WHERE clause does not support wildcards in the <predicate-expression>, except for the percent sign ( % ) with the LIKE operator. Alternatively, instead of using the WHERE clause, you can use the Where function downstream in your pipeline.
- Default: None
- Syntax: SELECT <expression> [ AS <field> [,<expression> [AS <field>] ]... ]
- Description: Use the SELECT clause to assign alternative names to fields or apply scalar functions to a group of fields. The <expression> can be any expression. See Types of expressions in the SPL2 Search Manual. Alternatively, instead of using the SELECT clause, you can use the Select function downstream in your pipeline.
- Default: None
Order of clauses
There is a hierarchy to the from function clauses. You can skip clauses, but the clauses you use when building or editing a pipeline must follow the hierarchy.
The hierarchy depends on whether you start with the FROM clause or the SELECT clause:
|FROM clause hierarchy|SELECT clause hierarchy|
|---|---|
|FROM, then WHERE, then SELECT|SELECT, then FROM, then WHERE|
Examples of common use cases follow.
1. Reads data from the Forwarders Service source function
| FROM forwarders("forwarders:all") |...;
2. Reads data from the Splunk DSP Firehose and filters for records with a syslog sourcetype
| FROM splunk_firehose() WHERE source_type="syslog" |...;
3. Reads data from the Splunk DSP Firehose, filters for records with the webaccess sourcetype, and only keeps the host and timestamp fields
| SELECT host, timestamp FROM splunk_firehose() WHERE source_type="webaccess" | ...;
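To make the filter-then-project semantics of the from function concrete, here is an added Python model (not Splunk code or SPL2) that replays the ASA teardown pipeline from the table above and example 3 over constructed firehose-shaped records. The record layout, the `run_from` helper and the sample values are assumptions made for this illustration; `map_get` and `match_regex` mimic the SPL2 functions of the same name.

```python
import re

# Constructed sample records shaped like DSP firehose events; field names
# follow the page's examples (id, timestamp, kind, host, source_type,
# attributes). Values are made up for illustration.
SAMPLE_RECORDS = [
    {"id": "1", "timestamp": 1690000000000, "kind": "event", "host": "fw1",
     "source_type": "syslog", "attributes": {"syslog_message":
     "%ASA-6-302014: Teardown TCP connection 1 for outside:203.0.113.5/443 "
     "to inside:10.0.0.7/51234"}},
    {"id": "2", "timestamp": 1690000001000, "kind": "event", "host": "fw1",
     "source_type": "syslog", "attributes": {"syslog_message":
     "%ASA-6-302013: Built inbound TCP connection 2 for outside:203.0.113.9/80 "
     "to inside:10.0.0.8/40000"}},
    {"id": "3", "timestamp": 1690000002000, "kind": "event", "host": "web1",
     "source_type": "webaccess", "attributes": {}},
]

def map_get(rec, key):
    # Like SPL2 map_get: a missing key yields null (None), not an error.
    return rec["attributes"].get(key)

def match_regex(value, pattern):
    # Like SPL2 match_regex: a null input never matches.
    return value is not None and re.search(pattern, value) is not None

def run_from(records, where=None, select=None):
    # FROM <source> [WHERE ...] [SELECT ...]: WHERE filters the records first,
    # then SELECT projects each surviving record. Both clauses are optional;
    # without them every record passes through unchanged.
    kept = [r for r in records if where is None or where(r)]
    return [select(r) if select else dict(r) for r in kept]

TEARDOWN = re.compile(r".*teardown.*outside.*inside", re.IGNORECASE)

def asa_teardown_pipeline():
    # WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"),
    #                   /.*teardown.*outside.*inside/i)
    def where(r):
        msg = map_get(r, "syslog_message")
        return match_regex(None if msg is None else str(msg), TEARDOWN)
    # SELECT id, timestamp, kind, host, "asa" AS source, cast(...) AS
    #        syslog_message, "asa_teardown" AS sourcetype
    def select(r):
        return {"id": r["id"], "timestamp": r["timestamp"], "kind": r["kind"],
                "host": r["host"], "source": "asa",
                "syslog_message": str(map_get(r, "syslog_message")),
                "sourcetype": "asa_teardown"}
    return run_from(SAMPLE_RECORDS, where, select)

def webaccess_pipeline():
    # Example 3: SELECT host, timestamp FROM splunk_firehose() WHERE source_type="webaccess"
    return run_from(SAMPLE_RECORDS,
                    where=lambda r: r["source_type"] == "webaccess",
                    select=lambda r: {"host": r["host"], "timestamp": r["timestamp"]})
```

Starting with FROM or SELECT changes nothing here: the predicate is always applied before the projection, which is why the two SPL2 strings in the table build the same pipeline.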
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2