Splunk® Cloud Services

SPL2 Search Manual

Start searching using SPL2

You're probably asking yourself, "So how do I start searching my data?"

You start with a decision. You need to ask yourself if you prefer to search using SQL-like commands or if you prefer to search using internet-like keywords.

This image shows a decision tree diagram. If you need to combine datasets, use the union command. If you know SQL, use the from command. If you already know SPL and are familiar with SQL, use the from command. If you are familiar with SPL but not SQL, use the search command. If you are not familiar with SQL or SPL, use the from command.


You start a search with the pipe ( | ) character followed by a generating command.

The Search Processing Language (SPL) is based on commands separated by the pipe character ( | ). SPL is easy to write and read because you append one command after the other, rather than adding deeper and deeper nesting used by some search languages.

Start with a generating command

Your search must start with a generating command, which are commands you use to generate search results from your data. The generating commands are from, search, and union.

The following table describes when to use each generating command:

from command search command union command
  • Not familiar with SQL or SPL? Start with the from command.
  • Already familiar with SQL? Use the from command. It's similar to the SQL SELECT.
  • The from command is the most commonly used SPL2 generating command.
  • Familiar with SPL? Start with the search command.
  • Use the search command when you need to search more than one index.
  • Use the union command to combine two datasets together.
  • With the from command, you use SQL-like clauses such as SELECT, WHERE, GROUP BY, and ORDER BY.
  • With the search command, you use keywords and field-value pairs.
  • You can use the TERM() directive to match a single term, even if the term contains characters such as periods or underscores.

After you identify the generating command that you want to use, you must determine which dataset you want to search.

Next step

See What's a dataset.

Last modified on 23 August, 2022
Introduction   What's a dataset?

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters