Splunk® Cloud Services

SPL2 Search Manual

SPL2 views

An SPL2 view is a reusable, named piece of SPL2.

How are views related to searches?

Consider the following SPL2 search statement:

$countByHost = from main | stats count() by host

  • The search name is $countByHost.
  • The search is from main | stats count() by host.

The search name is a variable, as designated by the dollar sign ( $ ). When you reference the variable name in other statements in your module, you are using that reusable, named piece of SPL2: the view.

The view name is the search name.

This image shows the text "search name = view name".

A view consists of a name and definition. The view definition is the piece of reusable SPL2. As shown in the following image, the search statement is the view definition:

This image shows text that says the search name is the view name and the search is the view definition.

What happens when you use a view

Let's look at the search statement again. The $countByHost search returns a list of the host values in ascending order. For each host, a count is returned. The count is the number of events in the main index with that host value.

$countByHost = from main | stats count() by host

In the following example, the view name $countByHost is used as the dataset in the $tophosts search:

$tophosts = from $countByHost | sort - count | head 3

When the $tophosts search is run, the $countByHost view is called and resolved as part of the search. The view definition replaces the view name and internally the search that's run looks like this:

$tophosts = from main | stats count() by host | sort - count | head 3

The previous example shows how to use a view inside the same module. To use a view outside of the module where the view is defined, you must export the view. Learn more about exporting views later in this topic.
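The substitution described above can be modeled outside Splunk, which helps when reviewing which dataset a chained search ultimately reads. The following Python sketch is an added example, not Splunk code and not how the SPL2 resolver is implemented: it assumes one statement per line and only handles a view used as the dataset (from $view), and the function names are hypothetical.

```python
import re

# Constructed sample: the two statements from this page, one per line.
MODULE = """
$countByHost = from main | stats count() by host
$tophosts = from $countByHost | sort - count | head 3
"""

STATEMENT = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*$")
VIEW_REF = re.compile(r"\bfrom\s+\$(\w+)")  # a view used as the dataset


def parse_module(text):
    """Map each view name to its definition (assumes one statement per line)."""
    views = {}
    for line in text.splitlines():
        match = STATEMENT.match(line)
        if match:
            views[match.group(1)] = match.group(2)
    return views


def resolve(name, views, stack=()):
    """Replace every 'from $view' with that view's definition, recursively."""
    if name in stack:
        raise ValueError("circular view reference: " + " -> ".join(stack + (name,)))
    if name not in views:
        # Mirrors the scoping rule: a view must be defined or imported here.
        raise KeyError("view $%s is not in scope in this module" % name)
    return VIEW_REF.sub(
        lambda m: resolve(m.group(1), views, stack + (name,)), views[name])


def base_datasets(name, views):
    """Datasets the fully resolved search reads from, in order of appearance."""
    return re.findall(r"\bfrom\s+(\w+)", resolve(name, views))


if __name__ == "__main__":
    views = parse_module(MODULE)
    print(resolve("tophosts", views))
    print(base_datasets("tophosts", views))
```

Resolving tophosts yields the same text as the internal search shown above, and a reference to a view that is not defined in the module raises an error instead of being passed through silently.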

Why views are so useful

Views are similar to macros. With views, you can reuse a piece of SPL2 in one or more searches. For example, you can:

  • Use a view as a base search to extend or branch your SPL2 searches.
  • Use a view as a filter on multiple searches.

Base search example

The following example is an excerpt from a module that shows a view, called base_search, that is used in other searches to extend or branch the original base search. You specify the view name where you specify a dataset:

// BASE SEARCH THAT RETURNS SUCCESSFUL EVENTS
$base_search = from sample_events where status=200 

// CHILD SEARCH THAT RETURNS CATEGORIES WHICH START WITH "S" FROM THE WWW4 HOST
$child = from $base_search  
where categoryId LIKE("S%") AND host="www4" 
select _time, action, productId, categoryId

// BRANCH SEARCH THAT RETURNS A SUM OF BYTES BY HOST, RENAMES THE CALCULATED FIELD
$branch = from $base_search
| stats sum(bytes) AS 'Sum of bytes' BY host

For more information about using views as a base search, see Extend and branch SPL2 search statements.

Pipeline example

A pipeline is a special type of SPL2 search statement used with the Splunk Edge Processor solution and Splunk Ingest Processor solution. When run, an SPL2 pipeline processes data and either drops or sends the data instead of returning search results. Pipelines specify what data to process, how to process it, and what destination to send the processed data to.

Suppose you have a situation where you don't want to use a pipeline to send data from a source dataset directly into a destination dataset. You want to filter the dataset, using the same filter on multiple source datasets, before the data goes into a destination dataset.

You can create a view that performs the filtering steps and reuse that view on different pipelines.

Here is a view that performs a filter:

$myfilter = | select a, b | eval c = "darat" | into mystore

You can call this view in a pipeline:

$pipeline = | from [{a,b,c,d,e}] | into $myfilter


Exporting views from a module

To use a view outside of the module in which the view is defined, you must export the view. For more information about exporting, see Exporting module items using SPL2.

To use the view in another module, you must import that view so that the view is in scope in the module where you want to use it. For more information about importing, see Importing module items and datasets using SPL2.

See also

Related information
Modules and SPL2 statements
Datasets
Extend and branch search statements
Last modified on 19 November, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

