Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

from command usage

The from command is a generating command, which means that it generates events or reports from one or more datasets without transforming the events.

Generating commands use a leading pipe character and should be the first command in a search. A unique feature of the from command is that you can start a search with the FROM clause or the SELECT clause.

Hierarchy of clauses

There is a hierarchy to the from command clauses. You can skip clauses, but the clauses you use in your search must follow the hierarchy.

The hierarchy depends on whether you start the FROM clause or the SELECT clause.

FROM clause hierarchy SELECT clause hierarchy
  • FROM
    • JOIN
      • WHERE
        • GROUP BY
          • SELECT | SELECT DISTINCT
            • HAVING
              • ORDER BY
                • LIMIT
                  • OFFSET
  • SELECT | SELECT DISTINCT
    • FROM
      • JOIN
        • WHERE
          • GROUP BY
            • HAVING
              • ORDER BY
                • LIMIT
                  • OFFSET

If you have a search that only has the FROM and ORDER BY clauses, you can add any of the clauses lower in the hierarchy after ORDER BY to your search.

You cannot add any of the clauses higher in the hierarchy than ORDER BY to the end of your search. To include a clause higher in the hierarchy, you must insert the clause in its proper order.

For example, suppose you have this search:

|FROM <dataset> ORDER BY <field> DESC

You can add the LIMIT or OFFSET clause after the ORDER BY. However, to add the WHERE clause, you must insert it between the FROM clause and the ORDER BY clause in your search.

Using dataset literals

A dataset literal is a temporary dataset that you type into your search criteria.

You can use a dataset literal anywhere you specify a dataset name, such as in generating commands like from and union.

Here's an example of using a dataset literal with the from command:

|FROM [ { "state": "Washington", "abbreviation": "WA", "population": 7535591 }, { "state": "California", "abbreviation": "CA", "population": 39557045 }, { "state": "Oregon", "abbreviation": "OR", "population": 4190714 } ]

This search returns these results:

_time abbreviation population state
5/14/2020 3:47:52.000 PM WA 7535591 Washington
5/14/2020 3:47:52.000 PM CA 39557045 California
5/14/2020 3:47:52.000 PM OR 4190714 Oregon

For more information see Dataset literals in the SPL2 Search Manual.

Using the repeat() dataset function

You use the the repeat() function with the from command to create events in a temporary dataset. The repeat() function is often used to create events for testing. For example, you can create a dataset with empty events, events with hourly or daily timestamps, or events with field-value pairs.

For more information and examples, see repeat dataset function

Aliases do not appear in search results

When you use the JOIN clause, the aliases you specify in the search are not propagated to the search results. For example, consider this search:

| SELECT m.srcip, m._time, m.bytes, user.department, user.username FROM main AS m JOIN users AS user ON m.uid = user.id

Because the aliases are not preserved, the fields returned are srcip, _time, bytes, department, and username.

Lexicographical order

The ORDER BY clause in the from command uses lexicographical order. Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

For examples of how lexicographical order is different than alphanumeric order, see Lexicographical order in the SPL2 Search Manual.

Differences between SPL and SPL2

The from command in SPL2 is substantially different than the from command in SPL.

Datasets no longer need to be qualified

Version Example 1 Example 2
SPL | from savedsearch:my_search Not supported
SPL2 | from my_search | from main (where main is an index)

Datasets can be filtered

Datasets can be filtered using the where clause.

Version Example
SPL Not supported. You would need add the the where command to the search to accomplish this.
SPL2 | from my_search where field="value"

Datasets can be sorted

Datasets can be sorted using the ORDER BY clause.

Version Example
SPL Not supported. You would need add the sort command to the search to sort the dataset.
SPL2 | from 1559332447_548 order by DESC status

(This is a dataset generated from a search ID (sid).

Datasets can be projected

Datasets can be projected using the GROUP BY clause.

Version Example
SPL Not supported. You would need add a command that includes a BY clause to the search to accomplish this.
SPL2 | FROM main GROUP BY host


See also

from command
from command overview
from command syntax details
from command examples
Last modified on 23 February, 2021
PREVIOUS
from command syntax details
  NEXT
from command examples

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters