Splunk® Cloud Services

SPL2 Search Reference

into command: Examples

The following are examples for using the SPL2 into command. To learn more about the into command, see How the SPL2 into command works.

1. Append search results to a dataset

Append the search results to the mytable dataset, which is a lookup kind of dataset.

... | into mode=append mytable

2. Pipeline examples

These examples show how to use the into command in a pipeline.

Use a pipeline to send data to a destination

The following pipeline selects a subset of the data received by the Edge Processor or Ingest Processor and then sends the data to a destination, such as an index or Amazon S3 bucket. The $destination parameter refers to the destination dataset specified in the pipeline settings. 

$pipeline = | from $source 
| into $destination

Mask sensitive information using a pipeline

The following pipeline replaces the credit card numbers in the _raw field with the word "<redacted>". The pipeline then sends the masked data to a destination. 

$pipeline = | from $source 
| eval _raw=replace(_raw, /[1-5][0-9]{15}/i, "<redacted>") 
| into $destination

Send pipeline data to separate destinations

The following example uses the branch command to make 2 complete copies of the incoming data and send the data into different destinations.

  • For the first copy, the data is sent to an existing index named buttercup in a cisco_syslog destination.
  • For the second copy, the IP addresses are obscured by using the hashing function, sha256, and then the data is sent to an Amazon S3 destination.
$pipeline = | from $source 
| branch
[ | eval index="buttercup" | into $cisco_syslog_destination],
[ | eval ip_address = sha256(ip_address) | into $aws_s3_destination]

See also

into command
into command: Overview, syntax, and usage
Pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual
Last modified on 10 April, 2025
into command: Overview, syntax, and usage   join command: Overview, syntax, and usage

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters