SPL2 Command Quick Reference
The following commands are supported in SPL2. Use the links in the table to see the command syntax, examples, and usage information.
| Command | Description | Example |
| --- | --- | --- |
| bin | Puts continuous numerical values into discrete sets, or bins. | Return the average for a field for a specific time span. Bin the search results using a 5 minute time span on the `_time` field. Return the average `thruput` of each `host` for each 5 minute time span. |
| branch | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the | Read the events in the `main` index dataset into memory one time. Process the events in two branches using subsearches to determine the most popular hosts and sources. |
| dedup | Removes the events that contain an identical combination of values for the fields that you specify. | Remove duplicates of results with the same |
| eval | Calculates an expression and puts the resulting value into a search results field. | Create a new field that contains the result of a calculation. Create a new field called `velocity` in each event. Calculate the velocity by dividing the values in the `distance` field by the values in the |
| eventstats | Generates summary statistics from fields in your events and saves those statistics into a new field. | Calculate an average for each distinct value of the `date_minute` field. The new field `avgdur` is added to each event with the average value based on its particular value of |
| expand | Produces a separate result row for each object in an array that is in a field. | Expand the array in the `bridges` field. Here is the event before the field is expanded: Here are the results after the |
| fields | Keeps or removes fields from search results based on the list of fields that you specify. | Specify a list of fields to include in the search results. Return only the `src` fields from the search results. |
| fieldsummary | Calculates summary statistics for one or more fields in your events, displayed as a results table. | Return the summary statistics for all incoming fields. |
| flatten | Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object. | Flatten the values in the `bridges` object into separate fields. The results look like this: |
| from | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job. | Return data from the `main` index for the last 5 minutes. Group the results by host. Calculate the sum of the `bytes` field. Return the sum and the host fields where the sum of the bytes is greater than 1 MB. |
| head | Returns the first N number of specified results in search order. | Stop searching when a null value is encountered. This example returns results while `action=purchase` or the `action` field does not exist in the results (`null=true`). A maximum of 50 results are returned. |
| into | Sends results to a dataset that is writable, a dataset sink. Appends or replaces the dataset sink in the search data pipeline. | Append the search results to the `mytable` dataset, which is a lookup kind of dataset. |
| join | Combines the results from two datasets by using one or more common fields. | Join datasets on fields that have the same name. Combine the results from a search with the `vendors` dataset. The data is joined on the `product_id` field, which is common to both datasets. |
| lookup | Invokes field value lookups. | Put corresponding information from a lookup dataset into your events. Append the data returned from your search results with the data in the |
| mvexpand | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. | Expand the values in the |
| rename | Renames one or more fields. | Rename a field with special characters. Rename the `ip-add` field to `IPAddress`. Field names that contain anything other than a-z, A-Z, 0-9, or "_" need single quotation marks. |
| reverse | Reverses the order of the search results. | |
| rex | Extracts fields using regular expression named groups, or replaces or substitutes characters in a field using sed expressions. | Extract values from a field using a `<regex-expression>`. Extract `SavedSearchName` from a field called `savedsearch_id` in scheduler.log events. If the contents of the field is |
| search | Retrieves events from indexes or filters the results of a previous search command in the pipeline. | Search for a field-value pair for a specific source IP, |
| select | See the from command. The SELECT clause is part of the | Calculate the sum of the `bytes` field. Return the sum and the host fields from the `main` index for the last 5 minutes. Group the results by host. |
| sort | Sorts all of the results by the specified fields. | Sort the results first by the `surname` field in ascending order and then by the `firstname` field in descending order. |
| spl1 | Embeds all or part of an SPL search into an SPL2 search. The `spl1` command supports two syntaxes: backtick ( \` ) character syntax and explicit `spl1` command syntax. | Consider this SPL search: Embed this search into an SPL2 search using the backtick ( \` ) character syntax: |
| stats | Calculates aggregate statistics such as average, count, and sum, over the results set. | Take the incoming result set, calculate the `sum` of the `bytes` field, and group the sums by the values in the |
| streamstats | Adds a cumulative statistical value to each search result as each result is processed. | Use a `<by-clause>` to add a running count to search results. This search uses the `host` field to reset the count. For each search result, a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result. |
| thru | Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. | Append the entire incoming search result set to the `actions` dataset. Those same search results are also passed into the |
| timechart | Creates a time series chart with a corresponding table of statistics. | For each minute, calculate the average value of the `CPU` field for each |
| timewrap | Compares data over a specific time period, such as day-over-day or month-over-month, or multiple time periods, such as a two week period over another two week period. | Display a timechart that has a span of 1 day for each count in a week over week comparison table. Each table column, which is the series, is 1 week of time. |
| union | Merges the results from two or more datasets into one dataset. One dataset can be piped into the `union` command and merged with a second dataset. | Merge events from the customers, orders, and vendors datasets. You must separate the dataset names with a comma. |
| where | Filters search results based on the outcome of a Boolean expression. | Use the `like` comparison operator with the percent symbol ( % ) as a wildcard. This example returns all results where the `ipaddress` field contains values that start with "192.". |
- Other Quick References
- Quick Reference for SPL2 eval functions
- Quick Reference for SPL2 Stats and Charting Functions
- Related information
- Understanding SPL2 Syntax
This documentation applies to the following versions of Splunk® Cloud Services: current