SPL2 Command Quick Reference
The following commands are supported in SPL2. Use the links in the table to see the command syntax, examples, and usage information.
| Command | Description | Example |
|---|---|---|
| bin | Puts continuous numerical values into discrete sets, or bins. | Return the average for a field for a specific time span. Bin the search results using a 5 minute time span on the |
| branch | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the | Read the events in the |
| dedup | Removes the events that contain an identical combination of values for the fields that you specify. | Remove duplicates of results with the same |
| eval | Calculates an expression and puts the resulting value into a search results field. | Create a new field that contains the result of a calculation. Create a new field called |
| eventstats | Generates summary statistics from fields in your events and saves those statistics into a new field. | Calculate an average for each distinct value of the |
| expand | Produces a separate result row for each object in an array that is in a field. | Expand the array in the bridges field. Here is the event before the field is expanded: Here are the results after the |
| fields | Keeps or removes fields from search results based on the list of fields that you specify. | Specify a list of fields to include in the search results. Return only the |
| fieldsummary | Calculates summary statistics for one or more fields in your events, displayed as a results table. | Return the summary statistics for all incoming fields. |
| flatten | Converts the key-value pairs in an object into separate fields in an event. Flattens only the first level of an object. | Flatten the values in the bridges object into separate fields. The results look like this: |
| from | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job. | Return data from the |
| head | Returns the first N results in search order. | Stop searching when a null value is encountered. This example returns results while |
| into | Sends results to a writable dataset, a dataset sink. Appends to or replaces the dataset sink in the search data pipeline. | Append the search results to the |
| join | Combines the results from two datasets by using one or more common fields. | Join datasets on fields that have the same name. Combine the results from a search with the |
| lookup | Invokes field value lookups. | Put corresponding information from a lookup dataset into your events. Append the data returned from your search results with the data in the |
| mvexpand | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. | Expand the values in the |
| rename | Renames one or more fields. | Rename a field with special characters. Rename the |
| reverse | Reverses the order of the search results. | |
| rex | Either extracts fields using regular expression named groups, or replaces or substitutes characters in a field using sed expressions. | Extract values from a field using a <regex-expression>. Extract If the contents of the field are |
| search | Retrieves events from indexes or filters the results of a previous search command in the pipeline. | Search for a field-value pair for a specific source IP, |
| select | See the from command. The SELECT clause is part of the | Calculate the sum of the bytes field. Return the sum and the host fields from the |
| sort | Sorts all of the results by the specified fields. | Sort the results first by the |
| spl1 | Embeds all or part of an SPL search into an SPL2 search. The | Consider this SPL search: Embed this search into an SPL2 search using the backtick ( \` ) character syntax: |
| stats | Calculates aggregate statistics such as average, count, and sum over the result set. | Take the incoming result set and calculate the |
| streamstats | Adds a cumulative statistical value to each search result as each result is processed. | Use a <by-clause> to add a running count to search results. This search uses the |
| thru | Writes data to a writable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. | Append the entire incoming search result set to the |
| timechart | Creates a time series chart with a corresponding table of statistics. | For each minute, calculate the average value of the |
| timewrap | Compares data over a specific time period, such as day-over-day or month-over-month, or over multiple time periods, such as one two-week period against another two-week period. | Display a timechart that has a span of 1 day for each count in a week-over-week comparison table. Each table column, which is the series, is 1 week of time. |
| union | Merges the results from two or more datasets into one dataset. One dataset can be piped into the | Merge events from the customers, orders, and vendors datasets. You must separate the dataset names with a comma. |
| where | Filters search results based on the outcome of a Boolean expression. | Use the |
Other Quick References
- SPL2 eval functions Quick Reference
- SPL2 stats and chart functions Quick Reference

Related information
- Understanding SPL2 Syntax
This documentation applies to the following versions of Splunk® Cloud Services: current