thru command: Overview, syntax, and usage
The SPL2 thru command writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset.
Use these links to quickly navigate to the main sections in this topic:
Syntax
The SPL2 thru command supports different syntaxes in different product contexts.
Syntax for searches
In searches, the thru command enables you to specify whether to append results to or replace results in the specified dataset.
The required syntax is in bold.
- thru
- [mode = (append | replace)]
- <dataset>
Syntax for pipelines
In pipelines, the thru command is used for data routing, and the routed copy of the data is always appended to the destination dataset.
The required syntax is in bold.
- thru
- [
- [<additional-SPL2-commands>]
- | into <$destination>
- ]
The outermost square brackets [ ] are required.
Required arguments
The required arguments are different in each product context.
For searches
- dataset
- Syntax: <dataset>
- Description: The name of the dataset to write the search results to.
For pipelines
- destination
- Syntax: into <$destination>
- Description: The name of a parameter, which must be preceded by the
intocommand. The parameter refers to the destination dataset specified in the pipeline settings, and determines which destination dataset the routed copy of data is written to.
Optional arguments
For searches
- mode
- Syntax: mode=(append | replace)
- Description: Specifies whether the search results are appended to the existing data in the dataset or replace the data in the dataset.
- Default: append
For pipelines
- additional SPL2 commands
- Syntax: <additional-SPL2-commands>
- Description: One or more SPL2 commands to process the data before it is routed to the <$destination>. See the Pipeline example in the thru command examples topic.
Usage
The thru command is new in SPL2. Like the into command, the thru command replaces the outputlookup command.
The dataset that you specify with the thru command must be a dataset that can be written to.
The default is mode=append, however not all built-in datasets support the mode options.
- The
maindataset does not support either theappendorreplacemodes. This means you cannot use thethrucommand to write data to themaindataset. - The
actionsdataset is a built-in splv1sink kind of dataset that is used to interact with the Actions service. Theactionsdataset does not support thereplacemode because actions that have already been invoked can't be uninvoked. For example, you can't unsend an email. However you can append data to theactionsdataset.
The following table lists the built-in datasets and the thru command modes that each dataset supports.
| Build-in datasets | Dataset kind | Supported modes |
|---|---|---|
| main | index | none |
| metrics | metric | none |
| actions | splv1sink | mode=append |
| geo.hex | lookup | none |
| geo.iplocation | lookup | none |
| catalog.* | catalog | none |
| catalog.metrics | catalog | none |
| ingest.events | splv1sink | mode=append |
| ingest.metrics | splv1sink | mode=append |
See also
- thru command
- thru command: Examples
- Pipelines
- Process a copy of data using an Edge Processor
- Process a copy of data using Ingest Processor
- Related information
- into command overview
| streamstats command: Examples | thru command: Examples |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!