thru command syntax details
Syntax
The SPL2 thru command supports different syntaxes in different product contexts.
Syntax for searches
In searches, the thru command enables you to specify whether to append results to or replace results in the specified dataset.
The required syntax is in bold.
- thru
- [mode = (append | replace)]
- <dataset>
Syntax for pipelines
In pipelines, the thru command is used for data routing, and the routed copy of the data is always appended to the destination dataset.
The required syntax is in bold.
- thru
- [
- [<additional-SPL2-commands>]
- | into <$destination>
- ]
The outermost square brackets [ ] are required.
Required arguments
The required arguments are different in each product context.
Searches
- dataset
- Syntax: <dataset>
- Description: The name of the dataset to write the search results to.
Pipelines
- destination
- Syntax: into <$destination>
- Description: The name of a parameter, which must be preceded by the
intocommand. The parameter refers to the destination dataset specified in the pipeline settings, and determines which destination dataset the routed copy of data is written to.
Optional arguments
Searches
- mode
- Syntax: mode=(append | replace)
- Description: Specifies whether the search results are appended to the existing data in the dataset or replace the data in the dataset.
- Default: append
Pipelines
- additional SPL2 commands
- Syntax: <additional-SPL2-commands>
- Description: One or more SPL2 commands to process the data before it is routed to the <$destination>. See the Pipeline example on the thru command examples topic.
See also
- thru command
- thru command overview
- thru command usage
- thru command examples
Last modified on 09 January, 2025
| thru command overview | thru command usage |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!