Splunk® Cloud Services

SPL2 Search Reference

thru command usage

The thru command is new in SPL2. Like the into command, the thru command replaces the outputlookup command.


The dataset that you specify with the thru command must be a dataset that can be written to.

The default is mode=append, however not all built-in datasets support the mode options.

  • The main dataset does not support either the append or replace modes. This means you cannot use the thru command to write data to the main dataset.
  • The actions dataset is a built-in splv1sink kind of dataset that is used to interact with the Actions service. The actions dataset does not support the replace mode because actions that have already been invoked can't be uninvoked. For example, you can't unsend an email. However you can append data to the actions dataset.

The following table lists the built-in datasets and the thru command modes that each dataset supports.

Build-in datasets Dataset kind Supported modes
main index none
metrics metric none
actions splv1sink mode=append
geo.hex lookup none
geo.iplocation lookup none
catalog.* catalog none
catalog.metrics catalog none
ingest.events splv1sink mode=append
ingest.metrics splv1sink mode=append

See also

thru command
thru command overview
thru command syntax details
thru command examples
Last modified on 20 October, 2020
thru command syntax details   thru command examples

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters