Splunk® Cloud Services

SPL2 Search Reference

spl1 command examples

The following are examples of using the SPL2 spl1 command. To learn more about the spl1 command, see How the SPL2 spl1 command works.


Searches that use the implied search command

In SPL, the search command is implied at the beginning of some searches, such as searches that start with a keyword or a field-value pair. In SPL2, the search command must be explicitly specified.

Unless your SPL search begins with a generating command like inputlookup, makeresults, mstats, or tstats, you must include the search command when you use the spl1 command.

Here's an example:

Version Example
SPL search
index=sample_data_index action=purchase 

This SPL search starts with the implied search command and consists of two field-value pairs.

SPL2 search
$example1 = | `search index=sample_data_index action=purchase`

In this SPL2 search, the search command is explicitly added to the SPL search and the search uses the backtick ( ` ) character syntax.

SPL2 search
$example2 = | spl1 "search index=sample_data_index action=purchase"

In this SPL2 search, the search command is explicitly added to the SPL search and the search uses the explicit spl1 command syntax.

Using the spl1 command with only the unsupported portion of the SPL search

For many SPL searches, you can convert most of the search to SPL2. For the portion of the SPL search that you can't convert, you can use the spl1 command.

The following example shows how to convert an SPL search into SPL2 and how to use the spl1 command for the addinfo command, which is not supported in SPL2.

Version Example
SPL search
index=sample_data_index | stats sum(bytes) BY host | addinfo
SPL2 search
$example1 = from sample_data_index | stats sum(bytes) BY host | `addinfo`  

In this SPL2 search, the portion of the search not supported by SPL2 uses the backtick ( ` ) character syntax.

SPL2 search
$example2 = from sample_data_index | stats sum(bytes) BY host | spl1 "addinfo"

In this SPL2 search, the portion of the search not supported by SPL2 uses the explicit spl1 command syntax.

When to include the index in your search

In the SPL2 search, there is no default index. You must specify the index either before or within the spl1 command portion of the search. Where you specify the index depends on the search you are using with the spl1 command:

  • If the SPL search starts with a non-generating command, such as search, you can specify the index either before or within the spl1 command portion of the search.
  • If the search starts with a generating command, such as tstats, you must add the index to the spl1 command portion of the search.

In the following example, the SPL search assumes that you want to search the default index, main. To use this search in SPL2, you can specify the index either before or within the spl1 command portion of the search.

Version Example
SPL search
status=200 action=purchase 
| stats count BY clientip 
SPL2 search
$before_spl1 = from sample_data_index | `search status=200 action=purchase 
| stats count BY clientip `
SPL2 search
$within_spl1 = | `search index=sample_data_index status=200 action=purchase 
| stats count BY clientip`

Some generating commands, such as tstats and mstats, include the ability to specify the index within the command syntax.

In the following example, the SPL search assumes that you want to search the default index, main. In the SPL2 search, there is no default index. You must specify the index in the spl1 command portion of the search.

Version Example
SPL search
| tstats prestats=t count  BY _time span=1d | timechart span=1d count
SPL2 search
$tstats1 = `| tstats prestats=t count where index=main BY _time span=1d | timechart span=1d count`

Searches that contain quotation marks

When your SPL search contains quotation marks, it is easier to use the spl1 command backtick ( ` ) character syntax. When you use the explicit spl1 command syntax, you must escape the quotation marks.

The following example shows the difference between the backtick ( ` ) character syntax and the explicit spl1 command syntax:

Version Example
SPL search
status=200 action=purchase | stats count AS "Total Purchased"
SPL2 search
$quotes1 = from sample_data_index
| `search status=200 action=purchase 
| stats count AS "Total Purchased" `

In this SPL2 search, the search uses the backtick ( ` ) character syntax.

SPL2 search
$quotes2 = from sample_data_index
| spl1 "search status=200 action=purchase 
| stats count AS \"Total Purchased\" " 

In this SPL2 search, you must escape the quotation marks because the explicit spl1 command syntax is used.
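
The rules from the sections above (explicit search command, no default index, escaped quotation marks) can be applied mechanically when migrating saved searches. The following Python helper is an added example, not Splunk code: the function names and the GENERATING and NEEDS_INDEX sets are assumptions for illustration, and it emits only the forms that the examples on this page show.

```python
import re

# Generating commands named on this page (not an exhaustive list); a search
# that starts with one of these does not get `search` prepended.
GENERATING = {"inputlookup", "makeresults", "mstats", "tstats"}
# Generating commands the page says take the index inside their own syntax.
NEEDS_INDEX = {"tstats", "mstats"}


def spl1_body(spl, dataset=None):
    """Return (text to pass to spl1, is_generating) for an SPL search."""
    body = spl.strip()
    words = body.lstrip("| \t").split(None, 1)
    first = words[0].lower() if words else ""
    generating = body.startswith("|") and first in GENERATING
    if body.startswith("|") and not generating:
        raise ValueError("leading pipe but command is not in GENERATING")
    if not generating and first != "search":
        body = "search " + body          # make the implied search explicit
    # SPL2 has no default index: it comes from `from <dataset>` or index=.
    has_index = re.search(r"\bindex\s*=", body) is not None
    if generating and first in NEEDS_INDEX and not has_index:
        raise ValueError("add index= inside the spl1 portion of the search")
    if not generating and not has_index and dataset is None:
        raise ValueError("no index: pass a dataset or add index= to the search")
    return body, generating


def to_spl2(name, spl, dataset=None, explicit=False):
    """Build an SPL2 statement in backtick or explicit spl1 syntax."""
    body, generating = spl1_body(spl, dataset)
    if generating:
        if explicit:
            raise ValueError("this page shows only the backtick form here")
        return f"${name} = `{body}`"
    prefix = f"from {dataset} " if dataset else ""
    if explicit:
        # Explicit syntax: escape the quotation marks, as the page requires.
        escaped = body.replace('"', '\\"')
        return f'${name} = {prefix}| spl1 "{escaped}"'
    return f"${name} = {prefix}| `{body}`"


if __name__ == "__main__":
    spl = 'status=200 action=purchase | stats count AS "Total Purchased"'
    print(to_spl2("quotes1", spl, dataset="sample_data_index"))
    print(to_spl2("quotes2", spl, dataset="sample_data_index", explicit=True))
```

A search with no index and no dataset raises ValueError instead of silently producing an SPL2 search that has nothing to search.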


See also

spl1 command
spl1 command overview
spl1 command syntax details
spl1 command usage
Last modified on 31 January, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

