Splunk® Cloud Services

SPL2 Search Reference

spl1 command overview

The spl1 command embeds all or part of an SPL search into an SPL2 search. There are some limitations using this command. See spl1 command usage.

Syntax

The spl1 command supports two syntaxes.

Backtick character syntax
Enclose the SPL search in backtick ( ` ) characters. The syntax is:

`<SPL-search>`
Explicit spl1 command syntax
Use the spl1 command explicitly and enclose the SPL search in double quotation marks, The syntax is:

spl1 "<SPL-search>"

How the SPL2 spl1 command works

Use the SPL2 spl1 command when a command is not supported in SPL2.

For example, while the makeresults command is not supported in SPL2 you can use the spl1 command to run a search with the makeresults command:

Version Example
SPL search
makeresults count=3
SPL2 search
$makeresults1 = `makeresults count=3`

This search uses the spl1 command backtick ( ` ) character syntax.

SPL2 search
$makeresults2 = | spl1 "makeresults count=3"

This search uses the explicit spl1 command syntax.

In SPL, the default index is main and when you run a search, the search is run against the main index. However, there is no default index in SPL2. To run a search against a specific index, you must specify that index.

Here's an example:

Version Example
SPL search
error OR http_code=404

This search looks for the term error and the field-value pair http_code=404 in the default index, main.

SPL2 search
$error1 = from main | `search error OR http_code=404`

There is no default dataset with SPL2. The easiest way to identify the dataset is with the SPL2 from command. This search uses the spl1 command backtick ( ` ) character syntax.

SPL2 search
$error2 = from main | spl1 "search error OR http_code=404"

This is the same search using the explicit spl1 command syntax.|-

SPL2 search
$error3 = `search index=main error OR http_code=404` 

Alternatively, you can add the index to the search command.

See also

spl1 command
spl1 command syntax details
spl1 command usage
spl1 command examples
Related information
Differences between SPL and SPL2
Last modified on 31 January, 2024
sort command examples   spl1 command syntax details

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters