spl1 command overview
The spl1 command embeds all or part of an SPL search into an SPL2 search. There are some limitations to using this command. See spl1 command usage.
The spl1 command supports two syntaxes.
- Backtick character syntax
- Enclose the SPL search in backtick ( ` ) characters. The syntax is:
- Use the spl1 command explicitly and enclose the SPL search in double quotation marks. The syntax is:
- spl1 "<SPL-search>"
How the SPL2 spl1 command works
Use the SPL2 spl1 command when a command is not supported in SPL2.
For example, while the makeresults command is not supported in SPL2, you can use the spl1 command to run a search with the
$makeresults1 = `makeresults count=3`
This search uses the
$makeresults2 = | spl1 "makeresults count=3"
This search uses the explicit
In SPL, the default index is main, and when you run a search, the search is run against the
However, there is no default index in SPL2. To run a search against a specific index, you must specify that index.
Here's an example:
error OR http_code=404
This search looks for the term
$error1 = from main | `search error OR http_code=404`
There is no default dataset with SPL2. The easiest way to identify the dataset is with the SPL2
$error2 = from main | spl1 "search error OR http_code=404"
This is the same search using the explicit
$error3 = `search index=main error OR http_code=404`
Alternatively, you can add the index to the
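When saved SPL searches are moved to SPL2, the missing default index is easy to overlook, because a search that relied on main implicitly now has to name it. The following Python helper is an added example, not Splunk code: it wraps a legacy SPL search in either of the two spl1 syntaxes and adds `from main` only when the search named no index. The function name `to_spl2`, the sample searches, and the choice to reject a search containing the chosen delimiter are assumptions, since this page gives no escaping rules.

```python
import re

DEFAULT_SPL_INDEX = "main"  # SPL's implicit default index, as stated above


def to_spl2(name, spl, explicit=False):
    """Return an SPL2 statement embedding a legacy SPL search (hypothetical helper)."""
    if not re.fullmatch(r"[A-Za-z_]\w*", name):
        raise ValueError(f"unsuitable search name: {name!r}")
    spl = spl.strip()
    generating = spl.startswith("|")  # legacy form "| makeresults ..."
    body = spl.lstrip("|").strip()
    if not body:
        raise ValueError("empty search")
    if not generating and not re.match(r"search\s", body, re.IGNORECASE):
        body = "search " + body  # make SPL's implicit search command explicit
    # The page gives no escaping rules for either syntax, so a search containing
    # the chosen delimiter is rejected for manual conversion rather than guessed at.
    delimiter = '"' if explicit else "`"
    if delimiter in body:
        raise ValueError(f"search contains {delimiter!r}; convert by hand")
    embedded = f'spl1 "{body}"' if explicit else f"`{body}`"
    # Only the first pipeline stage selects events. Assumption: no quoted "|" in it.
    first_stage = body.split("|", 1)[0]
    has_index = re.search(r"\bindex\s*=", first_stage, re.IGNORECASE) is not None
    if not generating and not has_index:
        # SPL would silently have used main; SPL2 needs the dataset named.
        return f"${name} = from {DEFAULT_SPL_INDEX} | {embedded}"
    return f"${name} = | {embedded}" if explicit else f"${name} = {embedded}"


# Constructed sample searches, not taken from any real deployment.
SAMPLES = {
    "error1": "error OR http_code=404",
    "error3": "index=main error OR http_code=404",
    "makeresults1": "| makeresults count=3",
}

if __name__ == "__main__":
    for sample_name, sample_spl in SAMPLES.items():
        print(to_spl2(sample_name, sample_spl))
        print(to_spl2(sample_name, sample_spl, explicit=True))
```

Searches that the helper rejects, such as ones that call an SPL macro with backticks, need to be converted by hand against the spl1 command usage documentation.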
Related information
- Differences between SPL and SPL2
- sort command examples
- spl1 command syntax details
This documentation applies to the following versions of Splunk® Cloud Services: current