Splunk® Cloud Services

SPL2 Search Reference

spl1 command usage

You use the spl1 command to include SPL searches, or parts of searches, in your SPL2 searches. The spl1 command enables you to use SPL commands that are not directly supported with SPL2.

SPL commands supported with the spl1 command

In SPL2 searches, you can use the following SPL commands with the spl1 command:

  • actions
  • addinfo
  • append
  • appendcol
  • apply
  • bin
  • cluster
  • convert
  • dedup
  • eval
  • eventsingest
  • eventstats
  • fields
  • fieldsummary
  • fillnull
  • fit
  • foreach
  • head
  • inputlookup
  • iplocation
  • join
  • lookup
  • makeresults
  • mcatalog
  • metadata
  • metricsingest
  • mstats
  • mvcombine
  • mvexpand
  • multireport
  • noop
  • outputlookup
  • regex
  • rename
  • reverse
  • rex
  • savedsearch
  • search
  • selfjoin
  • sistats
  • sort
  • spath
  • stats
  • streamstats
  • table
  • tags
  • tail
  • timechart
  • timeliner
  • timewrap
  • transaction
  • tstats
  • tojson
  • top
  • typer
  • untable
  • union
  • where
  • xyseries
  • Searches that use the implied search command

    For some SPL searches, you must add the search command when you use the spl1 command.

    In the SPL, the search command is implied at the beginning of some searches, such as searches that start with a keyword or a field-value pair. Unless your SPL search begins with a generating command like inputlookup, makeresults, mstats, or tstats, you must include the search command when you use the spl1 command. See spl1 command examples.

    When to include the index in your search

    In an SPL2 search, there is no default index. You must specify the index that you want to search either before or within the spl1 command portion of the search. See spl1 command examples.

    Searches that contain quotation marks

    When your SPL search contains quotation marks, it is easier to use the spl1 command backtick ( ` ) character syntax. When you use the explicit spl1 command syntax, you must escape the quotation marks. See spl1 command examples.

    Searches with macros or subsearches

    You can't use the spl1 command with SPL searches that contain macros or subsearches.

    See also

    spl1 command
    spl1 command overview
    spl1 command syntax details
    spl1 command examples
    Last modified on 28 April, 2022
    spl1 command syntax details   spl1 command examples

    This documentation applies to the following versions of Splunk® Cloud Services: current

    Was this topic useful?

    You must be logged into splunk.com in order to post comments. Log in now.

    Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

    0 out of 1000 Characters