Splunk® Cloud Services

SPL2 Search Manual

Importing module items and datasets using SPL2

You can import items such as views, custom functions, and custom data types into your modules if those items have been exported from their source module. See Exporting module items using SPL2.

You can also import datasets, such as indexes and lookups, into a module from their source.

When you add an import statement to a module, you are not physically importing an item into the module. Instead, you are adding a pointer to an item that resides in another module or namespace. When you use the item in a statement, the item is retrieved from the source.

Import requirements

To import an item, you must have three things:

  • Access to the source module where the item was exported from, or access to the dataset.
  • The name of the item.
  • The name of the source module or dataset.

Import statement syntax

The import statement syntax is:

syntax 

import <item_name> from <source_name>

Specifying the path

Depending on the source location of the item you want to import, you might need to specify a path in your import statement. You can specify either the fully qualified path to the item or use the relative path, based on your current, destination module.

See Specifying import paths.

Import a single item

As shown in the following image, the search $purchases is exported from the module Quarterly Purchases. The search is exported as a view, with the name purchases.

This image shows a namespace that includes two modules. The "Quarterly Purchases" module has a search statement called $purchases. The "$purchases" search statement has been exported as a view called "purchases". The "purchases" view is imported into the "annual purchases" module.

To import this view into your current module, annual_purchases, you use this import statement:

example 

import purchases from 'Quarterly Purchases'

Since the source module and the destination module are in the same namespace, there is no need to specify a path to the source module. You only need to specify the name of the source module. Because the module name contains a space, you must enclose the name in single quotation marks.

Import multiple items

You can import multiple items with one import statement, as long as all of those items come from the same source module or namespace.

When you specify multiple items, you must enclose the list of items in curly brackets { }.

The import statement syntax is:

syntax 

import {<item_name>, <item_name>, ...} from <source_name>

The following image shows a namespace that includes two modules, Quarterly Purchases and annual_purchases.The Quarterly Purchases module contains three search statements: $purchases, $qtr1_purchases, and $qtr1_errors. The module also contains a function statement called isError.

The $purchases and $qtr1_errors search statements have been exported as views. The isError function statement has also been exported. The purchases view, the qtr1_errors view, and the isError function are imported into the annual_purchases module.

This image shows a namespace that includes two modules. In the first module, two of the three search statements and a function have been exported. The exported items have been imported into the other module, as described by the text before the image.

For example, to import two searches and a function that were exported from the Quarterly Purchases module, use this import statement:

example 

import {purchases, qtr1_errors, isError} from 'Quarterly Purchases'

Alternatively, you can issue separate import statements for each item. When you place the import statements on different lines, you do not need to enclose the import statements in curly brackets { }. For example:

example 

import purchases from 'Quarterly Purchases'
import qtr1_errors from 'Quarterly Purchases'
import isError from 'Quarterly Purchases'

Importing items from different modules

To import items from different modules, use separate import statements. For example:

example 

import $metrics from biz_set_1   // A view
import count_sigfig_threats from biz_set_2  // A custom function

Import all items

You can use a single statement to import all of the items that have been exported from a specific module. The basic syntax is:

syntax 

import * from <source-module>

Consider the following portion of the biz_set_1 module from which four statements are exported. These statements are designed to be shared with various teams:

biz_set_1 module 

export $top10threats  // A search exported as a view
export $metrics  // A search exported as a view
export isError  // A custom function
export roundif  // A custom function

You can import all of these items into the a-team module by using a bulk single import statement.

A bulk import statement uses a wildcard character ( * ) to import all of the items exported from the module you specify. For example:

a-team module 

import * from biz_set_1

You can use these imported items in the a-team module. For example, you can use the top10threats view dataset and the roundif custom function as shown in the following search, $search1:

a-team module 

import * from biz_set_1
$search1 = FROM top10threats SELECT score, roundif(score, 3) as newscore

Importing all items from multiple modules

You can import all of the items from different modules using separate bulk import statements. Using import * imports only the exported items from those modules. For example:

a-team' module 

import * from biz_set_1
import * from biz_set_2

Naming conflicts might occur if items from different modules have the same name. See Naming conflicts when importing items.

Import indexes and other datasets

The kinds of datasets that you can import are:

  • Indexes
  • Lookups
  • Saved searches
  • Views

The datasets inside a namespace are automatically available to every module in that namespace. Those datasets do not need to be imported into modules in that namespace.

For datasets that reside in another namespace, such as the built-in namespaces used for indexes and apps, you must:

  • Have access to those datasets before you can import the datasets into a module.
  • Specify the path to the dataset.

For example, to import a specific index, such as the main index, use the following syntax:

syntax 

import <index_name> from ../../../../indexes

For more information about namespaces, see Understanding SPL2 namespaces.

Import examples

When you use an import statement, it's important that you specify the correct path to the item you want to import. See Specifying import paths.

The following table shows examples of common import statements:

Type of import Example
Import a specific index import main from ../../../../indexes
Import all indexes import * from ../../../../indexes
Import all lookups into the target application import * from /apps.<app_name>.lookups
Import a specific lookup into the target application import my_lookup from /apps.<app_name>.lookups
Import a specific lookup that contains a special character, such as a dot ( . ) character. import 'my.lookup' from /apps.<app_name>.lookups
Import all lookups into the target application using an alias called "address". import * as address from /apps.<app_name>.lookups



To invoke this lookup use:
... | lookup address.my_lookup CustID as cid OUTPUT CustAddress as cAddress


See also

Related information
Specifying import paths
Naming conflicts when importing items
Scope and precedence importing items
Exporting module items using SPL2
Understanding SPL2 namespaces
Related reference
Custom eval functions in the SPL2 Search Reference
Custom command functions in the SPL2 Search Reference
Custom data types in the SPL2 Search Reference
Last modified on 11 February, 2025
Exporting module items using SPL2   Naming conflicts when importing items

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters