Splunk® Cloud Services

SPL2 Search Reference

into command: Overview, syntax, and usage

The SPL2 into command appends to or replaces the contents of a dataset in the search or pipeline. The dataset must be a writeable dataset.

The into command is a terminating command, which is a command that does not return any search results and must be the last command in your search or pipeline.

Use these links to quickly navigate to the main sections in this topic:

How the SPL2 into command works

The into command works differently in different product contexts:

In searches

Let's start with this search:

FROM main WHERE earliest=-5m@m AND latest=@m GROUP BY host SELECT sum(bytes) AS sum, host HAVING sum > 1024*1024 | into bytesUsage

The following table describes what each command and clause is doing in the search:

Command or clause Description
FROM command Retrieves data from the main dataset.
WHERE clause Specifies to search only the last 5 minutes, starting at the beginning of the minute and stop at the beginning of the current minute.
GROUP BY clause Categorizes the results by the host field.
SELECT clause Uses a calculation to sum the data in the bytes field and place the results in a field called sum. In addition, returns the host field.
HAVING clause Filters the aggregated results to return only the sum of the bytes that are greater than 1 MB.
into command Appends the results to the bytesUsage dataset.

By default, the into command appends search results to a dataset that you have write access to. The mode argument is only valid when the dataset is a lookup kind of dataset. See Dataset kinds in the SPL2 Search Manual.

In pipelines

The into command sends data that was processed upstream in the Edge Processor or Ingest Processor pipeline to a destination dataset. For example, the data can be sent to an index or an Amazon S3 bucket.

Consider the following pipeline: 

$pipeline = | from $source | eval index="main" | into $destination

The following table describes what each command is doing in the pipeline:

Command or clause Description
from command Selects a subset of the data received by the Edge Processor or Ingest Processor. This subset is determined by the partition of the pipeline, which you configure in the pipeline builder.
eval command Sets the value of the index field to main for all of the events in the selected subset of data.
into command Sends the processed data to the destination dataset specified by the pipeline settings, which you configure in the pipeline builder.

Syntax

The SPL2 into command supports different syntaxes in different product contexts.

Syntax for searches

In searches, the into command enables you to specify whether the data is appended or replaced to the dataset.

The required syntax is in bold.

into
[mode = (append | replace)]
<dataset>

Syntax for pipelines

In pipelines, the into command is used to specify which destination dataset to append the data to.

The required syntax is in bold.

| into <$destination>

Required arguments

The required arguments are different in each product contexts.

For searches

dataset
Syntax: <dataset>
Description: This argument must be set to the name of a dataset that you have access to. This can be a dataset that you created or a dataset that you are authorized to use.

For pipelines

destination
Syntax: <$destination>
Description: This argument must be set to the $destination parameter. The $destination parameter refers to the destination dataset specified in the pipeline settings. See the Pipeline examples in the into command examples topic.

Optional arguments

mode
Syntax: mode=( append | replace )
Description: Specifies whether to append results to or replace results in the specified dataset. The mode only applies to lookups in searches.
Default: append


Usage

The into command is a new command in SPL2. The into command is a terminating command, which is a command that does not return any search results and must be the last command in your search or pipeline. If you want search results to be returned, use the thru command instead. See thru command overview.

You can use the into command to pipe data into different kinds of datasets. For example, when you use this command in a search, you can pipe data into a lookup table dataset or an index dataset. As another example, when you use this command in an Edge Processor or Ingest Processor pipeline, you can pipe data into a destination dataset.

See also

into command
into command: Examples
Related commands
branch command: Overview, syntax, and usage
thru command: Overview, syntax, and usage
Pipelines
Edge Processor pipeline syntax in the Use Edge Processors manual
Ingest Processor pipeline syntax in the Use Ingest Processors manual
Related information
Dataset kinds in the SPL2 Search Manual
Last modified on 10 April, 2025
head command: Examples   into command: Examples

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters