Related Answers
Download topic as PDF
into command overview
Appends to or replaces the contents of a dataset in the search data pipeline. The dataset must be a writeable dataset, also referred to as a dataset sink.
Syntax
The required syntax is in bold.
- into
- [ mode=append | replace ]
- <dataset>
How the into command works
The into command does not return any results, so it must the last command in your search.
Let's start with this search:
FROM main WHERE earliest=-5m@m AND latest=@m GROUP BY host SELECT sum(bytes) AS sum, host HAVING sum > 1024*1024 | into bytesUsage
The following table describes what each command and clause is doing in the search:
| Command or clause | Description |
|---|---|
| FROM command | Searches the main dataset.
|
| WHERE clause | Specifies to search only the last 5 minutes, starting at the beginning of the minute and stop at the beginning of the current minute. |
| GROUP BY clause | Organizes the results by the host field.
|
| SELECT clause | Uses a calculation to sum the data in the bytes field and place the results in a field called sum. In addition, returns the host field.
|
| HAVING clause | Filters the aggregated results to return only the sum of the bytes that are greater than 1 MB. |
| into command | Appends the results to the bytesUsage dataset.
|
By default, the into command appends search results to a lookup or splv1sink dataset that you have write access to. The mode argument is only valid when the dataset is a lookup kind of dataset. See Dataset kinds in the SPL2 Search Manual.
See also
- Related commands
- branch command overview
- thru command overview
- Related information
- Dataset kinds in the SPL2 Search Manual
|
PREVIOUS head command examples |
NEXT into command syntax details |
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!