Splunk® Cloud Services

SPL2 Search Reference

SPL2 Command Quick Reference

The following commands are supported in SPL2. Use the links in the table to see the command syntax, examples, and usage information.

Command Description Example
bin Puts continuous numerical values into discrete sets, or bins. Example: Return the average for a field for a specific time span. Bin the search results using a 5 minute time span on the _time field. Return the average thruput of each host for each 5 minute time span.

...| bin span=5m _time | stats avg(thruput) by _time, host

branch Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command. Example: Read the events in the main index dataset into memory one time. Process the events in two branches using subsearches to determine the most popular hosts and sources.

| from main | branch [stats count() BY host | where count > 50 select host | into p_hosts], [stats count() BY source | where count > 100 select source | into p_sources]

dedup Removes the events that contain an identical combination of values for the fields that you specify. Example: Remove duplicates of results with the same host value.

... | dedup host

eval Calculates an expression and puts the resulting value into a search results field. Example: Create a new field that contains the result of a calculation. Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.

... | eval velocity=distance/time


Example: Use the if function to analyze field values. Create a new field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.

... | eval error = if(status == 200, "OK", "Problem")

eventstats Generates summary statistics from fields in your events and saves those statistics into a new field. Example: Calculate an average for each distinct value of the date_minute field. The new field avgdur is added to each event with the average value based on its particular value of date_minute.

... | eventstats avg(duration) AS avgdur BY date_minute

expand Produce a separate result row for each object in an array that is in a field. Example: Expand the array in the bridges field. Here is the event before the field is expanded:
_time bridges
5 May 2021 2:29:02 PM [{"name":"Tower Bridge","length":801},{"name":"Millennium Bridge","length":1066}]

... | expand bridges

Here are the results after the expand command is run:

_time bridges
5 May 2021 2:29:02 PM {"name":"Tower Bridge","length":801}
5 May 2021 2:29:02 PM {"name":"Millennium Bridge","length":1066}
fields Keeps or removes fields from search results based on the list of fields that you specify. Example: Specify a list of fields to include in the search results. Return only the host and src fields from the search results.

... | fields host, src

fieldsummary Calculates summary statistics for one or more fields in your events, displayed as a results table. Example: Return the summary statistics for all incoming fields.

...| fieldsummary


Example: Return the summary statistics for a specific field.

...| fieldsummary fields=[action]

flatten Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object. Example: Flattens the values in the bridges object into separate fields.

| FROM [{}] SELECT _time, {name: "Tower Bridge", length: 801} as bridges | flatten bridges

The results look like this:

_time bridges length name
21 Sep 2022 2:34:17 PM [{"name":"Tower Bridge", "length":801}] 801 Tower Bridge
from Retrieves data from a dataset, such as an index, metric index, lookup, view, or job.

The from command has a flexible syntax, which enables you to start a search with either the FROM clause or the SELECT clause.

Example: Return data from the main index for the last 5 minutes. Group the results by host. Calculate the sum of the bytes field. Return the sum and the host fields where the sum of the bytes is greater than I MB.

| FROM main WHERE earliest=-5m@m AND latest=@m GROUP BY host SELECT sum(bytes) AS sum, host HAVING sum > 1024*1024

head Returns the first N number of specified results in search order. Example: Stop searching when a null value is encountered. This example returns results while action=purchase or the action field does not exist in the results (null=true). A maximum of 50 results are returned.

...| head while (action="purchase") null=true 50

into Sends results to a dataset that is writable, a dataset sink. Appends or replaces the dataset sink in the search data pipeline. Example: Append the search results to the mytable dataset, which is a lookup kind of dataset.

... | into mode=append mytable

join Combines the results from two datasets by using one or more common fields. Example: Join datasets on fields that have the same name. Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.

... | join left=L right=R where L.product_id=R.product_id vendors

lookup Invokes field value lookups. Example: Put corresponding information from a lookup dataset into your events.

Append the data returned from your search results with the data in the users lookup dataset using the uid field. For search results that contains a uid field, the value in that field is matched with the uid field in the users lookup dataset. The username and department fields from the users lookup dataset are appended to each search result. If the search results already have the username and department fields, the OUTPUTNEW argument only fills in missing values in those fields.

... | lookup users uid OUTPUTNEW username, department

mvexpand Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. Example: Expand the values in the myfield field.

... | mvexpand myfield

rename Renames one or more fields. Example: Rename a field with special characters. Rename the ip-add field to IPAddress. Field names that contain anything other than a-z, A-Z, 0-9, or "_", need single-quotation marks.

... | rename 'ip-add' AS IPAddress

reverse Reverses the order of the search results. Example:

... | reverse

rex Use to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions. Example: Extract values from a field using a <regex-expression>. Extract user, app, and SavedSearchName from a field called savedsearch_id in scheduler.log events.

... | rex field=savedsearch_id "(?<user>\\w+);(?<app>\\w+);(?<SavedSearchName>\\w+)"

If the contents of the field is savedsearch_id=bob;search;my_saved_search then this rex command syntax extracts user=bob, app=search, and SavedSearchName=my_saved_search.

search Retrieve events from indexes or filter the results of a previous search command in the pipeline. Example: Search for a field-value pair for a specific source IP, src.

search src="192.0.2.0"


Example: Search for multiple field-value pairs with boolean and comparison operators. This example searches for events with code values of either 10, 29, or 43 and any host that is not "localhost", and an xqp value that is greater than 5.

search (code=10 OR code=29 OR code=43) host!="localhost" xqp>5

select See the from command. The SELECT clause is part of the from command. Example: Calculate the sum of the bytes field. Return the sum and the host fields from the main index for the last 5 minutes. Group the results by host.

| SELECT sum(bytes) AS sum, host FROM main WHERE earliest=-5m@m GROUP BY host

sort Sorts all of the results by the specified fields. Example: Sort the results first by the surname field in ascending order and then by the firstname field in descending order.

... | sort surname, -firstname

spl1 Embed all or part of an SPL search into an SPL2 search. The spl1 command supports two syntaxes: backtick ( ` ) character syntax and explicit spl1 command syntax. Example: Consider this SPL search:

error OR http_code=404

Embed this search into an SPL2 search using the backtick ( ` ) character syntax:

`search index=main error OR http_code=404`


Example: In this SPL2 search only the portion of the search not supported by SPL2, the addinfo command, uses the backtick ( ` ) character syntax:

from sample_data_index | stats sum(bytes) BY host | `addinfo`

stats Calculates aggregate statistics such as average, count, and sum, over the results set. Example: Take the incoming result set and calculate the sum of the bytes field and groups the sums by the values in the host field.

... | stats sum(bytes) BY host

streamstats Adds a cumulative statistical value to each search result as each result is processed. Example: Use a <by-clause> to add a running count to search results. This search uses the host field to reset the count. For each search result, a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result.

... | streamstats count() BY host

thru Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. Example: Append all the incoming search result set to the actions dataset. Those same search results are also passed into the eval command.

... | thru actions | eval field=<expr>

timechart Creates a time series chart with corresponding table of statistics. Example: For each minute, calculate the average value of the CPU field for each host.

... | timechart span=1m avg(CPU) BY host

timewrap Compare data over a specific time period, such as day-over-day or month-over-month, or multiple time periods, such as a two week period over another two week period. Example: Display a timechart that has a span of 1 day for each count in a week over week comparison table. Each table column, which is the series, is 1 week of time.

... | timechart count span=1d | timewrap 1week

union Merges the results from two or more datasets into one dataset. One dataset can be piped into the union command and merged with a second dataset. Example: Merge events from the customers, orders, and vendors datasets. You must separate the dataset names with a comma.

| union customers, orders, vendors


Example: Append the current results of the main search with the tabular results of errors from the subsearch.

... | stats count() BY category1 | union [search error | stats count() BY category2]

where Filters search results based on the outcome of a Boolean expression. Example: Use the like comparison operator with the percent symbol ( % ) as a wildcard. This example returns all results where the ipaddress field contains values that start with "192.".

... | where ipaddress like "192.%"


Example: Compare one field to another field.

... | where ipaddress=clientip


Example: Filter using a field-value pair.

... | where host="www1"

See also

Other Quick References
Quick Reference for SPL2 eval functions
Quick Reference for SPL2 Stats and Charting Functions
Related information
Understanding SPL2 Syntax
Last modified on 17 May, 2023
Custom data types   bin command overview

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters