About the search language
Search language components
The Splunk search processing language (SPL) encompasses all the search commands and their functions, arguments and clauses. Search commands tell Splunk what to do to the events you retrieved from the indexes. For example, you need to use a command to filter unwanted information, extract more information, evaluate new fields, calculate statistics, reorder your results, or create a chart.
Some search commands have functions and arguments associated with them. Use these functions and their arguments to specify how the commands act on your results and/or which fields they act upon. For example, use functions to format the data in a chart, describe what kind of statistics to calculate, and specify what fields to evaluate. Some commands also use clauses to specify how to group your search results.
Types of search commands
There are four broad categorizations for all the search commands: distributable streaming, stateful streaming, transforming, generating.
A streaming command operates on each event returned by a search. A distributable streaming command runs on the indexer and can be applied to subsets of indexed data in a parallel manner. For example, the regex command is streaming; it extracts fields and adds them to events at search time.
Distributable streaming commands include: bucket (if it's called with an explicit
span), convert, eval, extract (kv), fields, lookup (if not local=t), mvexpand, multikv, rename, regex, replace, rex, search, strcat, tags, typer, and where.
A centralized streaming command applies a transformation to each event returned by a search, but unlike distributable streaming commands, it only works on the search head. You might also hear the term "stateful streaming" to describe these commands.
A transforming command orders the results into a data table, that is it "transform" the specified cell values for each event into numerical values that Splunk can use for statistical purposes. Transforming commands are not streaming. Also, they are required to transform search result data into the data structures required for visualizations such as column, bar, line, area, and pie charts.
A generating command is one that fetches information without any transformations. Generating commands are either event-generating (distributable or centralized) or report-generating and, depending on which they are, will return an events list or a table of results. Generating commands are usually invoked at the beginning of the search and with a leading pipe. That is, there cannot be a search piped into a generating command. The exception to this is the search command, because it is implicit at the start of a search and does not need to be invoked.
There are a handful of commands that do not fit into these categories. These commands are non-reporting, not distributable, and not streaming: sort, eventstats, some modes of dedup, and some modes of cluster.
The search processing language syntax
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18