Splunk Cloud Platform

Federated Search

sdselect command overview

Use the sdselect command to run federated searches against Amazon S3 datasets that are referenced by AWS Glue Data Catalog tables.

Syntax

The required syntax is in bold.

| sdselect
[reuse_search_results=<bool>]
( <field-list> | <stats-func> | <eval-func>)...
<from-clause>
[WHERE <eval-expression>]
[GROUPBY ((<field-list> | <eval-func>)... [span=[<unsigned_int>]<timescale>])]
[ORDERBY (<field-list> | <eval-func>)...]
[LIMIT <unsigned_int>]


See also

sdselect command
sdselect command syntax details
sdselect command usage
sdselect command WHERE clause operations
Use time fields in sdselect searches
sdselect command examples for Amazon S3
Last modified on 11 September, 2024
Federated Analytics and Splunk Enterprise Security   sdselect command syntax details

This documentation applies to the following versions of Splunk Cloud Platform: 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters