Splunk® Cloud Services

SPL2 Search Manual

Exporting module items using SPL2

You can share searches, custom functions, and custom data types with other users by exporting those items from an SPL2 module. To export an item you use an export statement.

When you export an item that was created in an SPL2 module, such as a search or function, you are taking a private item and making the item public. To use the exported item in another module, you must import the item into that module.

In addition to exporting items that are created inside an SPL2 module, you can also export items that have been imported into an module, such as a dataset.

Exporting search statements

When you export a search statement, the search is exported as a view.

A view is a reusable, named piece of SPL2. A view is a type of dataset that is like a saved search. When you export a search, you are not saving the search results as a dataset. You are saving the search that generates the dataset as a view. To learn more about views, see SPL2 Views.

Export statement syntax

The export statement syntax depends on whether you are exporting one or multiple items, and how you want to format the export statement

The export statement syntax is:

export <item_name> | { <item_name>, <item_name>, ...}

When specifying multiple items, you must enclose them in curly brackets { } and separate each item with a comma ( , ).

Export a search

In the module where the search resides, export the search by issuing an export statement.

Consider the following search:

$purchases = from main where status=200 AND action="purchase" 

The following export statement shows how to export this search as a view:

export $purchases

This export statement is shorthand for specifying an alias:

export $purchases AS purchase

The dollar sign ( $ ) in front of the search name is not included in the view name.

In the following image, the purchases namespace contains two modules, Quarterly Purchases and annual_purchases. The Quarterly Purchases module contains a search statement called $purchases, and a function statement called isError. The $purchase search statement has been exported as a view called purchases. The isError function statement has also been exported.

This image shows a namespace that includes two modules. A search statement has been exported as a view called "purchases", as described by the text before the image.

Export multiple searches

To export multiple searches, enclose the list of searches in curly brackets { }.

For example:

export {$qtr1, $qtr2, $qtr3, $qtr4}

Alternatively, you can issue multiple export statements, for example:

export $qtr1
export $qtr2
export $qtr3
export $qtr4

Export and rename a search

To rename a search when you export it, use an AS clause.

When you export a search, you do not include the dollar symbol ( $ ) in the alias name.

For example:

export $transactions AS QTR1_transactions

The search is exported as a view dataset. You can specify the AS keyword in uppercase or lowercase in your statement. For readability, uppercase is used in this example.

Exporting functions

You can share custom functions with other users by exporting those functions.

Export a function

In the module where the function resides, you export the function by issuing an export statement.

For example, suppose you have the following function:

function isError($code : number) : boolean {
  return $code >= 400 
}

To export the isError function, you use this export statement:

export isError

Export and rename a function

To rename a custom function when you export it, use the AS clause.

The following example shows how to export the isError function using the name HTTP_Errors:

export isError AS HTTP_Errors

You can specify the AS keyword in uppercase or lowercase in your statement. For readability, uppercase is used in this example.

Exporting data types

You can export custom data types to share those data types with other users and groups.

Export a data type

In the module where the data type resides, export the data type by issuing an export statement.

For example, suppose you have the following data type:

type person = {
   firstname:string, 
   surname:string
}

To export the person data type, the export statement is:

export person


Export and rename a data type

To rename a custom data type when you export it, use the AS clause.

The following example shows how to export the person data type using the name fullname:

export person AS fullname

You can specify the AS keyword in uppercase or lowercase in your statement. For readability, uppercase is used in this example.

Export statement shortcuts

You can combine a function statement inline with an export statement.

When you combine these statements, the function statements are valid in the current module. The items that are exported become public items, which can be imported and used in other modules.

Shortcut for combining functions and export statements

Consider the following function that looks for HTTP error codes that are greater than or equal to 400:

function isError($code : number) : boolean {
  return $code >= 400 
}

To export this function, you can use the following the statement:

export isError

The following shortcut combines these statements:

export function isError($code : number) : boolean {
  return $code >= 400 
}

You can use the isError function in the current module, as well as export the function to share the function with other users and groups.

See also

Related information
Importing items using SPL2
Related reference
Custom eval functions
Custom command functions
Custom data types
Last modified on 20 March, 2024
Extend and branch SPL2 search statements   Importing module items and datasets using SPL2

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters