Compatibility Quick Reference for SPL2 commands
An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.
The following table shows which SPL2 commands are supported for each product profile:
| SPL2 command | Description | splunkd profile¹ | Edge Processor profile | Ingest Processor profile |
|---|---|---|---|---|
| addinfo | Adds fields to each event. These fields contain global, common information about the search. | Yes | | |
| appendcols | Appends all of the fields of the subsearch results with the incoming main search results. The subsearch is run first. | Yes | | |
| append | Appends the results of a subsearch to the current results. This command runs only over historical data and does not produce correct results if used in a real-time search. | Yes | | |
| appendpipe | Appends the result of the subpipe to the search results. Unlike a subsearch, the subpipe is not run first. The subpipe is run when the search reaches the appendpipe command. | Yes | | |
| bin | Puts continuous numerical values into discrete sets, or bins. | Yes | | |
| branch | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command. | Yes | Yes | Yes |
| convert | Converts field values in your search results into numerical values. | Yes | | |
| decrypt | Used in Edge Processor or Ingest Processor pipelines to decrypt encrypted data fields before the data reaches its destination. | Yes | Yes | |
| dedup | Removes the events that contain an identical combination of values for the fields that you specify. | Yes | | |
| eval | Calculates an expression and puts the resulting value into a search results field. | Yes | Yes | Yes |
| eventstats | Generates summary statistics from fields in your events and saves those statistics into a new field. | Yes | | |
| expand | Produces a separate result row for each object in an array that is in a field. | Yes | Yes | Yes |
| fields | Keeps or removes fields from search results based on the list of fields that you specify. | Yes | Yes | Yes |
| fieldsummary | Calculates summary statistics for one or more fields in your events, displayed as a results table. | Yes | | |
| fillnull | Replaces null values with a specified string value. Null values are field values that are missing in some results but present in other results. | Yes | | |
| flatten | Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object. | Yes | Yes | Yes |
| from | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job. The from command has a flexible syntax, which enables you to start a search with either the | Yes | Yes | Yes |
| head | Returns the first search results, in search order, based on the <limit> specified. For historical searches, returns the most recent events. For real-time searches, searches the first captured events. | Yes | | |
| into | Appends to or replaces the contents of a dataset in the search data pipeline. The dataset must be a writeable dataset, also referred to as a dataset sink. | Yes | Yes | Yes |
| iplocation | Extracts location information from IP addresses by using 3rd-party databases. Supports IPv4 and IPv6 addresses and subnets that use CIDR notation. | Yes | | |
| join | Combines the results from two datasets by using one or more common fields. | Yes | | |
| loadjob | Loads the results of a previously completed search job, based on the search job ID (sid). The command must be specified at the beginning of a search. | Yes | | |
| lookup | Invokes field value lookups. | Yes | Yes | Yes |
| makemv | Converts a single value field into a multivalue field by splitting the values either on a string delimiter or by using a regular expression. You can't use this command on internal fields. | Yes | | |
| makeresults | Generates the specified number of search results in temporary memory. The results include the _time field. If you don't specify count, one result is generated. | Yes | | |
| mstats | Analyzes metric data by performing statistics on the measurement, metric_name, and dimension fields in metric indexes. | Yes | | |
| mvcombine | Takes a group of events that are identical except for the specified field, which contains a single value, and combines those events into a single event. | Yes | | |
| mvexpand | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. | Yes | Yes | Yes |
| nomv | Converts the values in a multivalue field into one single value. The values are separated using a newline ( "\n" ) delimiter. | Yes | | |
| ocsf | Converts the data in the _raw field of incoming events to the Open Cybersecurity Schema Framework (OCSF) format. | Yes | Yes | |
| rename | Renames one or more fields. | Yes | Yes | Yes |
| replace | Replaces field values in your search results with the values that you specify. This command does not replace values in fields generated by stats or eval functions. If you do not specify a field, the value is replaced in all non-generated fields. | Yes | | |
| reverse | Reverses the order of the search results. | Yes | | |
| rex | Extracts fields using regular expression named groups, or replaces or substitutes characters in a field using sed expressions. | Yes (PCRE) | Yes (PCRE) | Yes (PCRE) |
| route | Routes a desired subset of incoming data so that it gets sent to a different destination. | Yes | Yes | |
| search | Retrieves events from indexes or filters the results of a previous search command in the pipeline. | Yes | | |
| select | See the from command. The SELECT clause is part of the from command. You can start a search with the SELECT clause. | Yes | | |
| sort | Sorts all of the results by the specified fields. | Yes | | |
| spath | Extracts information from the XML and JSON structured data formats. | Yes | | |
| spl1 | Embeds all or part of an SPL search into an SPL2 search. The spl1 command supports 2 syntaxes: backtick ( ` ) character syntax and explicit spl1 command syntax. | Yes | | |
| stats | Calculates aggregate statistics such as average, count, and sum, over the results set. | Yes | | |
| streamstats | Adds a cumulative statistical value to each search result as each result is processed. | Yes | | |
| table | Returns a table that is formed from the fields that you specify. Columns are displayed in the same order that the fields are specified in. | Yes | | |
| tags | Adds fields to your search results with information about the tags found for those results. To use this command, the tags must already exist. | Yes | | |
| thru | Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. | Yes | | |
| timechart | Creates a time series chart with corresponding table of statistics. | Yes | | |
| timewrap | Compares data over a specific time period, such as day-over-day or month-over-month, or multiple time periods, such as a 2 week period over another 2 week period. | Yes | Yes | Yes |
| tstats | Searches on indexed fields in tsidx files using statistical functions. The indexed fields can be from indexed data or accelerated data models. | Yes | | |
| typer | Creates an eventtype field for search results that match known event types. The event types must already exist to use this command. | Yes | | |
| union | Merges the results from 2 or more datasets into 1 dataset. The first dataset can be piped into the union command and merged with a second dataset. | Yes | | |
| untable | Converts tabular information into individual rows of results. The untable command is useful for preparing your data for a chart. | Yes | | |
| where | Filters search results based on the outcome of a Boolean expression. | Yes | Yes | Yes |
¹ The splunkd profile is currently used by Splunk Enterprise SPL2-based app development and by the Search tab of the Edge Processor solution.
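As an added example (not from the original page), the pipeline below is written using only commands that the table marks Yes in all three profile columns (from, rex, eval, where, into), so the same statement compiles under the splunkd, Edge Processor, and Ingest Processor profiles. The `$source` and `$destination` parameters are the standard pipeline placeholders; the access-log layout, the regular expression, and the field names are assumptions for illustration.

```spl2
// Added example, not from the Splunk page. Every command used here is marked Yes
// for splunkd, Edge Processor, and Ingest Processor in the compatibility table.
// Assumed (constructed) _raw format: "<client_ip> <method> <uri> <status>",
// for example: 10.0.0.5 GET /login 401
$pipeline = | from $source
    // rex is PCRE in all three profiles; named groups become fields
    | rex field=_raw /^(?P<client_ip>\d{1,3}(\.\d{1,3}){3}) (?P<method>\w+) (?P<uri>\S+) (?P<status>\d{3})$/
    // rex extracts strings; convert before comparing numerically
    | eval status = tonumber(status)
    // keep only 4xx and 5xx responses, which are the security-relevant subset
    | where status >= 400
    // mark the event so the destination can tell which pipeline processed it
    | eval pipeline_stage = "http_errors"
    | into $destination;
```

The same check in reverse is how the table is used in practice: appending `| stats count() BY client_ip` would be fine in a splunkd search, but stats is marked Yes only in the splunkd column, so that statement would not be accepted as an Edge Processor or Ingest Processor pipeline. Aggregation belongs in the search that runs over the destination index, not in the pipeline.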
See also
Additional compatibility information
Edge Processor information
Ingest Processor information
SPL2 information