Start searching data using SPL2

Start your search with a generating command such as "search" or "from", followed by the name of a dataset such as an index.

Every search starts with a generating command and a dataset.

Generating command: An SPL2 command that returns information from a dataset. For example, the search command is a generating command, and you can use it to return all the events stored in an index named main.
Dataset: A collection of data. An index is a kind of dataset.

To put together a preliminary search that returns events from an index, do the following:

Decide how you want to search your data. This decision determines which generating command you should use at the start of your search. See Choose a generating command.
Add the name of the index that you want to search using the generating command. See Specify an index.
Depending on which UI you are using to write and run your search, you might need to write your search a little differently:
- If you are using the Search bar in the Search & Reporting app, the search command is sometimes assumed and can be omitted. See Search command is assumed in some cases.
- If you are working in the SPL2 module editor, then you must explicitly include the search command in order to use it, and you must assign a name to your search. An SPL2 module can contain multiple searches, so each search in the same module must be identified by a unique name. See Name your search in the SPL2 module editor.

Choose a generating command

The 2 most commonly used generating commands are search and from. Each command supports different syntax and accesses data differently.

To choose a generating command, consider whether you prefer to work with SPL syntax or SQL syntax. Consult the following table to identify the generating command that best suits your needs:


Syntax preference	Use this generating command	Command features
SPL	search command	Search your data using keywords and field-value pairs.
SQL	from command	Search your data using field-value pairs. The from command is like the SQL SELECT command: It supports optional clauses that you can use to manipulate your data, such as the WHERE, GROUP BY, SELECT, and ORDER BY clauses. It supports a flexible syntax, so you can choose whether to start your search using the FROM clause or the SELECT clause.

Next, pair your generating command with the index that you want to search.

Specify an index

SPL2 can work with data from different kinds of datasets. The most commonly searched kind of dataset is an index, which stores the data that is ingested into the Splunk platform.

To complete your initial search, add the name of an index to the generating command.

When using the search command, you need to specify the index using this format: index=<index_name>.
When using the from command, you can enter the index name as is.

The following table shows examples of searches that return all the data from an index named main:


Example scenario	Search statement
Using the search command	`search index=main`
Using the from command, starting with the SELECT clause.	`SELECT * FROM main`
Using the from command, starting with the FROM clause.	`FROM main`

Note: The names of the from command clauses are shown in uppercase for readability and alignment with SQL syntax. You can specify the clause names in uppercase or lowercase. For example, you can specify FROM or from, SELECT or select, and GROUP BY or group by. However, you cannot specify clauses in mixed case, such as Group By.

If you are writing your search in the Search bar of the Search & Reporting app, then see Search command is assumed in some cases for more information about the supported search syntax.

If you are writing your search in the SPL2 module editor, then see Name your search in the SPL2 module editor for information about completing your search.

Search command is assumed in some cases

If the first expression in your search is an index expression written in the format index=<index_name>, then the Search bar assumes that the search command is being used. As a result, you do not need to specify the search command at the start of your search, and the UI automatically removes the search command from your search if you include it.

For example, if you enter search index=main in the Search bar, the UI automatically changes the search into index=main after you finish typing. This search is valid and successfully returns all of the data stored in the index named main.

However, if the first expression in your search is not an index expression, then you must include the search command at the start of your search. For example, search 404 index=main is a valid search, but 404 index=main is not.

This image shows the Search bar after it successfully runs this valid search: search 404 index-main

Name your search in the SPL2 module editor

An SPL2 module can support multiple searches, so each search in the same module must be identified by a unique name.

This image shows an SPL2 module that contains 2 searches named $all_products and $products_no_stock.

Search names must meet these requirements:

Start with a dollar sign ( $ ).
Use a letter as the first character after the dollar sign ( $ ).
Contain only letters, numbers, or the underscore ( _ ) character.

If the search name does not meet these requirements, then the search returns a syntax error.

Add the name to the start of your search, followed by an equal ( = ) sign. The following table shows some examples of named searches:


Example scenario	Search statement
A search named `$products` that uses the search command to search an index named products.	`$products = search index=products`
A search named `$incident_124` that uses the from command, starting with the SELECT clause to search an index named error_logs.	`$incident_124 = SELECT * FROM error_logs`
A search named `$main_data` that uses the from command, starting with the FROM clause, to search an index named main.	`$main_data = FROM main`

Next steps

You now have a valid search that returns all the data from the specified index.

However, most of the time you only want to see a subset of data that’s relevant to your particular query or investigation. You can narrow down the search results and focus on the data that matters by refining your search with filters and other conditions.

For example, you can configure your search to only return events about errors. See the following examples of possible searches:


Example scenario	Search statement
Use the search command to return any event in the main index that contains the term "error" in any field.	`search index=main error`
Use the from command, starting with the SELECT clause, to return all events from the main index where the `result` field contains the value "error".	`SELECT * FROM main WHERE result="error"`
Use the from command, starting with the FROM clause, to return all events from the main index where the `http_status` field contains the value "404".	`FROM main WHERE http_status=404`

You can also configure your search to only return events that occurred within a specific time range, such as within the last 24 hours.

To continue building out your search, see Refine your search with filters.