Quick Reference for SPL2 commands

The following commands are supported in SPL2. Use the links in the table to see more details about a command and to access additional examples.

Command Description Example

addinfo

Adds fields to each event. These fields contain global, common information about the search.

Example: Adds information about the search to each event in the search results.

from <dataset> ...| addinfo

appendcols

Appends all of the fields of the subsearch results with the incoming main search results. The subsearch is run first.

Example: Search for "404" events and append the fields in each event to the list of host values returned from the incoming search results.

from main 
| fields host 
| appendcols [search 404]

append

Appends the results of a subsearch to the current results. This command runs only over historical data and does not produce correct results if used in a real-time search.

Example: Looks for events that are purchase actions and appends the results of the top IP addresses by category ID to the current results.

The top command is not supported in SPL2. The subsearch in the append command uses embedded SPL to include top command in the search.

from <dataset> 
| where action="purchase"
| sort clientip 
| stats dc(clientip) BY categoryId
| append [search action="purchase" | `top 1 clientip BY categoryId`]

Embedded SPL is a shortcut associated with the spl1 command.

appendpipe

Appends the result of the subpipe to the search results. Unlike a subsearch, the subpipe is not run first. The subpipe is run when the search reaches the appendpipe command.

Example: The following example append subtotals for each action across all users.

from main
| stats count() AS user_count BY action, clientip
| appendpipe [stats sum(user_count) AS 'User Count' BY action | eval user = "TOTAL - USER COUNT"] 
| sort action

bin

Example: Return the average for a field for a specific time span. Bin the search results using a 5 minute time span on the _time field. Return the average thruput of each host for each 5 minute time span.

...| bin span=5m _time | stats avg(thruput) by _time, host

branch

Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command.

Example: Read the events in the main index dataset into memory one time. Process the events in two branches using subsearches to determine the most popular hosts and sources.

| from main 
| branch  
    [stats count() BY host 
       | where count > 50 select host 
       | into p_hosts], 
    [stats count() BY source 
       | where count > 100 select source 
       | into p_sources]

convert

Converts field values in your search results into numerical values.

Example: The following example changes the duration values to seconds for the specified fields.

... | convert dur2sec(xdelay), dur2sec(delay)

decrypt

Used in Edge Processor or Ingest Processor pipelines to decrypt encrypted data fields before the data reaches its destination.

For the Edge Processor solution, see Use the decrypt command to decrypt data in the Edge Processor solution in the Use Edge Processors manual.

For the Ingest Processor solution, see Use the decrypt command to decrypt data in the Ingest Processor solution in the Use Ingest Processors manual.

dedup

Removes the events that contain an identical combination of values for the fields that you specify.

Example: Remove duplicates of results with the same host value.

... | dedup host

eval

Calculates an expression and puts the resulting value into a search results field.

Example: Create a new field that contains the result of a calculation. Create a new field called velocity in each event. Calculate the velocity by dividing the values in the distance field by the values in the time field.

... | eval velocity=distance/time

Example: Use the if function to analyze field values. Create a new field called error in each event. Using the if function, set the value in the error field to OK if the status value is 200. Otherwise set the error field value to Problem.

... | eval error = if(status == 200, "OK", "Problem")

eventstats

Generates summary statistics from fields in your events and saves those statistics into a new field.

Example: Calculate an average for each distinct value of the date_minute field. The new field avgdur is added to each event with the average value based on its particular value of date_minute.

... | eventstats avg(duration) AS avgdur BY date_minute

expand

Produces a separate result row for each object in an array that is in a field.

Example: Expand the array in the bridges field. Here is the event before the field is expanded:

_time	bridges
5 May 2021 2:29:02 PM	[{"name":"Tower Bridge","length":801},{"name":"Millennium Bridge","length":1066}]

... | expand bridges

Here are the results after the expand command is run:

_time	bridges
5 May 2021 2:29:02 PM	{"name":"Tower Bridge","length":801}
5 May 2021 2:29:02 PM	{"name":"Millennium Bridge","length":1066}

fields

Keeps or removes fields from search results based on the list of fields that you specify.

Example: Specify a list of fields to include in the search results. Return only the host and src fields from the search results.

... | fields host, src

fieldsummary

Calculates summary statistics for one or more fields in your events, displayed as a results table.

Example: Return the summary statistics for all incoming fields.

...| fieldsummary

Example: Return the summary statistics for a specific field.

...| fieldsummary fields=[action]

fillnull

Replaces null values with a specified string value. Null values are field values that are missing in some results but present in other results.

Example: The following example fills all empty field values in the host and kbps fields with the string unknown:

... | fillnull value="unknown" host, kbps

flatten

Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object.

Example: Flattens the values in the bridges object into separate fields.

FROM [{}] SELECT _time, {name: "Tower Bridge", length: 801} as bridges | flatten bridges

_time	bridges	length	name
21 Sep 2022 2:34:17 PM	[{"name":"Tower Bridge", "length":801}]	801	Tower Bridge

from

Retrieves data from a dataset, such as an index, metric index, lookup, view, or job.

The from command has a flexible syntax, which enables you to start a search with either the FROM clause or the SELECT clause.

Example: Return data from the main index for the last 5 minutes. Group the results by host. Calculate the sum of the bytes field. Return the sum and the host fields where the sum of the bytes is greater than I MB.

| FROM main 
  WHERE earliest=-5m@m AND latest=@m 
  GROUP BY host 
  SELECT sum(bytes) AS sum, host 
  HAVING sum > 1024*1024

head

Returns the first N number of specified results in search order.

Example: Stop searching when a null value is encountered. This example returns results while action=purchase or the action field does not exist in the results (null=true). A maximum of 50 results are returned.

...| head while (action="purchase") null=true 50

into

Sends results to a dataset that is writable, a dataset sink. Appends or replaces the dataset sink in the search data pipeline.

Example: Append the search results to the mytable dataset, which is a lookup kind of dataset.

... | into mode=append mytable

iplocation

Extracts location information from IP addresses by using 3rd-party databases. Supports IPv4 and IPv6 addresses and subnets that use CIDR notation.

Example: The following example adds information about the IP address to each event:

...| iplocation clientip

join

Combines the results from two datasets by using one or more common fields.

Example: Join datasets on fields that have the same name. Combine the results from a search with the vendors dataset. The data is joined on the product_id field, which is common to both datasets.

... | join left=L right=R where L.product_id=R.product_id vendors

loadlob

Loads the results of a previously completed search job, based on the search job ID (sid). The command must be specified at the beginning of a search.

Example: The following example specifies the search ID for the search results that you want to load into a new search.

| loadjob 1233886270.2

lookup

Invokes field value lookups.

Example: Put corresponding information from a lookup dataset into your events.

Append the data returned from your search results with the data in the users lookup dataset using the uid field. For search results that contains a uid field, the value in that field is matched with the uid field in the users lookup dataset. The username and department fields from the users lookup dataset are appended to each search result. If the search results already have the username and department fields, the OUTPUTNEW argument only fills in missing values in those fields.

... | lookup users uid OUTPUTNEW username, department

makemv

Converts a single value field into a multivalue field by splitting the values either on a string delimiter or by using a regular expression. You can't use this command on internal fields.

Example: The following example separates values in the senders field using a comma ( , ) as the delimiter:

... | makemv delim=","  senders

Example: The following example separates the values in the my_multival field using a regular expression.

... | makemv tokenizer="([^,]+),?" my_multival

makeresults

Generates the specified number of search results in temporary memory. The results include the _time field. If you don't specify count, one result is generated.

Example: The following example generates 5 events. Using the streamstats and eval commands to create different dates in the _time field:

| makeresults count=5 
| streamstats count
| eval _time=_time-(count*86400)

mstats

Analyzes metric data by performing statistics on the measurement, metric_name, and dimension fields in metric indexes.

Example: The following example shows how to calculate a single metric grouped by time. This example returns the average value of the aws.ec2.CPUUtilization metric in the mymetricdata metric index. Use the bin command to bucket the results into 30 second time spans.

| mstats aggregates=[avg('aws.ec2.CPUUtilization')] predicate=(index=mymetricdata) | bin span=30s

mvcombine

Takes a group of events that are identical except for the specified field, which contains a single value, and combines those events into a single event.

Example: The following example creates a multivalue field from the values in the host field by using the comma as a delimiter:

... | mvcombine delim="," host

mvexpand

Expands the values of a multivalue field into separate events, one event for each value in the multivalue field.

Example: Expand the values in the myfield field.

... | mvexpand myfield

nomv

converts the values in a multivalue field into one single value. The values are separated using a new line ( "\n ) delimiter.

Example: The following example combines the values in the senders field, which is a multivalue field, into a single value where each value is separated by a new line delimiter.

from main where eventtype="sendmail" | nomv senders

rename

Renames one or more fields.

Example: Rename a field with special characters. Rename the ip-add field to IPAddress. Field names that contain anything other than a-z, A-Z, 0-9, or "_", need single-quotation marks.

... | rename 'ip-add' AS IPAddress

replace

Replaces field values in your search results with the values that you specify. This command does not replace values in fields generated by stats or eval functions. If you do not specify a field, the value is replaced in all non-generated fields.

Example: The following example changes a value in two fields in the search results, the start_month and end_month fields.

... | replace str="aug" replacement="August" start_month, end_month

reverse

Reverses the order of the search results.

Example:

... | reverse

rex

Use to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.

Example: Extract values from a field using a regex expression. Extract user, app, and SavedSearchName from a field called savedsearch_id in scheduler.log events.

... | rex field=savedsearch_id "(?<user>\\w+);(?<app>\\w+);(?<SavedSearchName>\\w+)"

If the contents of the field is savedsearch_id=bob;search;my_saved_search then this rex command syntax extracts user=bob, app=search, and SavedSearchName=my_saved_search.

Retrieve events from indexes or filter the results of a previous search command in the pipeline.

Example: Search for a field-value pair for a specific source IP, src.

search src="192.0.2.0"

Example: Search for multiple field-value pairs with boolean and comparison operators. This example searches for events with code values of either 10, 29, or 43 and any host that is not "localhost", and an xqp value that is greater than 5.

search (code=10 OR code=29 OR code=43) host!="localhost" xqp>5

select

See the from command. The SELECT clause is part of the from command.

Example: Calculate the sum of the bytes field. Return the sum and the host fields from the main index for the last 5 minutes. Group the results by host.

| SELECT sum(bytes) AS sum, host 
  FROM main 
  WHERE earliest=-5m@m 
  GROUP BY host

sort

Sorts all of the results by the specified fields.

Example: Sort the results first by the surname field in ascending order and then by the firstname field in descending order.

... | sort surname, -firstname

spath

Extracts information from the XML and JSON structured data formats.

Example: The following example shows how to specify an output field and path with a wildcard for JSON data:

... | spath output=commit_author path="commits{}.author.name"

spl1

Embed all or part of an SPL search into an SPL2 search. The spl1 command supports two syntaxes: backtick ( ` ) character syntax and explicit spl1 command syntax.

Example: Consider this SPL search:

error OR http_code=404

Embed this search into an SPL2 search using the backtick ( ` ) character syntax:

`search index=main error OR http_code=404`

Example: In this SPL2 search only the portion of the search not supported by SPL2, the addinfo command, uses the backtick ( ` ) character syntax:

from sample_data_index | stats sum(bytes) BY host | `addinfo`

stats

Calculates aggregate statistics such as average, count, and sum, over the results set.

Example: Take the incoming result set and calculate the sum of the bytes field and groups the sums by the values in the host field.

... | stats sum(bytes) BY host

streamstats

Adds a cumulative statistical value to each search result as each result is processed.

Example: Use a BY clause to add a running count to search results. This search uses the host field to reset the count. For each search result, a new field is appended with a count of the results based on the host value. The count is cumulative and includes the current result.

... | streamstats count() BY host

table

Returns a table that is formed from the fields that you specify. Columns are displayed in the same order that the fields are specified in.

Example: The following example returns a table with only the host and action fields.

...| table host, action