Search literals enable you to perform SQL-like searches using a predicate expression that is similar to using predicate expressions with the search command.

The following table shows how the same predicate expression is used with the search command and the fromcommand:

search index=main 500

FROM main WHERE searchmatch("500")

FROM main WHERE `500`

One common use for search literals is in the WHERE clause of the from command. You can also use search literals with the where command.

The following search looks in the main index for events that contains the terms 500 and ERROR.

|FROM main 
 WHERE `500 ERROR`

You can use search literals in any function that accepts a predicate or conditional expression.

The following search counts the occurrences of the value 500 in your events. The results are organized by the host field:

... | stats count(`500`) by host

This is the same as this search:

... | search 500 | stats count() by host

... | eval error_type = if(`error=4*`, "user", "server")

If the value in the error field begins with 4, the string user is placed in the error_type field. Otherwise the string server is placed in the error_type field.

If the SPL command is not supported in the SPL compatibility library, use a search literal to include the SPL command in your SPL2 searches.

For example, the top command returns the top X values for a specific field. The top command also returns two additional fields with information about the count and percent of the values within the dataset.

The SPL top command is not supported in SPL2 or in the SPL compatibility library. However, you can still use the SPL top command in your SPL2 search using a search literal.

$search = from sample_events where host="www3" | `top limit=20 referer`