In the SPL, the search command is implied at the beginning of some searches, such as searches that start with a keyword or a field-value pair. In SPL2 the search command must be explicitly specified.

Unless your SPL search begins with a generating command like inputlookup, makeresults, mstats, or tstats, you must include the search command when you use the spl1 command.

Here's an example:

index=sample_data_index action=purchase 

$example1= | `search index=sample_data_index action=purchase`

$example2 = | spl1 "search index=main action=purchase"

For many SPL searches, you can convert most of the search to SPL2. For the portion of the SPL search that you can't convert you can use the spl1 command.

The following example shows how to convert an SPL search into SPL2 and how to use the spl1 command for the addinfo command, which is not supported in SPL2.

index=sample_data_index | stats sum(bytes) BY host | addinfo

$example1 = from sample_data_index | stats sum(bytes) BY host | `addinfo`  

$example2 = from sample_data_index | stats sum(bytes) BY host | spl1 "addinfo"

In the SPL2 search, there is no default index. You must specify the index either before or within the spl1 command portion of the search. Where you specify the index depends on the search you are using with the spl1 command:

• If the SPL search starts with non-generating command, such as search, you can specify the index either before or within the spl1 command portion of the search.
• If the search starts with generating command, such as tstats, you must add the index to the spl1 command portion of the search.

In the following example, the SPL search assumes that you want to search the default index, main. To use this search in SPL2, you can specify the index either before or within the spl1 command portion of the search.

status=200 action=purchase 
| stats count BY clientip 

$before_spl1 = from sample_data_index | `search status=200 action=purchase 
| stats count BY clientip `

$within_spl1 = | `search index=sample_data_index status=200 action=purchase 
| stats count BY clientip`

Some generating commands, such as tstats and mstats, include the ability to specify the index within the command syntax.

In the following example, the SPL search assumes that you want to search the default index, main. In the SPL2 search, there is no default index. You must specify the index in the spl1 command portion of the search.

| tstats prestats=t count  BY _time span=1d | timechart span=1d count

$tstats1 = `| tstats prestats=t count where index=main BY _time span=1d | timechart span=1d count`

When your SPL search contains quotation marks, it is easier to use the spl1 command backtick ( ` ) character syntax. When you use the explicit spl1 command syntax, you must escape the quotation marks.

The following example shows the difference between the backtick ( ` ) character syntax and the explicit spl1 command syntax:

|status=200 action=purchase | stats count AS "Total Purchased"

$quotes1 = from sample_data_index
| `search status=200 action=purchase 
| stats count AS "Total Purchased" `

$quotes2 = from sample_data_index
| spl1 "search status=200 action=purchase 
| stats count AS \"Total Purchased\" "