Compatibility Quick Reference for SPL2 commands
An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.
The following table shows which SPL2 commands are supported for each product profile:
| SPL2 Command | Description | splunkd 1profile | edgeProcessorprofile | ingestProcessorprofile |
|---|---|---|---|---|
| bin | Puts continuous numerical values into discrete sets, or bins. | Yes | ||
| branch | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command. | Yes | Yes | Yes |
| dedup | Removes the events that contain an identical combination of values for the fields that you specify. | Yes | ||
| eval | Calculates an expression and puts the resulting value into a search results field. | Yes | Yes | Yes |
| eventstats | Generates summary statistics from fields in your events and saves those statistics into a new field. | Yes | ||
| expand | Produce a separate result row for each object in an array that is in a field. | Yes | Yes | Yes |
| fields | Keeps or removes fields from search results based on the list of fields that you specify. | Yes | Yes | Yes |
| fieldsummary | Calculates summary statistics for one or more fields in your events, displayed as a results table. | Yes | ||
| flatten | Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object. | Yes | Yes | Yes |
| from | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job. The | Yes | Yes | Yes |
| head | Returns the first search results, in search order, based on the <limit> specified. For historical searches, returns the most recent events. For real-time searches, searches the first captured events. | Yes | ||
| into | Appends to or replaces the contents of a dataset in the search data pipeline. The dataset must be a writeable dataset, also referred to as a dataset sink. | Yes | Yes | Yes |
| join | Combines the results from two datasets by using one or more common fields. | Yes | ||
| lookup | Invokes field value lookups. | Yes | Yes | Yes |
| mvexpand | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. | Yes | Yes | Yes |
| ocsf | Converts the data in the _raw field of incoming events to the Open Cybersecurity Schema Framework (OCSF) format. | Yes | Yes | |
| rename | Renames one or more fields. | Yes | Yes | Yes |
| reverse | Reverses the order of the search results. | Yes | ||
| rex | Use to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions. | Yes using PCRE | Yes using PCRE | Yes using PCRE |
| route | Routes a desired subset of incoming data so that it gets sent to a different destination. | Yes | Yes | |
| search | Retrieve events from indexes or filter the results of a previous search command in the pipeline. | Yes | ||
| select | See the from command. The SELECT clause is part of the from command. You can start a search with the SELECT clause. | Yes | ||
| sort | Sorts all of the results by the specified fields. | Yes | ||
| spl1 | Embed all or part of an SPL search into an SPL2 search. The spl1 command supports two syntaxes: backtick ( ` ) character syntax and explicit spl1 command syntax. | Yes | ||
| stats | Calculates aggregate statistics such as average, count, and sum, over the results set. | Yes | ||
| streamstats | Adds a cumulative statistical value to each search result as each result is processed. | Yes | ||
| thru | Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. | Yes | Yes | Yes |
| timechart | Creates a time series chart with corresponding table of statistics. | Yes | ||
| timewrap | Compare data over a specific time period, such as day-over-day or month-over-month, or multiple time periods, such as a two week period over another two week period. | Yes | ||
| union | Merges the results from two or more datasets into one dataset. One dataset can be piped into the union command and merged with a second dataset. | Yes | ||
| where | Filters search results based on the outcome of a Boolean expression. | Yes | Yes | Yes |
1 The splunkd profile is currently used by the Splunk Enterprise SPL2-based app development beta and the Search tab of the Edge Processor solution.
See also
Additional compatibility information
Edge Processor information
Ingest Processor information