thru command: Examples

The following are examples for using the SPL2 thru command.

1. Append all of the search results to a dataset

This example appends the entire incoming search result set to the actions dataset. Those same search results are also passed on to the eval command.

2. Replace all of the search results in a dataset

In this example, all of the existing data in the customers dataset is replaced by the incoming search result set. Those same search results are also passed on to the eval command.

3. Pipeline example

This example shows how to use the thru command in a pipeline.

Use the thru command when you want to process or route the same set of data in two distinct ways. The thru command makes an unaltered copy of the data.

The thru command:

  1. Creates an additional path in the pipeline.
  2. Copies all of the incoming data in the pipeline.
  3. Sends the copied data to the newly created path.

Process or send the same set of pipeline data in two distinct ways

The following example uses the thru command to make a copy of the incoming data, adds a tag field to that copy, and sends it, otherwise unaltered, to an Amazon S3 bucket. In the other copy of the data, the ip_address field is masked with a SHA-256 hash and the masked data is sent to an index named cisco_syslog on the Splunk platform:

$pipeline = | from $source
| thru
    [
    | eval tag = "not masked"
    | into $amazon_s3_bucket_destination
    ]
| eval ip_address = sha256(ip_address)
| eval index = "cisco_syslog"
| into $splunk_destination