Compatibility Quick Reference for SPL2 commands
An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.
The following table shows which SPL2 commands are supported for the Edge Processor on Enterprise.
| SPL2 Command | Description |
|---|---|
| branch | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command. |
| eval | Calculates an expression and puts the resulting value into a search results field. |
| expand | Produce a separate result row for each object in an array that is in a field. |
| fields | Keeps or removes fields from search results based on the list of fields that you specify. |
| flatten | Converts the key-value pairs in the object into separate fields in an event. Flattens only the first level of an object. |
| from | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job. The |
| into | Appends to or replaces the contents of a dataset in the search data pipeline. The dataset must be a writeable dataset, also referred to as a dataset sink. |
| lookup | Invokes field value lookups. |
| mvexpand | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field. |
| rename | Renames one or more fields. |
| rex | Use to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions. |
| route | Routes a desired subset of incoming data so that it gets sent to a different destination. |
| thru | Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset. |
| where | Filters search results based on the outcome of a Boolean expression. |