Using SPL command functions
To use the SPL command functions, you must first import the functions into a module. See Importing SPL command functions.
After the command functions are imported, you can use the functions in the searches in that module. There are two types of command functions: generating and non-generating:
- Generating commands are invoked at the beginning of a search
- Non-generating commands are invoked after the first command in a search
Generating command functions
To use a generating command function in an SPL2 module, specify pipe character ( | ), then the name of the function and the values for the function parameters.
Here are a few examples:
| makeresults count=4 <parameters>| tstats aggregates=[count()] byfields=[source]Non-generating command functions
For non-generating command functions, you use the function after you specify the dataset.
You can use both SPL2 commands and SPL command functions in the same search. For example, in the following search the SPL2 from, dedup, and eval commands are used to search for IP addresses in the events and to classify the network that the addresses belong to. The table command function is used at the end of a search to display the search results:
from sample_events
| dedup clientip
| eval network=if(cidrmatch("108.65.0.0/16", clientip), "local", "other")
| table clientip, networkSee also
Related information