SPL2 views
An SPL2 view is a named SPL2 search that has been exported from a module. You can use the views exported from one module in other modules.
How are views related to searches?
Why views are so useful
Views are similar to macros. With views, you can filter out data that you don't want to use or that you don't want other users to have access to.
Filter search example
You can filter out events or fields from your data and create a view of the filtered data.
The following example shows 2 modules where a view from one module is used as a dataset in another module.
The first module contains a search that filters the events based on a field value. In this example the search returns only successful events from an index. The search is exported to create a view called happy_events.

module1

```
$happy_events = from main where status=200
export $happy_events
```
The second module imports the happy_events view and uses it as the dataset in another search.

module2

```
import happy_events from ~/users.<user_name>.apps.'search'/module1
$host_www3 = from happy_events
where categoryId LIKE("S%") AND host="www3"
select _time, action, productId, categoryId
```
You can also filter out entire fields from an index to create a view with only the fields you specify. The following example creates a view that contains only the _time, host, action, status, and categoryId fields.

```
$filtered_data = from main select _time, host, action, status, categoryId
export $filtered_data
```
Mask search example
You can create a view to mask out sensitive data in a field so that the data is not exposed in search results. Creating a view with masked data enables you to share the masked data without giving others access to the underlying index.
| host | clientip | status | action |
|---|---|---|---|
| www1 | 182.236.164.11 | 200 | purchase |
| www3 | 211.245.24.3 | 200 | addtocart |
| www2 | 91.205.189.15 | 503 | purchase |
You can mask out the sensitive data in the clientip field and export the search to create a view with the masked data.

There are several ways to mask out data. You can create a custom command function, use a cryptographic function, or, as shown in the following example, use the replace function.
```
$mask_IP_addresses = from main where like(sourcetype, "access_%")
| select host, clientip, status, action
| eval clientip=replace(clientip, /\S/, "X")
export $mask_IP_addresses
```
| host | clientip | status | action |
|---|---|---|---|
| www1 | XXXXXXXXXXXXXX | 200 | purchase |
| www3 | XXXXXXXXXXXX | 200 | addtocart |
| www2 | XXXXXXXXXXXXX | 503 | purchase |
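The two masking options named above, reproduced outside Splunk as an added example (not SPL2 and not Splunk's own code): the replace-based mask exactly as the view above applies it, beside a keyed-hash mask standing in for the "cryptographic function" option. The sample events are constructed to match the table on this page; the HMAC key is a placeholder.

```python
import hashlib
import hmac
import re

# Constructed sample events mirroring the table above.
EVENTS = [
    {"host": "www1", "clientip": "182.236.164.11", "status": 200, "action": "purchase"},
    {"host": "www3", "clientip": "211.245.24.3", "status": 200, "action": "addtocart"},
    {"host": "www2", "clientip": "91.205.189.15", "status": 503, "action": "purchase"},
]


def mask_replace(event):
    r"""Same effect as `eval clientip=replace(clientip, /\S/, "X")`:
    every non-whitespace character becomes X, so only the length survives.
    Consumers of the view cannot recover or correlate the address."""
    masked = dict(event)
    masked["clientip"] = re.sub(r"\S", "X", event["clientip"])
    return masked


def mask_hmac(event, key: bytes):
    """Keyed-hash pseudonymisation: equal addresses map to equal tokens,
    so events can still be grouped or joined on clientip, but the token
    cannot be reversed or brute-forced without the key."""
    masked = dict(event)
    tag = hmac.new(key, event["clientip"].encode(), hashlib.sha256).hexdigest()
    masked["clientip"] = tag[:16]  # truncated for readability only
    return masked


def build_view(events, masker):
    """Apply a masking function to every event, as the exported view would."""
    return [masker(e) for e in events]


if __name__ == "__main__":
    for row in build_view(EVENTS, mask_replace):
        print(row)
    for row in build_view(EVENTS, lambda e: mask_hmac(e, b"placeholder-key")):
        print(row)
```

The replace mask is the right choice when nothing downstream needs to tell two clients apart; the keyed hash keeps that ability while still withholding the raw address.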
Pipeline example
A pipeline is a special type of SPL2 search statement used with the Splunk Edge Processor solution and Splunk Ingest Processor solution. When run, an SPL2 pipeline processes data and either drops or sends the data instead of returning search results. Pipelines specify what data to process, how to process it, and what destination to send the processed data to.
Suppose you have a situation where you don't want to use a pipeline to send data from a source dataset directly into a destination dataset. You want to filter the dataset, using the same filter on multiple source datasets, before the data goes into a destination dataset.
You can create a view that performs the filtering steps and reuse that view on different pipelines.
Here is a view that performs a filter:

```
$myfilter = | select a, b | eval c = "darat" | into mystore
```

You can call this view in a pipeline:

```
$pipeline = | from [{a,b,c,d,e}] | into $myfilter
```