spl1 command: Overview, syntax, and usage

The spl1 command embeds all or part of an SPL search into an SPL2 search. There are some limitations using this command. See the Usage section.

Use these links to quickly navigate to the main sections in this topic:

How the SPL2 spl1 command works

Use the SPL2 spl1 command when a command is not supported in SPL2.

For example, while the makeresults command is not supported in SPL2 you can use the spl1 command to run a search with the makeresults command:

Version Example
SPL search 
makeresults count=3
SPL2 search 
$makeresults1 = `makeresults count=3`

This search uses the spl1 command backtick ( ` ) character syntax.

SPL2 search 
$makeresults2 = | spl1 "makeresults count=3"

This search uses the explicit spl1 command syntax.

In SPL, the default index is main and when you run a search, the search is run against the main index. However, there is no default index in SPL2. To run a search against a specific index, you must specify that index.

Here's an example:

Version Example
SPL search 
error OR http_code=404

This search looks for the term error and the field-value pair http_code=404 in the default index, main.

SPL2 search 
$error1 = from main | `search error OR http_code=404`

There is no default dataset with SPL2. The easiest way to identify the dataset is with the SPL2 from command. This search uses the spl1 command backtick ( ` ) character syntax.

SPL2 search 
$error2 = from main | spl1 "search error OR http_code=404"

This is the same search using the explicit spl1 command syntax.|-

SPL2 search 
$error3 = `search index=main error OR http_code=404`

Alternatively, you can add the index to the search command.

Syntax

The spl1 command supports 2 syntaxes.

Backtick character syntax

Enclose the SPL search in backtick ( ` ) characters. The syntax is:

`<SPL-search>`

Explicit spl1 command syntax

Use the spl1 command explicitly and enclose the SPL search in double quotation marks. The syntax is:

spl1 "<SPL-search>"

Usage

You use the spl1 command to include SPL searches, or parts of searches, in your SPL2 searches. The spl1 command enables you to use SPL commands that are not directly supported with SPL2.

SPL commands supported with the spl1 command

In SPL2 searches, you can use the following SPL commands with the spl1 command:

Commands

actions

addinfo

append

appendcol

apply

bin

cluster

convert

dedup

eval

eventsingest

eventstats

fields

fieldsummary

fillnull

fit

foreach

head

inputlookup

iplocation

join

lookup

makeresults

mcatalog

metadata

metricsingest

mstats

mvcombine

mvexpand

multireport

noop

outputlookup

regex

rename

reverse

rex

savedsearch

search

selfjoin

sistats

sort

spath

stats

streamstats

table

tags

tail

timechart

timeliner

timewrap

transaction

tstats

tojson

top

typer

untable

union

where

xyseries

Searches that use the implied search command

For some SPL searches, you must add the search command when you use the spl1 command.

In the SPL, the search command is implied at the beginning of some searches, such as searches that start with a keyword or a field-value pair. Unless your SPL search begins with a generating command like inputlookup, makeresults, mstats, or tstats, you must include the search command when you use the spl1 command. See spl1 command examples.

When to include the index in your search

In an SPL2 search, there is no default index. You must specify the index that you want to search either before or within the spl1 command portion of the search. See spl1 command examples.

Searches that contain quotation marks

When your SPL search contains quotation marks, it is easier to use the spl1 command backtick ( ` ) character syntax. When you use the explicit spl1 command syntax, you must escape the quotation marks. See spl1 command examples.

Searches with macros or subsearches

You cannot use the spl1 command with SPL searches that contain macros or subsearches.