Splunk SPL Commands Quick Reference

The document provides a quick reference of important commands for the Splunk software, listing each command, its function, example usage, and brief description.

Uploaded by siva Awara

Important SPL Commands Quick Reference

| Command | Function | Example | Description |
|---|---|---|---|
| search | Filters results based on a search expression | search product_name = "Dream Crusher" | From the results, display events where product_name is "Dream Crusher" |
| fields | Keeps or removes fields from the search results | fields - count | Removes the field count from the search results |
| rename | Renames fields | rename count AS "Total Transactions" | Renames the field count to "Total Transactions" |
| stats | Produces statistics from the search results | stats avg(responseTime) | Calculates the average response time |
| timechart | Plots statistics with time on the X axis | timechart count | Plots the number of events over time |
| eval | Creates a new field based on an expression | eval kb = bytes/1024 | Creates a new field kb by calculating bytes/1024 |
| dedup | Removes duplicate values | dedup vendorId | Removes events with identical values of the vendorId field |
| rex | Uses regular expressions to extract fields | rex "(?<exception>java\.[^\s]+)" | Extracts Java exceptions into a field named exception |
| table | Returns a table with the fields you specify | table host,source | Returns a table with the columns host and source from the search results |
| convert | Converts field values into specified numerical values | convert ctime(_indextime) AS IndexTime_readable | Converts the Unix time value in the _indextime field into human-readable form |
| metadata | Returns information about source, sourcetype and host from an index | metadata type=hosts index=myIndex | Returns information like firstTime, lastTime and totalCount for the hosts in myIndex |
| where | Uses eval expressions to filter search results | where avgheap > threshold | Returns events where avgheap is greater than threshold |
| append | Performs a subsearch and appends its results to the main search | append [ search index=myIndex log_level=FATAL ] | Appends the results of the subsearch to the main search |
| join | Merges the results of a subsearch with the main search based on join fields | join host [ search index=myIndex ] | Combines results from the subsearch into the main search where the host field matches |
| head | Returns the first N events in search order | head 15 | Returns the 15 most recent events |
| reverse | Reverses the order of the results | reverse | Reverses the order of the results so the oldest data shows first |
| tail | Returns the last N events in search order | tail 20 | Returns the 20 oldest events |
| top | Returns the most common values of the specified field | top 5 host | Returns the top 5 hosts based on the number of events |
| transaction | Groups events based on constraints | transaction JSESSIONID | Groups events by JSESSIONID |
| fillnull | Replaces null values with a specified value | fillnull value="NA" | Replaces null values with the string "NA" |
| collect | Adds results to a summary index | collect index=myStats | Stores the search results in an index named myStats |
| multikv | Extracts field values from table-formatted events | multikv fields pid command | From the search results, extracts the pid and command fields |
| regex | Using a regular expression, removes results that do not match | regex zip="\d{5}" | Keeps only events with a valid 5-digit zip code |
| lookup | Invokes field lookups on the specified lookup table | lookup prices.csv productId | Retrieves column values from prices.csv where productId matches the event data |
| inputlookup | Retrieves the contents of a lookup table | inputlookup prices.csv | Displays the contents of prices.csv |
| outputlookup | Writes results to a lookup table | outputlookup products.csv | Writes the search results to the lookup table products.csv |
| spath | Extracts fields from structured data such as JSON and XML | spath output=message path=rec.log.msg | Extracts the value at the JSON path rec.log.msg and writes it to the field message |
| xmlkv | Extracts key-value pairs from XML data | xmlkv | Creates key-value pairs from search results that are valid XML events |
| addtotals | Sums up all numerical fields in a search result and stores the total in a new field | addtotals | Adds all the numerical fields and stores the result in the Total field |
| tstats | Queries indexed fields and accelerated data models | tstats count FROM datamodel=orders | Returns the count from the data model orders |
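As an added example, not part of the original reference, the following search chains several of the commands above (search, rex, stats, where, convert, fillnull, rename, table) into one defensive pipeline that counts failed SSH logins per source address and surfaces only sources above a threshold. The index name auth, the sourcetype linux_secure, the raw log wording, and the threshold of 20 are assumptions for the illustration.

```spl
index=auth sourcetype=linux_secure "Failed password"
| rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| stats count AS failures, dc(user) AS distinct_users,
        earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where failures > 20
| convert ctime(first_seen) ctime(last_seen)
| fillnull value="NA"
| rename failures AS "Failed Logins"
| table src_ip, "Failed Logins", distinct_users, first_seen, last_seen
```

The rex stage extracts user and src_ip from the raw message, stats aggregates per source, where applies the threshold, and convert turns the epoch timestamps from stats into readable times before the final table.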
