Compatibility Quick Reference for SPL2 commands

An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.

The following table shows which SPL2 commands are supported for each product profile:

Yes = the command is supported in that profile; No = it is not.

SPL2 command | splunkd profile (1) | Edge Processor profile | Ingest Processor profile | Description
addinfo | Yes | No | No | Adds fields to each event. These fields contain global, common information about the search.
appendcols | Yes | No | No | Appends all of the fields of the subsearch results to the incoming main search results. The subsearch is run first.
append | Yes | No | No | Appends the results of a subsearch to the current results. This command runs only over historical data and does not produce correct results if used in a real-time search.
appendpipe | Yes | No | No | Appends the result of the subpipe to the search results. Unlike a subsearch, the subpipe is not run first; it is run when the search reaches the appendpipe command.
bin | Yes | No | No | Puts continuous numerical values into discrete sets, or bins.
branch | Yes | Yes | Yes | Processes one set of events or search results, in parallel, in two or more branches. Each branch must end with the into command.
convert | Yes | No | No | Converts field values in your search results into numerical values.
decrypt | No | Yes | Yes | Used in Edge Processor or Ingest Processor pipelines to decrypt encrypted data fields before the data reaches its destination.
dedup | Yes | No | No | Removes the events that contain an identical combination of values for the fields that you specify.
eval | Yes | Yes | Yes | Calculates an expression and puts the resulting value into a search results field.
eventstats | Yes | No | No | Generates summary statistics from fields in your events and saves those statistics into a new field.
expand | Yes | Yes | Yes | Produces a separate result row for each object in an array that is in a field.
fields | Yes | Yes | Yes | Keeps or removes fields from search results based on the list of fields that you specify.
fieldsummary | Yes | No | No | Calculates summary statistics for one or more fields in your events, displayed as a results table.
fillnull | Yes | No | No | Replaces null values with a specified string value. Null values are field values that are missing in some results but present in other results.
flatten | Yes | Yes | Yes | Converts the key-value pairs in an object into separate fields in an event. Flattens only the first level of an object.
from | Yes | Yes | Yes | Retrieves data from a dataset, such as an index, metric index, lookup, view, or job. The from command has a flexible syntax, which enables you to start a search with either the FROM clause or the SELECT clause.
head | Yes | No | No | Returns the first search results, in search order, based on the <limit> specified. For historical searches, returns the most recent events. For real-time searches, returns the first captured events.
into | Yes | Yes | Yes | Appends to or replaces the contents of a dataset in the search data pipeline. The dataset must be a writeable dataset, also referred to as a dataset sink.
iplocation | Yes | No | No | Extracts location information from IP addresses by using third-party databases. Supports IPv4 and IPv6 addresses and subnets that use CIDR notation.
join | Yes | No | No | Combines the results from two datasets by using one or more common fields.
loadjob | Yes | No | No | Loads the results of a previously completed search job, based on the search job ID (sid). The command must be specified at the beginning of a search.
lookup | Yes | Yes | Yes | Invokes field value lookups.
makemv | Yes | No | No | Converts a single-value field into a multivalue field by splitting the values either on a string delimiter or by using a regular expression. You can't use this command on internal fields.
makeresults | Yes | No | No | Generates the specified number of search results in temporary memory. The results include the _time field. If you don't specify count, one result is generated.
mstats | Yes | No | No | Analyzes metric data by performing statistics on the measurement, metric_name, and dimension fields in metric indexes.
mvcombine | Yes | No | No | Takes a group of events that are identical except for the specified field, which contains a single value, and combines those events into a single event.
mvexpand | Yes | Yes | Yes | Expands the values of a multivalue field into separate events, one event for each value in the multivalue field.
nomv | Yes | No | No | Converts the values in a multivalue field into one single value. The values are separated using a newline ( \n ) delimiter.
ocsf | No | Yes | Yes | Converts the data in the _raw field of incoming events to the Open Cybersecurity Schema Framework (OCSF) format.
rename | Yes | Yes | Yes | Renames one or more fields.
replace | Yes | No | No | Replaces field values in your search results with the values that you specify. This command does not replace values in fields generated by stats or eval functions. If you do not specify a field, the value is replaced in all non-generated fields.
reverse | Yes | No | No | Reverses the order of the search results.
rex | Yes (using PCRE) | Yes (using PCRE) | Yes (using PCRE) | Use to either extract fields using regular expression named groups, or replace or substitute characters in a field using sed expressions.
route | No | Yes | Yes | Routes a desired subset of incoming data so that it gets sent to a different destination.
search | Yes | No | No | Retrieves events from indexes or filters the results of a previous search command in the pipeline.
select | Yes | No | No | See the from command. The SELECT clause is part of the from command. You can start a search with the SELECT clause.
sort | Yes | No | No | Sorts all of the results by the specified fields.
spath | Yes | No | No | Extracts information from the XML and JSON structured data formats.
spl1 | Yes | No | No | Embeds all or part of an SPL search into an SPL2 search. The spl1 command supports two syntaxes: backtick ( ` ) character syntax and explicit spl1 command syntax.
stats | Yes | No | No | Calculates aggregate statistics such as average, count, and sum, over the results set.
streamstats | Yes | No | No | Adds a cumulative statistical value to each search result as each result is processed.
table | Yes | No | No | Returns a table that is formed from the fields that you specify. Columns are displayed in the same order that the fields are specified in.
tags | Yes | No | No | Adds fields to your search results with information about the tags found for those results. To use this command, the tags must already exist.
thru | Yes | No | No | Writes data to a writeable dataset and then passes the same data to the next command in the search string. By default, the thru command appends data to the dataset.
timechart | Yes | No | No | Creates a time series chart with a corresponding table of statistics.
timewrap | Yes | Yes | Yes | Compares data over a specific time period, such as day-over-day or month-over-month, or over multiple time periods, such as one 2-week period over another 2-week period.
tstats | Yes | No | No | Searches on indexed fields in tsidx files using statistical functions. The indexed fields can be from indexed data or accelerated data models.
typer | Yes | No | No | Creates an eventtype field for search results that match known event types. The event types must already exist to use this command.
union | Yes | No | No | Merges the results from two or more datasets into one dataset. The first dataset can be piped into the union command and merged with a second dataset.
untable | Yes | No | No | Converts tabular information into individual rows of results. The untable command is useful for preparing your data for a chart.
where | Yes | Yes | Yes | Filters search results based on the outcome of a Boolean expression.

1 The splunkd profile is currently used by the Splunk Enterprise SPL2-based app development and the Search tab of the Edge Processor solution.
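As an added example that is not part of the original page, the following Edge Processor or Ingest Processor pipeline uses only commands the table marks as supported for those two profiles (from, rex, eval, route, into). $source and $destination are the source and destination configured for the pipeline; the $security_destination variable, the field names, and the constructed log line in the comment are assumptions made for illustration, and the exact route syntax should be checked against the route command reference for your release. A splunkd-only command such as stats, dedup, or timechart would not be accepted in a pipeline for these profiles.

```spl2
// Added example, not from the original page or the Splunk documentation.
// Assumed input: syslog lines such as the constructed example
//   "sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 2222"
$pipeline = | from $source
    // rex is supported in all three profiles (PCRE): pull the user and source IP
    // out of _raw with named groups; events that do not match keep null fields.
    | rex field=_raw /Failed password for (invalid user )?(?P<user>\S+) from (?P<src_ip>\d+\.\d+\.\d+\.\d+)/
    // eval is supported in all three profiles: tag the event based on the extraction.
    | eval event_type = if(isnotnull(src_ip), "failed_login", "other")
    // route is Edge/Ingest Processor only: send the matching subset to an assumed
    // second destination; everything else continues down the main pipeline.
    | route event_type == "failed_login", [ | into $security_destination ]
    | into $destination;
```

The point of the example is the profile boundary rather than the regex: every command in it appears with Yes in both the Edge Processor and Ingest Processor columns, and the one command that moves data to a second destination, route, is one that the splunkd profile does not offer at all.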