This topic describes how to use the from function.

A special function used in the SPL2 Pipeline Builder to retrieve data from a specific source function. The from function has optional clauses to filter and project the data. You can specify those clauses within the from function, or you can filter and project the data by using the streaming functions instead.

The from function has a flexible syntax, which lets you start building a pipeline with either the FROM or the SELECT clause. For example, these two SPL2 strings are identical and build the exact same pipeline:

    cast(map_get(attributes, "syslog_message"), "string") AS syslog_message,
    WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i)

    WHERE match_regex(cast(map_get(attributes, "syslog_message"), "string"), /.*teardown.*outside.*inside/i)

The only difference between the two is that one starts with FROM and the other starts with SELECT. Regardless of which clause you start the pipeline with, to use the optional clauses you must specify them in a specific hierarchical order. See "Order of clauses" on this page.

Required arguments

source_function
Description: The source function to retrieve the data from. For a list of available source functions, see source functions.

Optional arguments

WHERE
Syntax: WHERE
Description: Use the WHERE clause to filter the incoming data. The WHERE clause uses predicate expressions to filter your data by narrowing down the records based on specified criteria. When specifying multiple predicate expressions, you must specify a logical operator between the expressions. For information about and examples of the types of predicate expressions you can specify, see Predicate expressions in the SPL2 Search Manual. The WHERE clause does not support wildcards, except for the percent sign (%) with the LIKE operator. Alternatively, instead of using the WHERE clause, you can use the Where function downstream in your pipeline.

SELECT
Description: Use the SELECT clause to assign alternative names to fields or apply scalar functions to a group of fields. See Types of expressions in the SPL2 Search Manual. Alternatively, instead of using the SELECT clause, you can use the Select function downstream in your pipeline.

When you specify the WHERE or SELECT optional arguments with the FROM clause, the resulting pipeline includes the Select and Where functions.

Order of clauses

There is a hierarchy to the from function clauses. You can skip clauses, but the clauses you use when building or editing a pipeline must follow the hierarchy. The hierarchy depends on whether you start with the FROM clause or the SELECT clause.
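To make the equivalence concrete, here is an added Python model (not SPL2 and not Splunk's code) of the pipeline the two strings build, run over three constructed events. It assumes the from function applies Where before Select, and it shows that giving WHERE and SELECT as from clauses yields the same records as using the Where and Select streaming functions downstream.

```python
import re

# Constructed sample events (not from the original page): each carries an
# "attributes" map that may or may not hold a syslog_message field.
EVENTS = [
    {"attributes": {"host": "fw1", "syslog_message": "Teardown TCP connection 12 for outside:203.0.113.5/443 to inside:10.0.0.8/51000"}},
    {"attributes": {"host": "fw1", "syslog_message": "Built inbound TCP connection 13 for outside:203.0.113.9/80 to inside:10.0.0.9/52000"}},
    {"attributes": {"host": "fw2"}},  # no syslog_message at all
]

# Stand-ins for the SPL2 scalar functions used in the page's example.
def map_get(m, key):
    return m.get(key) if isinstance(m, dict) else None
def cast(value, type_name):
    assert type_name == "string"  # the only cast the example needs
    return None if value is None else str(value)  # null stays null
def match_regex(value, pattern):
    return value is not None and re.search(pattern, value) is not None

# Stand-ins for the streaming functions: Where filters, Select projects.
def Where(records, predicate):
    return [r for r in records if predicate(r)]

def Select(records, projections):
    return [{name: expr(r) for name, expr in projections.items()} for r in records]

TEARDOWN = re.compile(r".*teardown.*outside.*inside", re.IGNORECASE)  # the /.../i literal

def syslog_message(r):  # cast(map_get(attributes, "syslog_message"), "string")
    return cast(map_get(r["attributes"], "syslog_message"), "string")
def where_pred(r):  # WHERE match_regex(cast(map_get(...), "string"), /.../i)
    return match_regex(syslog_message(r), TEARDOWN)
SELECT_PROJ = {"syslog_message": syslog_message}  # ... AS syslog_message

def from_function(source, select=None, where=None):
    # Assumed order in this model: Where runs before Select, which is why the
    # predicate repeats the cast expression instead of using the alias.
    records = list(source)
    if where is not None:
        records = Where(records, where)
    if select is not None:
        records = Select(records, select)
    return records

def clauses_in_from():  # WHERE and SELECT given as optional arguments of from
    return from_function(EVENTS, select=SELECT_PROJ, where=where_pred)
def streaming_downstream():  # bare from, then Where and Select downstream
    return Select(Where(from_function(EVENTS), where_pred), SELECT_PROJ)
```

Only the first event survives the WHERE predicate; the event with no syslog_message is dropped because the missing field casts to null and match_regex treats null as no match.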