This topic describes how to use control instructions and provides examples.
.let
Defines a named dataset to use as input for subsequent Structured Process Language (SPL) expressions. For more information about SPL datasets, see SPL datasets.
Syntax
.let <dataset>=<spl-expr>Parameters
Parameter | Type | Required | Description |
dataset | String | Yes | The name of the dataset. The name can contain letters, digits, and underscores (_). It must start with a letter and is case-sensitive. |
spl-expr | SPLExp | Yes | The SPL expression that generates the dataset. |
Example
Filter and classify access logs by status code and output the results.
SPL statement
-- Define the SPL processing result as the named dataset 'src' to use as input for subsequent SPL expressions. .let src = * | where status=cast(status as BIGINT); -- Use the named dataset 'src' as input. Filter for data where the status field is 5xx. Define the result as the dataset 'err'. Do not output the result. .let err = $src | where status >= 500 | extend msg='ERR'; -- Use the named dataset 'src' as input. Filter for data where the status field is 2xx. Define the result as the dataset 'ok'. Do not output the result. .let ok = $src | where status >= 200 and status < 300 | extend msg='OK'; -- Output the named datasets 'err' and 'ok'. $err; $ok;Input data
# Entry 1 status: '200' body: 'this is a test' # Entry 2 status: '500' body: 'internal error' # Entry 3 status: '404' body: 'not found'Output
# Entry 1: Dataset is 'err' status: '500' body: 'internal error' msg: 'ERR' # Entry 2: Dataset is 'ok' status: '200' body: 'this is a test' msg: 'OK'