This topic describes how to use SPL datasets and provides examples.
Categories
Named datasets
The .let instruction defines a named dataset. The dataset is then used as input for subsequent Structured Process Language (SPL) expressions and referenced with the $ symbol.
Unnamed datasets
An SPL expression that does not use the .let instruction produces an unnamed dataset. The result is output directly.
Examples
The following SPL example produces the following outputs:
Named dataset: The named dataset 'valid' contains data where the mode field has a value of 'a'.
Unnamed dataset: The unnamed dataset contains data that either does not contain the mode field or contains it with a value of 'b'.
-- Filter for data that does not contain the mode field. This generates an unnamed dataset and is output directly.
*
| where mode is null;
-- Filter for data that contains the mode field and define it as the named dataset 'src'. This is not output.
.let src = *
| where mode is not null;
-- Use the named dataset 'src' as input. Define the result as the dataset 'valid'. This is not output.
.let valid = $src
| where mode = 'a'
| parse-regexp content, '(\S+)\s+(\S+)\s+(\S+)' as x, y, z
| project x, y, z;
-- Output the named dataset 'valid'.
$valid;
-- Use the named dataset 'src' as input. This generates an unnamed dataset and is output directly.
$src
| where mode = 'b'
| parse-csv content as u, v
| project u, v;