Splunk
A SELECT statement can consist of the following basic clauses.
SELECT
INTO
FROM
JOIN
WHERE
GROUP BY
HAVING
UNION
ORDER BY
LIMIT

The following syntax diagram outlines the syntax supported by the SQL engine of the provider:

    SELECT {
      [ TOP <numeric_literal> | DISTINCT ]
      {
        *
        | {
            <expression> [ [ AS ] <column_reference> ]
            | { <table_name> | <correlation_name> } .*
          } [ , ... ]
      }
      [ INTO csv:// [ filename= ] <file_path> [ ;delimiter=tab ] ]
      {
        FROM <table_reference> [ [ AS ] <identifier> ]
      } [ , ... ]
      [ [
          INNER | { { LEFT | RIGHT | FULL } [ OUTER ] }
        ] JOIN <table_reference> [ ON <search_condition> ] [ [ AS ] <identifier> ]
      ] [ ... ]
      [ WHERE <search_condition> ]
      [ GROUP BY <column_reference> [ , ... ]
      [ HAVING <search_condition> ]
      [ UNION [ ALL ] <select_statement> ]
      [
        ORDER BY
        <column_reference> [ ASC | DESC ] [ NULLS FIRST | NULLS LAST ]
      ]
      [
        LIMIT <expression>
        [
          { OFFSET | , }
          <expression>
        ]
      ]
    } | SCOPE_IDENTITY()

    <expression> ::=
      | <column_reference>
      | @ <parameter>
      | ?
      | COUNT( * | { [ DISTINCT ] <expression> } )
      | { AVG | MAX | MIN | SUM | COUNT } ( <expression> )
      | NULLIF ( <expression> , <expression> )
      | COALESCE ( <expression> , ... )
      | CASE <expression>
          WHEN { <expression> | <search_condition> } THEN { <expression> | NULL } [ ... ]
        [ ELSE { <expression> | NULL } ]
        END
      | <literal>
      | <sql_function>

    <search_condition> ::=
      {
        <expression> { = | > | < | >= | <= | <> | != | LIKE | NOT LIKE | IN | NOT IN | IS NULL | IS NOT NULL | AND | OR | CONTAINS | BETWEEN } [ <expression> ]
      } [ { AND | OR } ... ]

Return all columns:
    SELECT * FROM DataModels

Rename a column:
    SELECT [Owner] AS MY_Owner FROM DataModels

Cast a column's data as a different data type:
    SELECT CAST(DatasetLimiting AS VARCHAR) AS Str_DatasetLimiting FROM DataModels

Search data:
    SELECT * FROM DataModels WHERE Id = 'SampleDataset'

Return the number of items matching the query criteria:
    SELECT COUNT(*) AS MyCount FROM DataModels

Return the number of unique items matching the query criteria:
    SELECT COUNT(DISTINCT Owner) FROM DataModels

Return the unique items matching the query criteria:
    SELECT DISTINCT Owner FROM DataModels

Summarize data:
    SELECT Owner, MAX(DatasetLimiting) FROM DataModels GROUP BY Owner
See Aggregate Functions below for details.

Retrieve data from multiple tables:
    SELECT DataModels.Name, Datasets.ObjectName FROM DataModels INNER JOIN Datasets ON DataModels.Id = Datasets.ModelName
See JOIN Queries below for details.

Sort a result set in ascending order:
    SELECT Name, Owner FROM DataModels ORDER BY Owner ASC

Restrict a result set to the specified number of rows:
    SELECT Name, Owner FROM DataModels LIMIT 10

Parameterize a query to pass in inputs at execution time. This enables you to create prepared statements and mitigate SQL injection attacks.
    SELECT * FROM DataModels WHERE Id = @param

Aggregate Functions

Returns the number of rows matching the query criteria.
    SELECT COUNT(*) FROM DataModels WHERE Id = 'SampleDataset'

Returns the number of distinct, non-null field values matching the query criteria.
    SELECT COUNT(DISTINCT Name) AS DistinctValues FROM DataModels WHERE Id = 'SampleDataset'

Returns the average of the column values.
    SELECT Owner, AVG(DatasetLimiting) FROM DataModels WHERE Id = 'SampleDataset' GROUP BY Owner

Returns the minimum column value.
    SELECT MIN(DatasetLimiting), Owner FROM DataModels WHERE Id = 'SampleDataset' GROUP BY Owner

Returns the maximum column value.
    SELECT Owner, MAX(DatasetLimiting) FROM DataModels WHERE Id = 'SampleDataset' GROUP BY Owner

Returns the total sum of the column values.
    SELECT SUM(DatasetLimiting) FROM DataModels WHERE Id = 'SampleDataset'

JOIN Queries

The Provider for Splunk supports standard SQL joins like the following examples.

An inner join selects only rows from both tables that match the join condition:
    SELECT DataModels.Name, Datasets.ObjectName FROM DataModels INNER JOIN Datasets ON DataModels.Id = Datasets.ModelName

A left join selects all rows in the FROM table and only matching rows in the JOIN table:
    SELECT DataModels.Name, Datasets.ObjectName FROM DataModels LEFT JOIN Datasets ON DataModels.Id = Datasets.ModelName

The following date literal functions can be used to filter date fields using relative intervals. Note that while the <, >, and = operators are supported for these functions, <= and >= are not.

The current day.
    SELECT * FROM MyTable WHERE MyDateField = L_TODAY()

The previous day.
    SELECT * FROM MyTable WHERE MyDateField = L_YESTERDAY()

The following day.
    SELECT * FROM MyTable WHERE MyDateField = L_TOMORROW()

Every day in the preceding week.
    SELECT * FROM MyTable WHERE MyDateField = L_LAST_WEEK()

Every day in the current week.
    SELECT * FROM MyTable WHERE MyDateField = L_THIS_WEEK()

Every day in the following week.
    SELECT * FROM MyTable WHERE MyDateField = L_NEXT_WEEK()

Also available:
L_LAST/L_THIS/L_NEXT MONTH
L_LAST/L_THIS/L_NEXT QUARTER
L_LAST/L_THIS/L_NEXT YEAR

The previous n days, excluding the current day.
    SELECT * FROM MyTable WHERE MyDateField = L_LAST_N_DAYS(3)

The following n days, including the current day.
    SELECT * FROM MyTable WHERE MyDateField = L_NEXT_N_DAYS(3)

Also available:
L_LAST/L_NEXT_90_DAYS

Every day in every week, starting n weeks before current week, and ending in the previous week.
    SELECT * FROM MyTable WHERE MyDateField = L_LAST_N_WEEKS(3)

Every day in every week, starting the following week, and ending n weeks in the future.
    SELECT * FROM MyTable WHERE MyDateField = L_NEXT_N_WEEKS(3)

Also available:
L_LAST/L_NEXT_N_MONTHS(n)
L_LAST/L_NEXT_N_QUARTERS(n)
L_LAST/L_NEXT_N_YEARS(n)

Returns the average of the values of field expression.
expression: The expression to use to compute the average.

Returns the number of occurrences of the field expression. To indicate a specific field value to match, format expression as eval(field="value").
expression: The expression to use to compute the count.

Returns the chronologically earliest seen value of expression.
expression: The expression to use to compute the earliest.

Returns the chronologically latest seen value of expression.
expression: The expression to use to compute the latest.

Returns the maximum value of the field expression. If the values of expression are non-numeric, the max is found from alphabetical ordering.
expression: The expression to use to compute the max.

Returns the middle-most value of the field.
expression: The expression to use to compute the median.

Returns the minimum value of the field expression. If the values of expression are non-numeric, the min is found from alphabetical ordering.
expression: The expression to use to compute the min.

Returns the most frequent value of the field expression.
expression: The expression to use to compute the mode.

Returns the difference between the max and min values of the field expression.
expression: The expression to use to compute the range.

Returns the sum of the values of the field expression.
expression: The expression to use to compute the sum.

Returns the sum of the squares of the values of the field expression.
expression: The expression to use to compute the sum of the squares.

Returns the sample standard deviation of the field expression.
expression: The expression to use to compute the STDEV.

Returns the population standard deviation of the field expression.
expression: The expression to use to compute the STDEVP.

Returns the sample variance of the field expression.
expression: The expression to use to compute the VAR.

Returns the population variance of the field expression.
expression: The expression to use to compute the VARP.
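
The parameterized form from the examples on this page (`WHERE Id = @param`), set beside string concatenation, as an added example that is not part of the provider's documentation. It assumes Python's built-in `sqlite3` as an offline stand-in for a provider connection (SQLite accepts the same `@param` marker); the rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; column names follow the page's DataModels examples.
ROWS = [
    ("SampleDataset", "Sample", "admin"),
    ("Authentication", "Authentication", "nobody"),
    ("Network_Traffic", "Network Traffic", "nobody"),
]


def open_db():
    """In-memory stand-in for the provider connection (assumption: sqlite3)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE DataModels (Id TEXT, Name TEXT, Owner TEXT)")
    db.executemany("INSERT INTO DataModels VALUES (?, ?, ?)", ROWS)
    return db


def lookup_concatenated(db, model_id):
    """Weak form: the input is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT Id FROM DataModels WHERE Id = '" + model_id + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, model_id):
    """Hardened form: the page's @param marker; the value is bound as data."""
    sql = "SELECT Id FROM DataModels WHERE Id = @param"
    return [row[0] for row in db.execute(sql, {"param": model_id})]


if __name__ == "__main__":
    db = open_db()
    hostile = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    for label, fn in (("concatenated", lookup_concatenated),
                      ("parameterized", lookup_parameterized)):
        print(label, "benign :", fn(db, "SampleDataset"))
        print(label, "hostile:", fn(db, hostile))
```

With the hostile input the concatenated query returns every row, while the bound query returns none because the whole string is compared against Id as a single value.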