# Splunk
### SELECT Statements
A SELECT statement can consist of the following basic clauses.
* SELECT
* INTO
* FROM
* JOIN
* WHERE
* GROUP BY
* HAVING
* UNION
* ORDER BY
* LIMIT
### SELECT Syntax
The following syntax diagram outlines the syntax supported by the SQL engine of the provider:
\| SELECT {
\[ TOP \ | DISTINCT ]
{
*
| {
\ \[ \[ AS ] \ ]
| { \ | \ } .*
} \[ , ... ]
}
\[ INTO csv:// \[ filename= ] \ \[ ;delimiter=tab ] ]
{
FROM \ \[ \[ AS ] \ ]
} \[ , ... ]
\[ \[
INNER | { { LEFT | RIGHT | FULL } \[ OUTER ] }
] JOIN \ \[ ON \ ] \[ \[ AS ] \ ]
] \[ ... ]
\[ WHERE \ ]
\[ GROUP BY \ \[ , ... ]
\[ HAVING \ ]
\[ UNION \[ ALL ] \ ]
\[
ORDER BY
\ \[ ASC | DESC ] \[ NULLS FIRST | NULLS LAST ]
]
\[
LIMIT \
\[
{ OFFSET | , }
\
]
]
} | SCOPE\_IDENTITY()
\ ::=
| \
| @ \
| ?
| COUNT( \* | { \[ DISTINCT ] \ } )
| { AVG | MAX | MIN | SUM | COUNT } ( \ )
| NULLIF ( \ , \ )
| COALESCE ( \ , ... )
| CASE \
WHEN { \ | \ } THEN { \ | NULL } \[ ... ]
\[ ELSE { \ | NULL } ]
END
| \
| \
\ ::=
{
\ { = | > | < | >= | <= | <> | != | LIKE | NOT LIKE | IN | NOT IN | IS NULL | IS NOT NULL | AND | OR | CONTAINS | BETWEEN } \[ \ ]
} \[ { AND | OR } ... ]
|
\| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
#### Examples
1. Return all columns:
| `SELECT * FROM DataModels` |
| -------------------------- |
2. Rename a column:
| `SELECT [Owner] AS MY_Owner FROM DataModels` |
| -------------------------------------------- |
3. Cast a column's data as a different data type:
| `SELECT CAST(DatasetLimiting AS VARCHAR) AS Str_DatasetLimiting FROM DataModels` |
| -------------------------------------------------------------------------------- |
4. Search data:
| `SELECT * FROM DataModels WHERE Id = 'SampleDataset'` |
| ----------------------------------------------------- |
5. Return the number of items matching the query criteria:
| `SELECT COUNT(*) AS MyCount FROM DataModels` |
| -------------------------------------------- |
6. Return the number of unique items matching the query criteria:
| `SELECT COUNT(DISTINCT Owner) FROM DataModels` |
| ---------------------------------------------- |
7. Return the unique items matching the query criteria:
| `SELECT DISTINCT Owner FROM DataModels` |
| --------------------------------------- |
8. Summarize data:
| `SELECT Owner, MAX(DatasetLimiting) FROM DataModels GROUP BY Owner` |
| ------------------------------------------------------------------- |
See Aggregate Functions below for details.
9. Retrieve data from multiple tables.
| `SELECT DataModels.Name, Datasets.ObjectName FROM DataModels INNER JOIN Datasets ON DataModels.Id = Datasets.ModelName` |
| ----------------------------------------------------------------------------------------------------------------------- |
See JOIN Queries below for details.
10. Sort a result set in ascending order:
| `SELECT Name, Owner FROM DataModels ORDER BY Owner ASC` |
| -------------------------------------------------------- |
11. Restrict a result set to the specified number of rows:
| `SELECT Name, Owner FROM DataModels LIMIT 10` |
| --------------------------------------------- |
12. Parameterize a query to pass in inputs at execution time. This enables you to create prepared statements and mitigate SQL injection attacks.
| `SELECT * FROM DataModels WHERE Id = @param` |
| -------------------------------------------- |
### Aggregate Functions
#### COUNT
Returns the number of rows matching the query criteria.
| `SELECT COUNT(*) FROM DataModels WHERE Id = 'SampleDataset'` |
| ------------------------------------------------------------ |
#### COUNT(DISTINCT)
Returns the number of distinct, non-null field values matching the query criteria.
| `SELECT COUNT(DISTINCT Name) AS DistinctValues FROM DataModels WHERE Id = 'SampleDataset'` |
| ------------------------------------------------------------------------------------------ |
#### AVG
Returns the average of the column values.
| `SELECT Owner, AVG(DatasetLimiting) FROM DataModels WHERE Id = 'SampleDataset'` `GROUP BY Owner` |
| ------------------------------------------------------------------------------------------------- |
#### MIN
Returns the minimum column value.
| `SELECT MIN(DatasetLimiting), Owner FROM DataModels WHERE Id = 'SampleDataset'` `GROUP BY Owner` |
| ------------------------------------------------------------------------------------------------ |
#### MAX
Returns the maximum column value.
| `SELECT Owner, MAX(DatasetLimiting) FROM DataModels WHERE Id = 'SampleDataset'` `GROUP BY Owner` |
| ------------------------------------------------------------------------------------------------ |
#### SUM
Returns the total sum of the column values.
| `SELECT SUM(DatasetLimiting) FROM DataModels WHERE Id = 'SampleDataset'` |
| ------------------------------------------------------------------------ |
### JOIN Queries
The Provider for Splunk supports standard SQL joins like the following examples.
#### Inner Join
An inner join selects only rows from both tables that match the join condition:
| `SELECT DataModels.Name, Datasets.ObjectName FROM DataModels INNER JOIN Datasets ON DataModels.Id = Datasets.ModelName` |
| ----------------------------------------------------------------------------------------------------------------------- |
#### Left Join
A left join selects all rows in the FROM table and only matching rows in the JOIN table:
| `SELECT DataModels.Name, Datasets.ObjectName FROM DataModels LEFT JOIN Datasets ON DataModels.Id = Datasets.ModelName` |
| ---------------------------------------------------------------------------------------------------------------------- |
### Date Literal Functions
The following date literal functions can be used to filter date fields using relative intervals. Note that while the <, >, and = operators are supported for these functions, <= and >= are not.
#### L\_TODAY()
The current day.
| `SELECT * FROM MyTable WHERE MyDateField = L_TODAY()` |
| ----------------------------------------------------- |
#### L\_YESTERDAY()
The previous day.
| `SELECT * FROM MyTable WHERE MyDateField = L_YESTERDAY()` |
| --------------------------------------------------------- |
#### L\_TOMORROW()
The following day.
| `SELECT * FROM MyTable WHERE MyDateField = L_TOMORROW()` |
| -------------------------------------------------------- |
#### L\_LAST\_WEEK()
Every day in the preceding week.
| `SELECT * FROM MyTable WHERE MyDateField = L_LAST_WEEK()` |
| --------------------------------------------------------- |
#### L\_THIS\_WEEK()
Every day in the current week.
| `SELECT * FROM MyTable WHERE MyDateField = L_THIS_WEEK()` |
| --------------------------------------------------------- |
#### L\_NEXT\_WEEK()
Every day in the following week.
| `SELECT * FROM MyTable WHERE MyDateField = L_NEXT_WEEK()` |
| --------------------------------------------------------- |
Also available:
* L\_LAST/L\_THIS/L\_NEXT MONTH
* L\_LAST/L\_THIS/L\_NEXT QUARTER
* L\_LAST/L\_THIS/L\_NEXT YEAR
#### L\_LAST\_N\_DAYS(n)
The previous n days, excluding the current day.
| `SELECT * FROM MyTable WHERE MyDateField = L_LAST_N_DAYS(3)` |
| ------------------------------------------------------------ |
#### L\_NEXT\_N\_DAYS(n)
The following n days, including the current day.
| `SELECT * FROM MyTable WHERE MyDateField = L_NEXT_N_DAYS(3)` |
| ------------------------------------------------------------ |
Also available:
* L\_LAST/L\_NEXT\_90\_DAYS
#### L\_LAST\_N\_WEEKS(n)
Every day in every week, starting n weeks before current week, and ending in the previous week.
| `SELECT * FROM MyTable WHERE MyDateField = L_LAST_N_WEEKS(3)` |
| ------------------------------------------------------------- |
#### L\_NEXT\_N\_WEEKS(n)
Every day in every week, starting the following week, and ending n weeks in the future.
| `SELECT * FROM MyTable WHERE MyDateField = L_NEXT_N_WEEKS(3)` |
| ------------------------------------------------------------- |
Also available:
* L\_LAST/L\_NEXT\_N\_MONTHS(n)
* L\_LAST/L\_NEXT\_N\_QUARTERS(n)
* L\_LAST/L\_NEXT\_N\_YEARS(n)
### Projection Functions
#### AVG(\[DISTINCT] expression)
Returns the average of the values of field expression.
* expression: The expression to use to compute the average.
#### COUNT(\[DISTINCT] expression)
Returns the number of occurrences of the field expression. To indicate a specific field value to match, format expression as eval(field="value").
* expression: The expression to use to compute the count.
#### EARLIEST(expression)
Returns the chronologically earliest seen value of expression.
* expression: The expression to use to compute the earliest.
#### LATEST(expression)
Returns the chronologically latest seen value of expression.
* expression: The expression to use to compute the latest.
#### MAX(\[DISTINCT] expression)
Returns the maximum value of the field expression. If the values of expression are non-numeric, the max is found from alphabetical ordering.
* expression: The expression to use to compute the max.
#### MEDIAN(expression)
Returns the middle-most value of the field.
* expression: The expression to use to compute the median.
#### MIN(\[DISTINCT] expression)
Returns the minimum value of the field expression. If the values of expression are non-numeric, the min is found from alphabetical ordering.
* expression: The expression to use to compute the min.
#### MODE(expression)
Returns the most frequent value of the field expression.
* expression: The expression to use to compute the mode.
#### RANGE(expression)
Returns the difference between the max and min values of the field expression.
* expression: The expression to use to compute the range.
#### SUM(\[DISTINCT] expression)
Returns the sum of the values of the field expression.
* expression: The expression to use to compute the sum.
#### SUMSQ(expression)
Returns the sum of the squares of the values of the field expression.
* expression: The expression to use to compute the sum of the squares.
#### STDEV(expression)
Returns the sample standard deviation of the field expression.
* expression: The expression to use to compute the sum of the STDEV.
#### STDEVP(expression)
Returns the population standard deviation of the field expression.
* expression: The expression to use to compute the sum of the STDEVP.
#### VAR(expression)
Returns the sample variance of the field expression.
* expression: The expression to use to compute the sum of the VAR.
#### VARP(expression)
Returns the population variance of the field expression.
* expression: The expression to use to compute the sum of the VARP.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.appstrategy.com/apprules-r-documentation/platform/platform-features/system-settings/data-sources/sql-compliance/aimachinelearning/splunk.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.