Splunk to Axiom Processing Language (APL) Conversion Reference
Splunk and Axiom data Explorer are powerful tools for log analysis and data exploration. The data explorer interface uses Axiom Processing Language (APL). There are some differeces between the query languages for Splunk and Axiom. When transitioning from Splunk to APL, you will need to understand how to convert your Splunk SPL queries into APL.
This guide provides a high-level mapping from Splunk to APL.
Basic Searching
Splunk uses a search command for basic searching, while in APL, simply specify the dataset name followed by a filter.
Splunk:
search index="myIndex" errorAPL:
['myDatasaet']
| where FieldName contains “error”Filtering
In Splunk, perform filtering using the search command, usually specifying field names and their desired values. In APL, perform filtering by using the where operator.
Splunk:
Search index=”myIndex” error
| stats countAPL:
['myDataset']
| where fieldName contains “error”
| countAggregation
In Splunk, the stats command is used for aggregation. In APL, perform aggregation using the summarize operator.
Splunk:
search index="myIndex"
| stats count by statusAPL:
['myDataset']
| summarize count() by statusTime Frames
In Splunk, select a time range for a search in the time picker on the search page. In APL, filter by a time range using the where operator and the timespan field of the dataset.
Splunk:
search index="myIndex" earliest=-1d@d latest=nowAPL:
['myDataset']
| where _time >= ago(1d) and _time <= now()Sorting
In Splunk, the sort command is used to order the results of a search. In APL, perform sorting by using the sort by operator.
Splunk:
search index="myIndex"
| sort - content_typeAPL:
['myDataset']
| sort by countent_type descSelecting Fields
In Splunk, use the fields command to specify which fields to include or exclude in the search results. In APL, use the project operator, project-away operator, or the project-keep operator to specify which fields to include in the query results.
Splunk:
index=main sourcetype=mySourceType
| fields status, responseTimeAPL:
['myDataset']
| extend newName = oldName
| project-away oldNameRenaming Fields
In Splunk, rename fields using the rename command, while in APL rename fields using the extend, and project operator. Here is the general syntax:
Splunk:
index="myIndex" sourcetype="mySourceType"
| rename oldFieldName AS newFieldNameAPL:
['myDataset']
| where method == "GET"
| extend new_field_name = content_type
| project-away content_typeCalculated Fields
In Splunk, use the eval command to create calculated fields based on the values of other fields, while in APL use the extend operator to create calculated fields based on the values of other fields.
Splunk
search index="myIndex"
| eval newField=field1+field2APL:
['myDataset']
| extend newField = field1 + field2Structure and Concepts
The following table compares concepts and data structures between Splunk and APL logs.
| Concept | Splunk | APL | Comment |
|---|---|---|---|
| data caches | buckets | caching and retention policies | Controls the period and caching level for the data.This setting directly affects the performance of queries. |
| logical partition of data | index | dataset | Allows logical separation of the data. |
| structured event metadata | N/A | dataset | Splunk doesn’t expose the concept of metadata to the search language. APL logs have the concept of a dataset, which has fields and columns. Each event instance is mapped to a row. |
| data record | event | row | Terminology change only. |
| types | datatype | datatype | APL data types are more explicit because they are set on the fields. Both have the ability to work dynamically with data types and roughly equivalent sets of data types. |
| query and search | search | query | Concepts essentially are the same between APL and Splunk |
Functions
The following table specifies functions in APL that are equivalent to Splunk Functions.
| Splunk | APL |
|---|---|
| strcat | strcat() |
| split | split() |
| if | iff() |
| tonumber | todouble(), tolong(), toint() |
| upper, lower | toupper(), tolower() |
| replace | replace_string() or replace_regex() |
| substr | substring() |
| tolower | tolower() |
| toupper | toupper() |
| match | matches regex |
| regex | matches regex (in splunk, regex is an operator. In APL, it’s a relational operator.) |
| searchmatch | == (In splunk, searchmatch allows searching the exact string.) |
| random | rand(), rand(n) (Splunk’s function returns a number between zero to 231 -1. APL returns a number between 0.0 and 1.0, or if a parameter is provided, between 0 and n-1.) |
| now | now() |
In Splunk, the function is invoked by using the eval operator. In APL, it’s used as part of the extend or project.
In Splunk, the function is invoked by using the eval operator. In APL, it can be used with the where operator.
Filter
APL log queries start from a tabular result set in which a filter is applied. In Splunk, filtering is the default operation on the current index. You may also use the where operator in Splunk, but we don't recommend it.
| Product | Operator | Example |
|---|---|---|
| Splunk | search | Sample.Logs="330009.2" method="GET" _indextime>-24h |
| APL | where | ['sample-http-logs'] | where method == "GET" and _time > ago(24h) |
Get n events or rows for inspection
APL log queries also support take as an alias to limit. In Splunk, if the results are ordered, head returns the first n results. In APL, limit isn’t ordered, but it returns the first n rows that are found.
| Product | Operator | Example |
|---|---|---|
| Splunk | head | Sample.Logs=330009.2 | head 100 |
| APL | limit | ['sample-htto-logs'] | limit 100 |
Get the first n events or rows ordered by a field or column
For the bottom results, in Splunk, use tail. In APL, specify ordering direction by using asc.
| Product | Operator | Example |
|---|---|---|
| Splunk | head | Sample.Logs="33009.2" | sort Event.Sequence | head 20 |
| APL | top | ['sample-http-logs'] | top 20 by method |
Extend the result set with new fields or columns
Splunk has an eval function, but it's not comparable to the eval operator in APL. Both the eval operator in Splunk and the extend operator in APL support only scalar functions and arithmetic operators.
| Product | Operator | Example |
|---|---|---|
| Splunk | eval | Sample.Logs=330009.2 | eval state= if(Data.Exception = "0", "success", "error") |
| APL | extend | ['sample-http-logs'] | extend Grade = iff(req_duration_ms >= 80, "A", "B") |
Rename
APL uses the project operator to rename a field. In the project operator, a query can take advantage of any indexes that are prebuilt for a field. Splunk has a rename operator that does the same.
| Product | Operator | Example |
|---|---|---|
| Splunk | rename | Sample.Logs=330009.2 | rename Date.Exception as execption |
| APL | project | ['sample-http-logs'] | project updated_status = status |
Format results and projection
Splunk uses the table command to select which columns to include in the results. APL has a project operator that does the same and more.
| Product | Operator | Example |
|---|---|---|
| Splunk | table | Event.Rule=330009.2 | table rule, state |
| APL | project | ['sample-http-logs'] | project status, method |
Splunk uses the field - command to select which columns to exclude from the results. APL has a project-away operator that does the same.
| Product | Operator | Example |
|---|---|---|
| Splunk | fields - | Sample.Logs=330009.2` | fields - quota, hightest_seller |
| APL | project-away | ['sample-http-logs'] | project-away method, status |
Aggregation
See the list of summarize aggregations functions that are available.
| Splunk operator | Splunk example | APL operator | APL example |
|---|---|---|---|
| stats | search (Rule=120502.*) | stats count by OSEnv, Audience | summarize | ['sample-http-logs'] | summarize count() by content_type, status |
Sort
In Splunk, to sort in ascending order, you must use the reverse operator. APL also supports defining where to put nulls, either at the beginning or at the end.
| Product | Operator | Example |
|---|---|---|
| Splunk | sort | Sample.logs=120103 | sort Data.Hresult | reverse |
| APL | order by | ['sample-http-logs'] | order by status desc |
Whether you're just starting your transition or you're in the thick of it, this guide can serve as a helpful roadmap to assist you in your journey from Splunk to Axiom Processing Language.
Dive into the Axiom Processing Language, start converting your Splunk queries to APL, and explore the rich capabilities of Axiom Data Explorer. Embrace the learning curve, and remember, every complex query you master is another step forward in your data analytics journey.
Good luck and happy data exploring!