docs/user/ppl/reference/splunk_to_ppl_cheat_sheet.md
Lines changed: 9 additions & 1 deletion
@@ -8,6 +8,7 @@ This cheat sheet helps Splunk users transition to OpenSearch's PPL. It maps comm
8
8
|--------|------------|---------------|-------|
9
9
| Query structure |`search terms \| command`|`source = index \| command`| PPL requires explicit source at the beginning |
10
10
| Index reference |`index=name*`|`source=name*`| Different command to specify data source, [PPL support refering to multiple indices](https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/general/identifiers.rst#multiple-indices)|
11
+
| Raw field | Special `_raw` field | Identify a field in your OpenSearch data that contains the text content you want to work with (often `message` or `content` fields in log data) | No default raw field |
11
12
| Time field | Special `_time` field | User-specified timestamp field | No default time field in PPL, must reference it explicitly |
12
13
13
14
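Review bot: In the added "Raw field" row, the PPL column holds a full instruction sentence ("Identify a field in your OpenSearch data that contains the text content you want to work with ...") where every neighbouring row gives a short equivalent. Suggest mirroring the "Time field" row directly below it: put something like "User-specified text field" in the PPL column and move the guidance about `message` or `content` fields into the Notes column next to "No default raw field", so the table stays scannable and the two rows read in parallel.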
@@ -155,9 +156,16 @@ This table provides a mapping between Splunk SPL commands and their OpenSearch P
155
156
| Include fields |`... \| fields field1, field2`|`... \| fields field1, field2`| Same syntax |
| Basic null replacement |`... \| fillnull value=0 field1`|`... \| fillnull with 0 in field1`| Similar syntax but uses `with...in` format |
167
+
| Multiple fields |`... \| fillnull value="N/A" field1, field2, field3`|`... \| fillnull with 'N/A' in field1, field2, field3`| Similar syntax but uses `with...in` format |
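Review bot: The Notes cell of the added "Multiple fields" row repeats the preceding row's note word for word ("Similar syntax but uses `with...in` format"), while the one visible difference in this row goes unexplained: the SPL example quotes the value as "N/A" and the PPL example as 'N/A'. If the quoting style matters in PPL, say so in the note; if it does not, use the same quotes on both sides so readers do not infer a requirement. The row label would also be clearer as "Null replacement, multiple fields", since "Multiple fields" on its own does not say which command it belongs to.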