On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Filter
Keep events that pass a Boolean function. This function only takes scalar functions that output Boolean.
- Function Input
collection<record<R>>- This function takes in collections of records with schema R.
- Function Output
collection<record<R>>- This function outputs collections of records with schema R.
Arguments
| Argument | Input | Description | UI example |
|---|---|---|---|
| predicate | expression<boolean> | A boolean expression, where the expression returns either true or false. | not(eq(map-get(get("attributes"),"0"), "true"));
|
DSL examples
1. Filter for events that occur past a specific timestamp:
gt(get("timestamp"), 1546329600L);
2. Filters out events that are null in the _value field:
not(eq(get("_value"), null));
3. Filters for events with vmstat sourcetype:
eq(get("source_type"), "vmstat");
4. Filters for events with either syslog sourcetype or vmstat sourcetypes:
or(
eq(get("source_type"), "syslog"),
eq(get("source_type"), "vmstat")
);
5. Use the like comparison operator similar to a wildcard:
Returns only records where the source_type field begins with "cisco".
like(get("source_type"), "cisco%");
Last modified on 17 December, 2019
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
Download manual
Feedback submitted, thanks!