Splunk® Data Stream Processor

Function Reference

DSP 1.2.1 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end of support date. See the Splunk Software Support Policy for details.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Overview of evaluation scalar functions

Use evaluation scalar functions to evaluate an expression based on your records and return a result.

Functions that use evaluation scalar functions

You can use evaluation scalar functions with the Eval, Where, and Select streaming functions. See the following pages for more information, including examples of how evaluation scalar functions are used with these streaming functions:

You can also use evaluation scalar functions with any function that has an argument that accepts expressions. For example, the Send to a Splunk Index with Batching sink function has an index argument that accepts expression<string> values. When configuring this index argument, you can specify an expression that uses evaluation scalar functions to resolve to a string value. For example, you can specify the following expression, which uses the map_get function to extract an index value from a map called attributes, and then uses the cast function to cast the extracted value to the string data type: cast(map_get(attributes, "index"), "string")

Using evaluation scalar functions

  • All functions that accept strings can accept either a literal string or any field. 
  • All functions that accept numbers can accept either literal numbers or any numeric field.

Specifying literal strings

For most evaluation functions, when a string argument is expected you can specify either a literal string or a field. The literal string must be enclosed in double quotation marks. For example, if you have a field called name that contains the names of your servers and you want to append the literal string server to the end of each name, you would specify name + "server".

Nested functions

You can specify a function as an argument to another function.

In the following example, the cidrmatch function is used as the first argument in the if function.

... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local");
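The nested expression above, evaluated over constructed records as an added example. This is a Python model of the semantics the page describes, not DSP code or Splunk's implementation: cidrmatch, if_ and eval_is_local are hypothetical stand-ins for the DSP functions, and the handling of a missing or malformed ip (treated as no match, so the else branch is taken) is an assumption that this page does not cover.

```python
"""Added example: a Python model of the nested DSP expression

    eval isLocal=if(cidrmatch("123.132.32.0/25", ip), "local", "not local")

run over constructed records, to show the evaluation order (inner function
first) and which addresses the /25 block admits at its edges. Not DSP code."""
import ipaddress
from typing import Any, Dict, List, Optional


def cidrmatch(cidr: str, ip: Optional[str]) -> bool:
    """Model of cidrmatch(cidr, ip): true when ip falls inside cidr.

    Assumption of this model: a missing (null) or unparsable ip yields
    false, so the if() below takes its "not local" branch. How DSP itself
    treats a null or malformed ip is not covered by the page."""
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def if_(condition: bool, then_value: Any, else_value: Any) -> Any:
    """Model of if(condition, then, else)."""
    return then_value if condition else else_value


def eval_is_local(record: Dict[str, Any]) -> Dict[str, Any]:
    """Model of `eval isLocal=...`: adds isLocal to a copy of the record."""
    out = dict(record)
    out["isLocal"] = if_(
        cidrmatch("123.132.32.0/25", record.get("ip")),  # inner function evaluated first
        "local",
        "not local",
    )
    return out


# Constructed sample records (not real traffic). 123.132.32.0/25 covers
# 123.132.32.0 through 123.132.32.127, so .127 is the last "local" address
# and .128 is the first address outside the block.
RECORDS: List[Dict[str, Any]] = [
    {"ip": "123.132.32.0"},
    {"ip": "123.132.32.127"},
    {"ip": "123.132.32.128"},
    {"ip": "10.0.0.5"},
    {"ip": "not-an-ip"},
    {},  # ip field absent, i.e. null
]


def run(records: List[Dict[str, Any]]) -> List[str]:
    """Evaluate the expression over every record and return the isLocal values."""
    return [eval_is_local(r)["isLocal"] for r in records]


if __name__ == "__main__":
    for rec, label in zip(RECORDS, run(RECORDS)):
        print(f"{rec.get('ip', '<null>'):>16}  ->  {label}")
```

The point worth checking in a real pipeline is the boundary: a /25 ends at .127, so an off-by-one in the mask silently reclassifies half the subnet, and a record with no ip field never reaches the "local" branch in this model.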

Operators

The following tables list the basic arithmetic, Boolean and comparison operators that you can use with the evaluation functions. For these operations to work, the values must be valid for the type of operation. With the exception of addition, which also concatenates strings, arithmetic operators might not produce valid results if the values are not numeric. When + concatenates values, Splunk software reads both values as strings regardless of their type.

Arithmetic operators

Operator  Action          Description
+         Addition        Accepts two numbers and produces a number.
-         Subtraction     Accepts two numbers and produces a number.
*         Multiplication  Accepts two numbers and produces a number.
/         Division        Accepts two numbers and produces a number.
%         Modulo          Accepts two numbers and produces a number.

Boolean operators

Operator     Action                     Description
AND          Logical AND operator       Accepts two Boolean values and produces a Boolean.
OR           Logical OR operator        Accepts two Boolean values and produces a Boolean.
NOT          Logical NOT operator       Accepts one Boolean value and produces the inverse of the value.
XOR          Exclusive OR operator      Accepts two Boolean values and produces a Boolean.
IS NULL      NULL operator              Accepts a value and returns true if the field value is NULL.
IS NOT NULL  NULL operator              Accepts a value and returns true if the field value is not NULL.
<            Less than                  Accepts two numbers and produces a Boolean.
>            Greater than               Accepts two numbers and produces a Boolean.
<=           Less than or equal to      Accepts two numbers or two strings and produces a Boolean.
>=           Greater than or equal to   Accepts two numbers and produces a Boolean.
!=           Not equal to               Accepts two numbers or two strings and produces a Boolean.
= or ==      Equal to                   In expressions, the = and == operators are synonymous. They compare the values on the left and right sides of the expression and produce true if the values are equal and false if they are not.
LIKE         Text pattern matching      Accepts two strings, as in string LIKE pattern, and produces a Boolean. The pattern supports literal text, a percent ( % ) character as a wildcard for any run of characters, and an underscore ( _ ) character for a single character match.
IN           Matching operator          Accepts a value and a list, and checks whether the value is in the list. The list can be either a list literal or a field containing a list, as in string IN (1, 2, 3) or string IN (list_field). Produces a Boolean.

For example, field LIKE "a%b_" matches any string starting with a, followed by anything, followed by b, followed by exactly one character.
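The LIKE and IN operators from the table, as an added Python model of the semantics described above; this is not DSP code or Splunk's implementation. The page documents only % (any run of characters, including none), _ (exactly one character) and literal text, so the model implements exactly that and, because the page lists no escape character, treats every % and _ in the pattern as a wildcard. The function names like_to_regex, like, in_ and field_in_list and the sample records are constructed for this example.

```python
"""Added example: a Python model of the LIKE and IN operators on this page.
Not DSP code. LIKE is modelled by translating the pattern into an anchored
regular expression; IN by membership in a literal or field-supplied list."""
import re
from typing import Any, Dict, Iterable, Optional


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a LIKE pattern into a regular expression.

    Everything other than % and _ is escaped, so regex metacharacters in
    the pattern (. * ( ) and so on) match themselves, as the page's
    "literal text" rule requires. The page names no escape character, so
    every % and _ is treated as a wildcard (assumption of this model)."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")   # zero or more of any character
        elif ch == "_":
            parts.append(".")    # exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def like(value: Optional[str], pattern: str) -> bool:
    """Model of `value LIKE pattern`: the whole value must match, not a substring.
    Assumption of this model: a null value never matches."""
    if value is None:
        return False
    return like_to_regex(pattern).fullmatch(value) is not None


def in_(value: Any, candidates: Iterable[Any]) -> bool:
    """Model of `value IN (...)`; the list may be a literal or come from a field."""
    return any(value == c for c in candidates)


# Constructed samples (not real data) for the page's own pattern "a%b_":
# starts with a, anything, then b, then exactly one more character.
PATTERN = "a%b_"
SAMPLES: Dict[str, bool] = {
    "abz": True,       # % matches the empty string, _ matches z
    "axxxbz": True,
    "ab": False,       # nothing left for _ to match
    "abzz": False,     # _ matches exactly one character, not two
    "xabz": False,     # anchored: the value must start with a
    "a.bz": True,      # the dot is ordinary text, consumed by %
}


def check_samples() -> Dict[str, bool]:
    """Return {value: like(value, PATTERN)} for the constructed samples."""
    return {v: like(v, PATTERN) for v in SAMPLES}


def field_in_list(record: Dict[str, Any]) -> bool:
    """Model of `status IN (allowed)` where allowed is a list-valued field."""
    return in_(record.get("status"), record.get("allowed", []))


if __name__ == "__main__":
    for value, matched in check_samples().items():
        print(f"{value!r:10} LIKE {PATTERN!r} -> {matched}")
    print(field_in_list({"status": 404, "allowed": [200, 301, 404]}))
```

Two points a practitioner would want from this model: the match is over the whole value, so "xabz" fails even though it contains "abz", and the wildcards are interpreted on the pattern side, so a pattern assembled from record data (for instance a user-supplied string) is itself a wildcard expression and can match far more than the literal text suggests.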
Last modified on 08 April, 2022

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5
