On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.
data types
The is strongly and implicitly typed. This means that in order to satisfy the type checker, sometimes data needs to be converted or cast to different types. Use the information on this page to learn about the supported data types and as a reference on how to successfully convert the data types of your fields. Data type conversions are essential for ensuring that your function arguments are processed correctly, and that your data is sent in a format recognized by your data destination.
Basic data types
The following table describes the basic data types that the supports. In addition, this table also includes an example of a value that you might expect to see if the field is typed to the specified basic data type. In addition, when previewing data, the UI shows a type icon that represents the data type of the field.
| Basic data types | Description | Data type UI symbol | Example |
|---|---|---|---|
| integer | A 32-bit whole number. | # | 10 |
| long | A 64-bit whole number. A whole number is of type long if it ends with the letter L; otherwise it is of type integer. | # | 2147483649L |
| float | A 32-bit floating-point number that can also store fractional numbers. A fractional number is of type float if it ends with the letter F; otherwise it is of type integer. Floats can store 6 to 7 decimal digits. | # | 10.327000F |
| double | A 64-bit floating-point number that can also store fractional numbers. A fractional number is of type double if it ends with the letter D; otherwise it is of type integer. Doubles can store up to 15 decimal digits. | # | 4244.546000D |
| string | A sequence of characters. Strings should be enclosed with double quotation marks. | a | "Hello, World" |
| regex | A regular expression that matches patterns of characters. Regular expressions in the use Java 8. See About regular expressions. Regular expressions must be enclosed with the / character.
|
No icon | /^[a-z][a-z0-9_]*/ |
| bytes | A byte buffer that can contain values of any data type.
|
B | A bytes field can contain the value hello world.
|
| boolean | A data type with only two possible values, either true or false. | 
|
True |
| null | A special type for "empty". There is only one possible value, which can be written in two ways: NULL or null.
|
No icon | To set a field to NULL, use the Eval or Select functions:
... | eval field_name=NULL |...; ... | select NULL AS field_name, timestamp, host, source, source_type, body, attributes | ...; |
Complex data types
The following table describes complex data types that the supports. In addition, this table also includes an example of a value that you might expect to see if the field is typed to the specified complex data type. In addition, when previewing data, the UI shows a type icon that represents the data type of the field.
| Complex data types | Description | Data type UI symbol | Example |
|---|---|---|---|
| collection | A list of elements that share the same data type. | [] | A collection, or list, of integers: [1,2,3,4,5,6,7,8,9]. |
| map | A field containing one or more key-value pairs. | {} | {"name": "Henry Li", "age": 37} |
| union | A data type that can be any of the types in the union. Union data types include more than one type. For example, the data type of the body field is a union of all basic and complex data types. | 
|
The body field in events or metric events which is a union type of all types. |
Casting between data types
You can change between data types by using the cast and ucast functions. These functions convert the data type in the first column to the data type in the top row, with the following behavior:
| From / To | integer | long | float | double | string | bytes | boolean |
|---|---|---|---|---|---|---|---|
| integer | - | Succeeds | Succeeds | Succeeds | Succeeds | Fails | Fails |
| long | Succeeds1 | - | Succeeds | Succeeds | Succeeds | Fails | Fails |
| float | Succeeds2 | Succeeds2 | - | Succeeds | Succeeds | Fails | Fails |
| double | Succeeds3 | Succeeds4 | Succeeds5 | - | Succeeds | Fails | Fails |
| string | Succeeds6 | Succeeds6 | Succeeds6 | Succeeds6 | - | Fails | Fails |
| bytes | Fails | Fails | Fails | Fails | Fails | - | Fails |
| boolean | Fails | Fails | Fails | Fails | Succeeds | Fails | - |
Data type pairs in yellow cast but can produce unexpected results.
- Casting from a Long to Integer is supported, but the resulting value will overflow or underflow if your value is greater or less than +/-2147483647.
- Casting from a Float to an Integer or Long is supported, but decimal points will be dropped. Also, casting from a floating-point number to an Integer or Long results in the maximum or minimum value for the target type if the real value is too large.
- Casting from a Double to an Integer is supported, but the resulting value will overflow or underflow if your value is greater or less than +/-2147483647.
- Casting from a Double to a Long is supported, but the resulting value will overflow or underflow if your value is less than -9,223,372,036,854,775,808 or greater than 9,223,372,036,854,775,807.
- Casting from a Double to a Float will produce +/- infinity if the value is too large. In addition, precision might be lost.
- Casting from a String to a numeric type returns NULL if the value is not a numeric type.
Casting a union data type
Union data types include more than one type. Before you can use a union value as an argument in a function, you must first cast it to a specific type.
A union type can be cast to any of its contained types.
If the runtime data type of the field in the union type doesn't support a specific type-cast, the value is set to NULL.
For example, if a union type contains types (Long, Bytes) and is used in the LessThan expression:unionField < 50, then the following occurs:
- When the field contains a Long, the value is used as a Long and Less Than will work as expected.
- When the field contains Bytes, the value cannot be cast to Long, so it will be cast to NULL, and LessThan will also return NULL.
| SPL2 in the | About regular expressions |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6
Download manual
Feedback submitted, thanks!