Splunk® Cloud Services

SPL2 Search Reference

Built-in data types

SPL2 supports a set of built-in data types, such as strings, numbers, Booleans, arrays, objects, timespans, relative times, and datasets. All of these data types have corresponding literal syntax that you can use to represent constants in SPL expressions. See Types of expressions in the SPL2 Search Manual.

In addition, SPL2 also supports user-defined custom data types. See Custom data types.

Quick reference for SPL2 built-in data types

The following table describes and shows examples of the built-in SPL2 data types:

Type name Description Examples
any The default data type used when a data type isn't specified. Means that any data type is allowed. "firstname", false, 1776, -1d, 450925.123, {name:"Ticket to Ride", type:"competitive"}
array An ordered collection of values. The values in the array can be a mixture of data types. ["buttercup", "fluttershy", 3.15]
boolean A Boolean value of true or false. The value must be lowercase. true
dataset A collection of data that you either want to search or that contains the results from a search. main

[{day: "sun", temp: 65}, {day: "mon", temp: 42}, {day: "tue", temp: 40}, {day: "wed", temp: 31}, {day: "thu", temp: 47}, {day: "fri", temp: 53}, {day: "sat", temp: 64}]

double A double floating-point number. If the number is an integer, you must include the D suffix. 56.11D


1.2e-3D

float A floating-point number. Must include the F suffix. 3.14F


-1.2e5F

int An integer number. 365

-32

log_span A logarithm-based span value. 2log10
long A long integer number. Must include the L suffix. 1500000000000L
object An SPL2 structured object. {name:"Settlers of Catan", type:"competitive"}
regex A regular expression. /^[a-z][a-z0-9_]*/
relative_time A relative time value. See Specifying relative time in the SPL2 Search Manual. -10h@h


earliest=-5m

string A string value. "surname"


"198.51.100.255"

"Number of bytes"

timespan A time span. See Specifying time spans in the SPL2 Search Manual. 10m


1h


The following sections describe each of these data types in more detail.

any

The default data type that is used when a data type is not specified.

Any supported data type is allowed.

array

An array is an ordered collection of values. The values in the array can be a mixture of data types. There is no option to specify that an array contains homogeneous array types, which are arrays where all of the values must be the same type.

The format of an SPL array is similar to a JSON array:

  • The array must be enclosed in square brackets [ ].
  • If the array contains objects, each object in the array must be enclosed in curly braces { }.
  • Separate each object with a comma, except for the last object.
  • Separate each set of key-value pairs in an object with a comma, except for the last key-value pair.

For more information about objects, see the object data type.

You can use expressions and constants for the values of SPL2 arrays.

Here are some array examples:

Types of values Examples
String values ["Settlers of Catan","Terraforming Mars","Ticket to Ride"]
Objects [{ name: "Tower Bridge", length: 801 }, { name: "Millennium Bridge", length: 1066 }]
Expressions [a+2, b-4]

For examples of the types of expressions you can use, see Types of expressions in the SPL2 Search Manual

boolean

In SPL2, a Boolean value is expressed using a lowercase Boolean literal:

  • true
  • false

Uppercase, mixed case, and numeric equivalents ( 0 | 1 ) aren't valid.

dataset

A collection of data that you either want to search or that contains the results from a search.

A dataset literal is an array of objects that you type into your search criteria, instead of specifying a dataset name. You can use a dataset literal anywhere you can specify a dataset name.

For more information about datasets, see the following topics in the SPL2 Search Manual:

double

A double data type is a signed 8-byte (64-bit) precision floating-point number. If the number is an integer, the D suffix is required.

To specify a double number in SPL2, use the D suffix. For example:

… | eval x = 1.23D

In this example, the eval command sets the value of x to a double value of 1.23.

Here are some examples of double floating-point numbers:

  • 67D
  • .345 or .345D
  • 12.3 or 12.3D
  • -1.2e4 or -1.2E4D
  • 5.6e-2 or 5.6e-2D
  • 5.6E-2 or 5.6e-2

SPL2 accepts double floating-point numbers expressed as exponents using either an uppercase E or lowercase e.

float

A float data type is a signed 4-byte (32-bit) precision floating-point number. You must include the F suffix.

To specify a float number in SPL2, use the F suffix. For example:

… | eval x = 1.23F

In this example, the eval command sets the value of x to a float value of 1.23.

Here are some examples of floating-point numbers:

  • .345F
  • 12.3F
  • -1.2e4F
  • 5.6e-2F
  • 12E7F

SPL2 accepts floating-point numbers expressed as exponents using either an uppercase E or lowercase e.

int

An integer data type is a positive or negative whole number. Integers don't include fractions.

Here are some integer examples:

  • 10
  • -32000
  • 1976

log-span

A logarithm-based span that consists of a coefficient and a base. The first number is the coefficient. The second number is the base.

  • The coefficient is optional. If supplied, the coefficient must be a real number greater than or equal to 1.0 and less than the base.
  • The base is optional. If supplied, the base must be a real number greater than 1.

Here are some log-span examples:

  • 2log10
  • 7log12

long

A long data type is a signed 8-byte (64-bit) integer number. You must include the L suffix.

To specify a long number in SPL2, use the L suffix. For example:

… | eval x = 2147483647L

In this example, the eval command sets the value of x to a long value of 2147483647.

Here are some examples of long numbers:

  • -9,223,372,036,854,775,808L
  • 9,223,372,036,854,775,807L

object

Some SPL2 commands and functions accept or return objects. The format of a SPL2 object is similar to a JSON object, with the exception of field names:

  • The object must be enclosed in curly brackets { }.
  • In a list of field-value pairs, separate each field-value pair with a comma.
  • For each field-value pair, separate the field from the value with a colon.
  • Field names that contain characters a-z, A-Z, 0-9, or the underscore ( _ ) character don't need to be quoted. Field names that contain any other characters must be enclosed in either single or double quotation marks. A SPL object literal is a convenient way to create JSON objects. To be JSON compatible, field names are stored internally with double quotation marks.
  • Field values must be valid SPL2 data types such as string, integer, object, array, or Boolean.
  • Field values that are strings must be enclosed in double quotation marks.

Here are some SPL2 object examples:

  • {name:"Golden Gate Bridge", length:8981, year_built:1933}
  • {type: "competitive", 'game-name': "Ticket to Ride"}

regex

A regular expression that matches patterns of characters. Splunk regular expressions are Perl Compatible Regular Expressions (PCRE) and use the PCRE C library. See About Splunk regular expressions in the SPL2 Search Manual.

Here are some examples of regular expressions:

  • "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
  • "^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$"

relative_time

Relative time is time that is based on the current time, such as last 5 minutes and last hour.

You define relative time in your search by using time modifiers along with a time amount integer and unit. In addition, you can specify a "snap-to" time which takes the relative time and rounds down to the start of the time unit.

For more information about relative time, see Specifying relative time in the SPL2 Search Manual.

Here are some relative time examples:

  • -5m
  • -1h
  • -3h@h
  • -1d@d
  • @d+12h

string

In SPL2, every string must be enclosed in double quotation marks.

If the string itself contains a double quote, that double quote must be escaped, using a backslash ( \ ). For example, \".

If the string includes a backslash, the backslash must be escaped also. For example, \\.

Here are some string examples:

String SPL 2 string literal
Hello "Hello"
Hello World "Hello World"
Maria said "Hello World" "Maria said \"Hello World\""
C:\Windows\System32 "C:\\Windows\\System32"
Edge \"Case "Edge \\\"Case"


timespan

Time spans are used to organize search results by time increments. Some SPL2 commands include an argument where you can specify a time span.

A time span can contain two elements, a time unit and timescale:

  • A time unit is an integer that designates the amount of time, such as 5 or 30.
  • A timescale is a word or abbreviation that designates the time interval, such as seconds, minutes, or hours.

When you specify a time span, the timescale is required. If you don't specify a time unit, 1 is used as the default time unit. For example, if you specify min, 1 minute is used.

For more information about time spans, see Specifying time spans in the SPL2 Search Manual.

Here are some time span examples:

  • 15s
  • 3m
  • h
  • 2mon
  • 1qtr

See also

Related information
Understanding SPL2 syntax
Last modified on 23 October, 2024
Documenting custom functions   Custom data types

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters