reducepy

reducepy

This command is experimental and not currently supported by Splunk.

Synopsis

Similar to Python's reduce function over all the search results.

Syntax

reducepy <python code:init> loop <python code:looping code> [by <field-list>]

Required arguments

init

Syntax: <init code>

Description: Specify initialization code to run.

loop

Syntax: loop <looping code>

Description: Specify the looping to apply over each search result.

Optional arguments

by clause

Syntax: by <field-list>

Description: Returns search results unique to the values of the specified field(s).

Description

Similar to Python's reduce function, applying looping code over each search result. Runs the initialization code, and then for each search result runs the looping code. The output is a search result with the final values of all the variables defined. If there is a by-clause, each unique set of field values has it's own local variable space and outputs its own search result with the final values of all the variables defined.

There is an internal 'count' variable keeping track of the number of results. Includes convenient packages for most common operations, such as re, sys, math, random, datetime, time, xml, lxml, StringIO, lxml.etree, platform, hashlib, difflib, base64, xml.sax.saxutils, etree. Does not allow Python expressions containing "open", "write", "read", or "import".

Examples

Example 1: Returns a search result for each unique source with a 'sum' field of the sum of all _times.

Example 2: Returns a search result for each unique source and host with an 'rsum' field of the sum of ratios of _times to the current time.

See also

extract, iconify, mappy, rex, xmlkv, xmlunescape, xpath

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the reducepy command.

• Was this topic useful?
• Post a comment