Splunk® Data Stream Processor

DSP Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Conditional

Cidrmatch("X",Y)

Returns TRUE or FALSE based on whether an IPv4 address matches an IPv4 CIDR notation. Use this function to determine if an IPv4 address belongs to a particular subnet. The function returns TRUE when IP address Y belongs to subnet X. Both X and Y are string arguments: X is the CIDR subnet, and Y is the IP address to match against it. IPv6 is not supported.

Function Input
cidr-range: String
ip: String
Function Output
String

1. DSL example

Returns true when the ip field (string) is set to 10.234.0.10.

cidrmatch("10.0.0.0/8", get("ip"));

2. DSL example

Returns true.

cidrmatch("10.0.0.0/8", "10.234.0.10");

3. DSL example

Returns false when the ip field (string) is set to 192.168.100.1.

cidrmatch("10.0.0.0/8", get("ip"));

4. DSL example

Returns false.

cidrmatch("10.0.0.0/8", "192.168.100.1");
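To check subnet rules offline before putting them in a pipeline, the following Python reference model reproduces the mask comparison behind the four examples above. It is an added example, not Splunk code: the names `cidrmatch_model`, `ipv4_to_int`, `matching_ips` and the sample events are constructed here, and returning False for IPv6 or malformed input, and ignoring host bits set in the subnet, are assumptions of the model rather than documented DSP behavior.

```python
import re

_IPV4 = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})")
_PREFIX = re.compile(r"[0-9]{1,2}")


def ipv4_to_int(text):
    """Parse a dotted-quad IPv4 string into a 32-bit integer, or None if invalid."""
    if not isinstance(text, str):
        return None
    m = _IPV4.fullmatch(text.strip())
    if not m:
        return None  # covers IPv6 literals, hostnames, empty strings
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def cidrmatch_model(cidr, ip):
    """True when IPv4 address `ip` falls inside IPv4 subnet `cidr` (model only)."""
    network, sep, prefix = cidr.partition("/")
    if not sep or not _PREFIX.fullmatch(prefix) or int(prefix) > 32:
        return False
    net, addr = ipv4_to_int(network), ipv4_to_int(ip)
    if net is None or addr is None:
        return False  # assumption: unparseable input never matches
    bits = int(prefix)
    # Keep the top `bits` bits; /0 yields an all-zero mask, /32 an all-ones mask.
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (net & mask) == (addr & mask)


# Constructed sample events, including values a real feed can contain.
SAMPLE_EVENTS = [
    {"ip": "10.234.0.10"},
    {"ip": "192.168.100.1"},
    {"ip": "2001:db8::1"},   # IPv6: not supported by cidrmatch
    {"ip": "10.0.0.256"},    # malformed octet
    {"ip": None},            # missing value
]


def matching_ips(cidr, events):
    """Return the ip values of events the model would let through a filter."""
    return [e["ip"] for e in events if cidrmatch_model(cidr, e.get("ip"))]
```

Because non-IPv4 values never match in this model, a filter built on the result drops them silently; route such events elsewhere if they matter for detection.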

Coalesce(X,...)

This function takes a variable number of arguments and returns the first value that is not NULL.

Function Input
type: collection<R>
Function Output
R

DSL example

Returns john.

eq(coalesce(null, "john", "jane"), "john");

In(FIELD, VALUE-LIST)

This function returns TRUE if one of the values in the list matches a value in the field you specify. This function also accepts map and list arguments, as shown in the DSL example below. This function accepts a variable number of arguments. Use this scalar function with the eval or the filter streaming functions.

Function Input
value: any
test-values: collection<any>
Function Output
boolean

DSL example

Returns TRUE if one of the values in the status_code field matches one of the values in the list.

in(get("status_code"), "400", "401", "403", "404");

Like(TEXT, PATTERN)

This function takes two arguments, a string to match TEXT and a string expression to match PATTERN. It returns TRUE if, and only if, TEXT matches PATTERN. Use this scalar function with the eval or the filter streaming functions.

Function Input
input: string
pattern: string
Function Output
boolean

DSL example

Returns TRUE if the source field value ends with health.log.

like(get("source"), "%health.log")

Null if equal (X,Y)

Compares two fields, X and Y, and returns NULL if X = Y. Use this scalar function with the eval or the filter streaming functions.

Function Input
left: T
right: any
Function Output
T

DSL example

Returns null.

nullif(10, 10);

Validate(X,Y,...)

This function takes pairs of arguments, Boolean expressions X and strings Y. The function returns the string Y corresponding to the first expression X that evaluates to FALSE. If all evaluate to TRUE, this function returns NULL. Use this scalar function with the eval or the filter streaming functions.

Function Input
tests-and-values: collection<union<boolean, string>>
Function Output
string

DSL example

Returns baz.

validate(eq(10,10), literal("foo"), eq(10,10), literal("bar"), eq(10,1), literal("baz"));
Last modified on 31 October, 2019

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.0

