On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Merge Events
Parses data received from a universal forwarder into a stream of complete events for a Splunk Index. The universal forwarder does not parse incoming data, so you must use this function if you are using a universal forwarder. You must use merge_events in conjunction with break_events
- Function Input
group<record<K>, record<V>- This function inputs a group of records with a given schema, K.
- Function Output
collection<record<R>>- This function outputs a collection of records with a different schema S.
Arguments
| Argument | Input | Description | Example |
|---|---|---|---|
| content | expression<string> | An expression to get the contents of the field to be broken. | cast(get("body"), "string");
|
| output | string | Optional. The name of the output field in the new event (defaults to body if it is not specified). | body
|
| delimiter | regex | A regex delimiter used to break events. | (\\n)[0-9]{4}-[0-9]{2}-[0-9]{2} |
| max event size | long | Specifies the maximum event size, in bytes, of an event. Defaults to 1MB. Size cannot exceed 1MB. | 1000000 |
Full DSL example
This example breaks events using a newline delimiter and merges them together:
merge-events(grouped-events, cast(get("body"), "string"), "body", /\n/);
Last modified on 31 October, 2019
| Group | Mvexpand |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.0
Download manual
Feedback submitted, thanks!