Splunk® Data Stream Processor

DSP Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

String manipulation

concat

Combines string values. This function accepts a variable number of arguments.

Function Input
collection<string>
Function Output
string

DSL example

Returns Jane A Smith. 

concat("Jane", " ", "A", " ", "Smith");

Prepends "asa_" to the value of "source_type". 

concat("asa_", get("source_type"));

extract_grok

Extracts matching groups with a Grok-compatible pattern and returns a map of group names to matching groups when the pattern is matched against the input. It returns null if the input is null or the pattern is invalid.

Function Input
input: string
pattern: string
Function Output
map<string, string>

DSL example

Returns "IPV4": "10.10.10.10". 

extract_grok("FOO 10.10.10.10 BAR", "%{IPV4}");

extract_key_value

Extracts the key-value pairs and returns a map of the key-value pairs. The keys and values are separated with a key value delimiter, and pairs are separated with a pair delimiter. It returns null if the input is null or the key value delimiter is null or empty.

Function Input
input: string
key-value-delimiter: string
pair-delimiter: string
Function Output
map<string, string>

DSL example

extract_key_value("key1=value1;key2=value2;key3=value3", "=", ";");

extract_regex

Extracts capturing groups from inputs with regular expressions and returns a map of all extracted, matched fields in the format: {"capture_group_1": "matching_expression_1", "capture_group_N":"matching_expression_N"}. If you do not name the capturing group, the group names are returned as "1", "2", "3", "N", etc. For example, extract_regex with the regex (?<host>[^\.]+) returns a map with the key host whose value is the value of the extracted capture group. For a non-named capture group, extract_regex with the regex ([^\.]+) will return a map with key 1 whose value is the value of the extracted capture group. To name your capturing group, start your regular expression pattern with ?<capturing-group-name>, as shown in the DSL examples. Use this function if you want your extracted data to be nested in a single field.

For general information on regular expressions, see About Splunk Data Stream Processor regular expressions in the DSP User Manual.

Function Input
first: string
pattern: regex
Function Output
map<string, string>

1. DSL example

Extracts ASA-x-xxxxxx values from the body field using a named capturing group. 

extract_regex(cast(get("body"), "string"), /(?<ASA>ASA-\d-\d{6})/i);

2. DSL example

Change FQDN hostname to a short hostname using a named capturing group. 

as(
  map_get( 
   extract_regex(
    get("host"), /^(?<host>[^\.]+)\./
   ), "host"
  ), "host"
);

len

Returns the character length of a string X.

Function Input
string
Function Output
integer

DSL example

Returns character length of the value in the "source" field. 

len(get("source"));

lower

Converts a string to lowercase.

Function Input
string
Function Output
string

DSL example

Returns hello. 

lower("HELLO");

ltrim

Takes two arguments X and Y and returns X with the characters in Y trimmed from the left side. Use this scalar function with the eval or the filter streaming functions.

Function Input
str: string
strip-chars: string
Function Output
string

DSL example

Returns "abczz ". 

ltrim(" ZZZZabcZZ ", " Z");

ltrim

Takes an argument X and returns X with whitespaces removed from the left side. Use this scalar function with the eval or the filter streaming functions.

Function Input
string
Function Output
string

DSL example

Returns "abc ". 

ltrim(" abc ");

match_regex

Matches inputs against regular expressions and returns true if the pattern matches against the input, otherwise it returns False. For general information on regular expressions, see About Splunk Data Stream Processor regular expressions in the DSP User Manual.

Function Input
input: string
pattern: pattern
Function Output
boolean

DSL example

match_regex(get("body"), /%ASA-d-d{6}/i);

match_wildcard

Matches inputs against a pattern with wildcards. Returns true on a successful match, otherwise it returns false.

Function Input
input: string
pattern: string
Function Output
boolean

DSL example

Returns true when SSN:* is in the body field. 

match_wildcard(get("body"), "SSN:*");

punct

Extracts punctuation from a string.

Function Input
input: string
Function Output
string

DSL example

Extracts all punctuation from the field id into a new custom field key. 

as(punct(get("id")), "key");

replace

Replaces a string using a regular expression. Use this scalar function with the eval or the filter streaming functions. For general information on regular expressions, see About Splunk Data Stream Processor regular expressions in the DSP User Manual.

Function Input
input: string
pattern: pattern
rep: string
Function Output
string

DSL example

Returns the "body" field with phone numbers redacted. 

as(replace(cast(get("body"), "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>"), "body");

rtrim

Takes two arguments X and Y and returns X with the characters in Y trimmed from the right side. Use this scalar function with the eval or the filter streaming functions.

Function Input
str: string
strip-chars: string
Function Output
string

DSL example

Returns " ZZZZabc". 

rtrim(" ZZZZabcZZ", " Z");

rtrim

Takes an argument X and returns X with whitespaces removed from the right side. Use this scalar function with the eval or the filter streaming functions.

Function Input
string
Function Output
string

DSL example

Returns " abc". 

rtrim(" abc ");

spath

This function extracts a value from a map or collection. Use this function to extract a value from a nested map or collection. To extract a value from a JSON string, convert your JSON string to a map. See the from_json_object scalar function and the DSL example below.

For more information on the syntax of the path argument, see the path syntax in the Splunk Enterprise documentation.

The Data Stream Processor spath function does not have an auto-extract mode and does not accept JSON or XML strings.

Function Input
input: union<collection<any>, map<string,any>>
path: string
Function Output
union<string, bytes, boolean, integer, long, float, double, collection<any>, map<string,any>>

DSL example

Returns baz. 

spath(from_json_object("{\"foo\": [{\"bar\": \"baz\"}]}"), "foo{0}.bar");

substring

This function takes two arguments X and Y where X is a string and Y is a numeric. This function returns a substring of X, starting at the index specified by Y.

Function Input
str: string
start: integer
Function Output
string

DSL example

Returns "bar". 

substr("foobar", 4);

substring

This function takes three arguments. The required arguments are X, a string, and Y, a numeric. This function also takes an optional argument Z, also a numeric. This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z.

Function Input
str: string
start: integer
length: integer
Function Output
string

DSL example

Returns "foo". 

substr("foobar", 1,3 );

trim

Takes two arguments X and Y and returns X with the characters in Y trimmed from both sides. Use this scalar function with the eval or the filter streaming functions.

Function Input
str: string
strip-chars: string
Function Output
string

DSL example

Returns abc. 

trim(" ZZZZabcZZ ", " Z");

trim

Takes an argument X and returns X with whitespaces removed from both sides. Use this scalar function with the eval or the filter streaming functions.

Function Input
string
Function Output
string

DSL example

Returns abc. 

trim(" abc ");

upper

Converts a string to uppercase.

Function Input
string
Function Output
string

DSL example

Returns HELLO. 

upper("hello");

url_decode

Takes a URL string and returns the unescaped or decoded URL string.

Function Input
string
Function Output
string

DSL example

Returns http://www.splunk.com/download?r=header. 

url_decode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader");

url_encode

Encodes a string for the query string parameters in a URL. Use this function when you want to include user-supplied string data in a URL.

Function Input
string
Function Output
string

DSL example

Returns Jane+A+Smith. 

url_encode("Jane A Smith");
Last modified on 06 December, 2019
Multivalue  

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters