Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Conversion

The following scalar functions convert a value of a given data type into another data type.

base64_encode

Converts a byte array value to a Base64-encoded string. It returns null if the value is null or if the conversion fails.

Function Input
bytes
Function Output
string

1. DSL example

base64_encode(to_bytes("hello"));


2. DSL example

Extracts the value in RecordNumber, hashes the value, and returns the value in new field HashedRecordNumber as hashed_record_number=<hashedRecordNumber>

as(
    concat(
        literal("hashed_record_number="),
        base64_encode(md5(to_bytes(get("RecordNumber"))))
        ),
"HashedRecordNumber");

base64_decode

Converts a Base64-encoded string to bytes. It returns null if the value is null or if the conversion fails.

Function Input
string
Function Output
bytes

DSL example

base64_decode("aGVsbG8="));

tostring

Converts the input value to a string. If the input type is a number, it reformats it according to the format string. If the input value is a Boolean value, it returns the corresponding string value, "True" or "False".

Function Input
value
(Optional) format, only valid when value is a number.
Function Output
string

The tostring function supports an optional second argument of one of the following options: "hex", "commas", or "duration".

Examples Description
tostring(X,"hex") Converts X to hexadecimal.
tostring(X,"commas") Formats X with commas. If the number includes decimals, the function rounds to nearest two decimal places.
tostring(X,"duration") Converts seconds X to the readable time format HH:MM:SS.

1. DSL example

Returns "1000".

tostring(1000);

2. DSL example

Returns "0xF".

tostring(15, "hex");

to_string

Converts a byte array value to a UTF-8 encoded string. It returns null if the value is null or the conversion fails.

Function Input
bytes
Function Output
string

DSL example

to_string(get("body"));

gzip

Returns Gzipped-compressed bytes. It returns null if the Byte array is null or the zip fails.

Function Input
bytes
Function Output
bytes (containing gzipped bytes)

DSL example

gzip(get("body"));    

gunzip

Decompresses a GZipped byte array. It returns null if the byte array is null or the gunzip fails.

Function Input
bytes
Function Output
bytes

DSL example

gunzip(get("body"));

deserialize_json_object

Converts a JSON byte string into a map.

Function Input
bytes
Function Output
map<string, any>

DSL example

deserialized-events = eval(events, as(deserialize_json_object(get("json_string")), "value"));

from_json_array

Converts a JSON string into an array of the JSON structure, including nested keys.

Function Input
JSON character string
Function Output
collection<any>

DSL example

events = read_splunk_firehose();
json-events = eval(events, as(from_json_array(get("json_string"), "json_map"));
write_null(json-events);

from_json_object

Converts a JSON string into a map of the JSON structure, including nested keys.

Function Input
JSON character string
Function Output
map<string, any>

DSL example

events = read_splunk_firehose();
json-events = eval(events, as(from_json_object(get("json_string"), "json_map"));
write_null(json-events);

inet_aton

Converts a string IPv4 or IPv6 IP address and returns the address as type Long. Because IPv6 IP addresses are 128-bits, the return value is the lower 64-bits stored as type Long.

Function Input
string
Function Output
long

DSL example

Returns 2130706433L.

inet_aton("127.0.0.1")

inet_ntoa

Converts a decimal IP address to dotted-decimal form.

Function Input
long
Function Output
string

DSL example

Returns 127.0.0.1.

inet_ntoa(2130706433L);

parse_bool

Parses a string as a boolean. Returns TRUE when the string is case-insensitive equal to "true". Returns FALSE when the string is case-insensitive equal to "false". Returns null on failure.

Function Input
string
Function Output
boolean

DSL example

Returns true.

parse_bool("True");

parse_double

Parses a string and returns the numeric value as a Double. Returns null if the value is null or is not a valid Double.

Function Input
string
Function Output
double

DSL example

Returns 1.5 as type double.

parse_double("1.5");

parse_float

Parses a string and returns the numeric value as a Float. Returns null if the value is null or is not a valid Float.

Function Input
string
Function Output
float

DSL example

Returns 3.1415 as a float.

parse_float("3.1415");

parse_int

Parses a string as an integer. Returns null if the value is null or is not a valid integer.

Function Input
string
Function Output
int

DSL example

Returns 45 as an int.

parse_int("45");

parse_long

Parses a string and returns the numeric value as Long. Returns null if the value is null or is not a valid Long.

Function Input
string
Function Output
long

DSL example

Returns 45 as a long.

parse_long("45");

serialize_json

Converts the current record into a JSON byte string.

Function Input
null
Function Output
bytes

DSL example

serialize_json();

serialize_json

Converts a map of a JSON structure into a JSON byte array.

Function Input
map<string, any>
Function Output
bytes

DSL example

serialize_json(create_map("foo", "bar"));

to_bytes

Converts a string to a byte string.

Function Input
string
Function Output
bytes

DSL example

to_bytes("somestring");

to_bytes

Converts a string with a character encoding you specify to a byte string.

Function Input
input: string
encoding: string
Function Output
bytes

DSL example

to_bytes("somestring", "UTF-8");

to_json

Converts a map of a JSON object's structure to a JSON string.

Function Input
map<string, any>
Function Output
string

DSL example

to_json(create_map("foo", "bar"));
Last modified on 02 January, 2020
Conditional   Cryptographic

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters