Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Eval

Calculates an expression and puts the resulting value into the record as a new field.

  • If the field name that you specify does not match a field in the data stream, a new top-level field is added to your record.
  • If the field name that you specify matches a field name that already exists in the data stream, the results of the eval expression overwrite the values in that field.

You can chain multiple eval expressions in a single eval function using a semi-colon to separate subsequent expressions. The eval function processes multiple eval expressions in-order and lets you reference previously evaluated fields in subsequent expressions. See example 4 on this topic to see how to reference a previously evaluated field and how expressions are evaluated in order. This function accepts a variable number of arguments.

Function Input
collection<record<R>>
This function takes in collections of records with schema R.
Function Output
collection<record<S>>
This function outputs the same collection of records but with a different schema S.

Arguments

Argument Input Description
function collection<expression<any>> Any values and scalar functions that will be executed to determine the value to place in a new field.

Unless assigned, new values are placed into a record under the field name field0. Use the as scalar function to rename the field in which new values are placed.

UI examples

1. Change sourcetype to wineventlog: 

as("wineventlog", "sourcetype");

2. Create a new field that contains the value of host: 

as(get("host"), "User");

3. Extract metrics data from body field: 

as(extract-regex(cast(get("body"), "string"), /group=(?<group>S+),s?series="(?<series>[^"]+)",s?(?<data>.*)$/), "metrics");

4. Expressions get evaluated in order. In this example, x and y are both equal to 3: 

as(3, "x"); as(get("x"), "y");

DSL examples

1. Change sourcetype to wineventlog: 

eval(input, as("wineventlog", "sourcetype"));

2.Create a new field that contains the value of host:

eval(input, as(get("host"), "User"0);

3. Extract metrics data from body field:

eval(input, as(extract-regex(cast(get("body"), "string"), /group=(?<group>S+),s?series="(?<series>[^"]+)",s?(?<data>.*)$/), "metrics"0);

4. Expressions get evaluated in order. In this example, x and y are both equal to 3: 

eval(input, as(3, "x"); as(get("x"), "y"));
Last modified on 02 January, 2020
Drop Fields   Extract Timestamp

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters