Related Answers
On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Download topic as PDF
Filter
Keep events that pass a Boolean function. This function only takes scalar functions that output Boolean.
- Function Input
collection<record<R>>- This function takes in collections of records with schema R.
- Function Output
collection<record<R>>- This function outputs collections of records with schema R.
Arguments
| Argument | Input | Description | UI example |
|---|---|---|---|
| predicate | expression<boolean> | A boolean expression, where the expression returns either true or false. | not(eq(map-get(get("attributes"),"0"), "true"));
|
DSL examples
Filter for events that occur past a specific timestamp
gt(get("timestamp"), 1546329600L);
Filters out events that are null in the _value field
not(eq(get("_value"), null));
Filters for events with vmstat sourcetype:
eq(get("source_type"), "vmstat");
Filters for events with either syslog sourcetype or vmstat sourcetypes
or(
eq(get("source_type"), "syslog"),
eq(get("source_type"), "vmstat")
);
Use the like comparison operator similar to a wildcard:
Returns only records where the source_type field begins with "cisco".
like(get("source_type"), "cisco%");
Filter on a custom attribute:
Returns only records where the attributes field contains "somekey: "someval".
eq(map_get(get("attributes"), "somekey"), "someval")
Last modified on 28 February, 2020
|
PREVIOUS Fields |
NEXT For Each (map) |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1
Feedback submitted, thanks!