Related Answers
Download topic as PDF
String manipulation
concat
Combines string values. This function accepts a variable number of arguments.
- Function Input
- collection<string>
- Function Output
- string
DSL example
Returns Jane A Smith.
concat("Jane", " ", "A", " ", "Smith");
Prepends "asa_" to the value of "source_type".
concat("asa_", get("source_type"));
extract_grok
Extracts matching groups with a Grok-compatible pattern and returns a map of group names to matching groups when the pattern is matched against the input. It returns null if the input is null or the pattern is invalid.
- Function Input
- input: string
- pattern: string
- Function Output
- map<string, string>
DSL example
Returns "IPV4": "10.10.10.10".
extract_grok("FOO 10.10.10.10 BAR", "%{IPV4}");
extract_key_value
Extracts the key-value pairs and returns a map of the key-value pairs. The keys and values are separated with a key value delimiter, and pairs are separated with a pair delimiter. It returns null if the input is null or the key value delimiter is null or empty.
- Function Input
- input: string
- key-value-delimiter: string
- pair-delimiter: string
- Function Output
- map<string, string>
DSL example
extract_key_value("key1=value1;key2=value2;key3=value3", "=", ";");
extract_regex
Extracts capturing groups from inputs with regular expressions and returns a map of all extracted, matched fields in the format: {"capture_group_1": "matching_expression_1", "capture_group_N":"matching_expression_N"}. If you do not name the capturing group, the group names are returned as "1", "2", "3", "N", etc. For example, extract_regex with the regex (?<host>[^\.]+) returns a map with the key host whose value is the value of the extracted capture group. For a non-named capture group, extract_regex with the regex ([^\.]+) will return a map with key 1 whose value is the value of the extracted capture group.
To name your capturing group, start your regular expression pattern with ?<capturing-group-name>, as shown in the DSL examples. Use this function if you want your extracted data to be nested in a single field.
- Function Input
- first: string
- pattern: regex
- Function Output
- map<string, string>
1. DSL example
Extracts ASA-x-xxxxxx values from the body field using a named capturing group.
extract_regex(cast(get("body"), "string"), /(?<ASA>ASA-\d-\d{6})/i);
2. DSL example
Change FQDN hostname to a short hostname using a named capturing group.
as(
map_get(
extract_regex(
get("host"), /^(?<host>[^\.]+)\./
), "host"
), "host"
);
len
Returns the character length of a string X.
- Function Input
- string
- Function Output
- integer
DSL example
Returns character length of the value in the "source" field.
len(get("source"));
lower
Converts a string to lowercase.
- Function Input
- string
- Function Output
- string
DSL example
Returns hello.
lower("HELLO");
ltrim
Takes two arguments X and Y and returns X with the characters in Y trimmed from the left side. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- str: string
- strip-chars: string
- Function Output
- string
DSL example
Returns "abczz ".
ltrim(" ZZZZabcZZ ", " Z");
ltrim
Takes an argument X and returns X with whitespaces removed from the left side. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- string
- Function Output
- string
DSL example
Returns "abc ".
ltrim(" abc ");
match_regex
Matches inputs against regular expressions and returns true if the pattern matches against the input, otherwise it returns False.
- Function Input
- input: string
- pattern: pattern
- Function Output
- boolean
DSL example
match_regex(get("body"), /%ASA-d-d{6}/i);
match_wildcard
Matches inputs against a pattern with wildcards. Returns true on a successful match, otherwise it returns false.
- Function Input
- input: string
- pattern: string
- Function Output
- boolean
DSL example
Returns true when SSN:* is in the body field.
match_wildcard(get("body"), "SSN:*");
replace
Replaces a string using a regular expression. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- input: string
- pattern: pattern
- rep: string
- Function Output
- string
DSL example
Returns the "body" field with phone numbers redacted.
as(replace(cast(get("body"), "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>"), "body");
rtrim
Takes two arguments X and Y and returns X with the characters in Y trimmed from the right side. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- str: string
- strip-chars: string
- Function Output
- string
DSL example
Returns " ZZZZabc".
rtrim(" ZZZZabcZZ", " Z");
rtrim
Takes an argument X and returns X with whitespaces removed from the right side. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- string
- Function Output
- string
DSL example
Returns " abc".
rtrim(" abc ");
spath
This function extracts a value from a map or collection. Use this function to extract a value from a nested map or collection. To extract a value from a JSON string, convert your JSON string to a map. See the from_json_object scalar function and the DSL example below.
For more information on the syntax of the path argument, see the path syntax in the Splunk Enterprise documentation.
The Data Stream Processor spath function does not have an auto-extract mode and does not accept JSON or XML strings.
- Function Input
- input: union<collection<any>, map<string,any>>
- path: string
- Function Output
- union<string, bytes, boolean, integer, long, float, double, collection<any>, map<string,any>>
DSL example
Returns baz.
spath(from_json_object("{\"foo\": [{\"bar\": \"baz\"}]}"), "foo{0}.bar");
substring
This function takes two arguments X and Y where X is a string and Y is a numeric. This function returns a substring of X, starting at the index specified by Y.
- Function Input
- str: string
- start: integer
- Function Output
- string
DSL example
Returns "bar".
substr("foobar", 4);
substring
This function takes three arguments. The required arguments are X, a string, and Y, a numeric. This function also takes an optional argument Z, also a numeric. This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z.
- Function Input
- str: string
- start: integer
- length: integer
- Function Output
- string
DSL example
Returns "foo".
substr("foobar", 1,3 );
trim
Takes two arguments X and Y and returns X with the characters in Y trimmed from both sides. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- str: string
- strip-chars: string
- Function Output
- string
DSL example
Returns abc.
trim(" ZZZZabcZZ ", " Z");
trim
Takes an argument X and returns X with whitespaces removed from both sides. Use this scalar function with the eval or the filter streaming functions.
- Function Input
- string
- Function Output
- string
DSL example
Returns abc.
trim(" abc ");
upper
Converts a string to uppercase.
- Function Input
- string
- Function Output
- string
DSL example
Returns HELLO.
upper("hello");
url_decode
Takes a URL string and returns the unescaped or decoded URL string.
- Function Input
- string
- Function Output
- string
DSL example
Returns http://www.splunk.com/download?r=header.
url_decode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader");
url_encode
Encodes a string for the query string parameters in a URL. Use this function when you want to include user-supplied string data in a URL.
- Function Input
- string
- Function Output
- string
DSL example
Returns Jane+A+Smith.
url_encode("Jane A Smith");
|
PREVIOUS Multivalue |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1
Feedback submitted, thanks!