On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
Break Events
This topic describes how to use the function in the Splunk Data Stream Processor.
Description
Break grouped events from a universal forwarder into multiple events using a valid regular expression as the delimiter.
Function Input/Output Schema
- Function Input
- collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
- collection<record<R>>
- This function outputs collections of records with schema R.
Syntax
The required fields are in bold font.
- break_events
- content=<field>
- delimiter=<regular-expression>
- [output=<newfield>]
Required arguments
- Content
- Syntax: <field>
- Description: The field whose values will be broken into single events.
- Delimiter
- Syntax: <regular-expression>
- Description: A Java regular expression delimiter used to break events.
Optional arguments
- Output
- Syntax: <string>
- Description: The name of the output field in the new event.
- Default: body
SPL2 example
Examples of common use cases follow:
1. Break events using a new line as a delimiter.
...| break_events content=host delimiter=/\n/ output=new_field|...;
Last modified on 21 July, 2020
| Bin | Eval |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
Download manual
Feedback submitted, thanks!