Splunk® Data Stream Processor

Function Reference

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of DSP. Click here for the latest version.
Acrobat logo Download topic as PDF

Functions by category

Use the following section as a reference of available streaming and scalar functions.

Streaming functions

These functions are visible in the UI. Streaming functions are full nodes in the pipeline with edges that data flows through. Data streams from one node (the streaming function) through its edge to the next node (streaming function). Streaming functions can use scalar functions.

Functions Description
Aggregate and Trigger Triggers an event output based on a custom condition over a set of aggregated events.
Batch Records Batches records before sending them to an index or a third-party sink.
Bin Puts continuous numerical values into discrete sets, or bins, by adjusting the value of <field> so that all of the items in a particular set have the same value.
Break Events Break events using a Java regular expression as a delimiter.
Eval Calculate an expression and put the resulting value into the record as a new field.
Extract Timestamp Extract a timestamp using the first rule that matches.
Fields Select a subset of fields from a record.
From Used to retrieve data from a specific source function in the SPL2 Pipeline Builder.
Into Used to send data to a specific sink function in the SPL2 Pipeline Builder.
Key_by Group a stream of records by one or more field(s) and returns a grouped stream.
Merge Events Parses data received from a universal forwarder into a stream of complete events for a Splunk Index.
Mvexpand Expand the values in a multivalue field into separate events, one event for each value in the multivalue field.
Parse regex (rex) Extract or rename fields using Java regular expression-named capturing groups.
Rename Rename one or more fields.
Select Assigns an alternative name to a field or applies scalar functions to a group of fields.
Stats Applies one or more aggregation functions on a stream of events in a specified time window.
To Splunk JSON Format records to adhere to the Splunk HEC event JSON or the Splunk HEC metric JSON format.
Union Combines streams with the same input schema into one stream with all of the events of the input streams.
Where Keep records that pass a Boolean function.

Streaming source and sink functions

These functions are visible in the UI and are source or sink functions.

Functions Description
Amazon CloudWatch Metrics Read data from Amazon CloudWatch Metrics.
Amazon Metadata Connector Read metadata from Amazon Web Services (AWS).
Amazon S3 Connector Read data from Amazon S3.
Azure Event Hubs Using SAS key Read data from Azure Event Hubs Using SAS key.
Azure Monitor Metrics Connector Read data from Microsoft Azure Monitor.
Google Cloud Monitoring Metrics Connector Read data from Google Cloud Monitoring.
Microsoft 365 Connector Read data from the Office 365 Management Activity API.
Read from Amazon Kinesis Reads data from Amazon Kinesis.
Read from Kafka

Reads data from Apache or Confluent Kafka.

Read from Splunk Firehose Reads data sent from Splunk DSP Ingest, Forwarders, and Collect API Services.
Receive from Ingest REST API Reads data from the Ingest REST API.
Receive from Splunk Forwarders Reads data from the Splunk Forwarders Service.
Write to the Splunk platform with Batching Send data to an external Splunk Enterprise environment. The Splunk Enterprise Indexes function combines the actions of three underlying DSP functions into one for user convenience: To Splunk JSON, Batch Bytes, Splunk Enterprise.
Write to the Splunk platform Writes data to an external Splunk Enterprise environment.
Write to the Splunk platform (Default for Environment) Writes data to your default, pre-configured Splunk Enterprise instance.
Write to Kafka Writes data to a Kafka topic using a Kafka connection.
Write to Kinesis Writes data to a Kinesis Stream using an AWS access key and secret key authentication.
Write to Null Writes data to a null sink.
Write to S3-compatible storage Writes data to Amazon S3.
Write to SignalFx Writes data to SignalFx.
Write to Azure Event Hubs Using SAS Key (Beta) Writes data to Azure Event Hubs using an SAS key.

Scalar functions

Scalar functions are not full nodes in a pipeline, but instead, help perform certain operations inside of a streaming function. You can use scalar functions to do things like addition and subtraction, comparisons, conversions, or other similar tasks.

Scalar functions operate in the context of the streaming function that they are called in.

Function Category Function list Description
Casting functions cast Converts an expression from one data type to another.
ucast Provides a way to cast maps and collections, regardless of the data type that the map or collection may contain.
Aggregate functions average Returns the average of the values in the field X.
count Returns the number of non-null values in a time window.
max Returns the maximum value in a time window.
mean Calculates the average (mean) of values in a time window.
min Returns the minimum value in a time window.
sum Returns the sum of values in a time window.
Conditional scalar functions coalesce Takes a variable number of arguments and returns the first value that is not NULL.
in Returns TRUE if one of the values in a list matches a value in the field you specify.
like Returns TRUE if TEXT matches PATTERN.
null if equal (nullif) Compares two fields, A and B, and returns NULL if A = B.
validate Returns string Y corresponding to the first expression X that evaluates to FALSE.
Conversion scalar functions base64_encode Converts a byte array value to a Base64-encoded string.
base64_decode Converts a Base64-encoded string to bytes.
tostring Converts a number to a string.
to_string Converts a byte array to a String.
gzip Returns Gzipped-compressed bytes.
gunzip Decompresses a GZipped byte array.
deserialize_json_object Converts a JSON byte string into a map.
from_json_array Converts a JSON string into an array of the JSON structure, including nested keys.
from json object Converts a JSON string into a map of the JSON structure, including nested keys.
inet_aton Converts a string IPv4 or IPv6 IP address and returns the address as type Long.
inet_ntoa Converts a decimal IP address to dotted-decimal form.
parse_bool Parses a string as a boolean.
parse_double Parses a string and returns the numeric value as a Double.
parse_float Parses a string and returns the numeric value as a Float.
parse_int Parses a string as an integer.
parse long Parses a string and returns the numeric value as Long.
serialize_json Converts the current record into a JSON byte string.
serialize_json_collection Converts a map of JSON structure into a JSON byte array.
to_bytes Converts a string to a byte string.
to_json Converts a map of a JSON object's structure to a JSON string.
Cryptographic scalar functions md5 Computes and returns the MD5 hash of a byte value X.
sha1 Computes and returns the secure hash of a byte value X based on the FIPS compliant SHA-1 hash function.
sha256 Computes and returns the secure hash of a byte value X based on the FIPS compliant SHA-256 hash function.
sha512 Computes and returns the secure hash of a byte value X based on the FIPS compliant SHA-512 hash function.
Date and Time scalar functions relative_time Applies a relative time specifier to a UNIX time value.
strftime This function formats a UNIX timestamp into a human-readable timestamp.
strptime This function parses a date string into a UNIX timestamp.
time This function returns the wall-clock time, in the UNIX time format, with millisecond resolution.
Iterator scalar functions filter Filters elements of a list.
for_each For each element of a list, evaluate an expression Y and return a new list containing the results.
iterator Iterates through a list and temporarily assigns each element in list for use in the iterator scalar functions.
List scalar functions length Returns the character length of a given input.
mvdedup Removes duplicates from a list.
mvappend Takes an arbitrary list of arguments, where each argument is a single string or a list of strings, and returns all elements as a single flattened list.
mvindex Returns the element at the list at the index.
mvjoin Takes all of the values in a list and appends them together delimited by STR.
mvrange Returns a list for a range of numbers.
mvsort Takes a list and returns the list with the elements of the list sorted lexicographically.
Map scalar functions contains_key Checks a map for a specified key.
flatten Flattens a list or a map
map_delete Removes a key from a map.
map_get Returns the value corresponding to a key in the map input.
map_keys Returns a list of keys in a map.
map_set Insert or overwrite key-value pairs in a map.
map_values Returns all values in a map.
Mathematical scalar functions abs Takes a number and returns its absolute value.
ceiling Rounds a number up to the next highest integer.
exp Takes a number X and returns the exponential ex.
floor Rounds a number down to the nearest whole integer.
log Takes one or two numbers and returns the logarithm of the first argument X using the second argument Y as the base.
natural logarithm (ln) Takes a number X and returns its natural logarithm.
pi Returns the constant pi to 11 digits of precision.
power of base (pow) Takes two numbers, X and Y, and returns XY.
random integer (randomint) Returns a random integer in the range of 0 to 231-1.
round value (round) Takes two numbers, X and Y, and returns X rounded to the amount of decimal places specified by Y.
round value (round) Takes a number X and returns X rounded to the nearest whole number.
sqrt Takes a number X and returns its square root.
String manipulation scalar functions concat Combines the first and second strings together.
extract_grok Extracts matching groups with a Grok-compatible pattern.
extract_key_value Extract key-value pairs.
extract_regex Uses a Java regular expression to extract capturing groups from the input.
join Joins a list of strings using a delimiter and returns a single string.
len Returns the character length of a string.
lower Converts a string to lowercase.
ltrim Trims extra characters from the left side.
match_regex Matches inputs against a pattern defined with a Java regular expression.
match_wildcard Matches inputs against a wildcard pattern.
replace Performs a regex replacement on a string.
rtrim Trims extra characters from the right side.
spath Extract a value from a map or collection.
split Splits a string using a delimiter.
substr Returns a substring of a string.
trim Trim extra characters.
upper Converts a string to uppercase.
url_decode Takes a URL string and returns the unescaped or decoded URL string.
url_encode Encodes a string for the query string parameters in a URL.
Last modified on 10 September, 2020
Structure of DSP function descriptions

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters