Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Conditional

Cidrmatch("X",Y)

Returns TRUE or FALSE based on whether an IPv4 address matches an IPv4 CIDR notation. Use this function to determine if an IPv4 address belongs to a particular subnet. This function returns TRUE when IP address Y belongs to subnet X. Both X and Y are string arguments: X is the CIDR subnet and Y is the IP address to match against that subnet. IPv6 is not supported.

Function Input
cidr-range: String
ip: String
Function Output
String

SPL2 example

The following example uses the cidrmatch function as a filter to remove events whose ip field does not fall within the 10.0.0.0/8 subnet:

... | where cidrmatch("10.0.0.0/8", ip);

Coalesce(X,...)

This function takes a variable number of arguments and returns the first value that is not NULL.

Function Input
type: collection<R>
Function Output
R

SPL2 example

Suppose you have a set of records where the IP address is extracted to either host or ipaddress. This example defines a new field called ip that takes the value of either the host field or the ipaddress field, depending on which field is not NULL (that is, which field exists in that record). If both the host and ipaddress fields exist in the record, this function returns the first argument, the host field.

...| eval ip=coalesce(host, ipaddress);

If(X,Y,Z)

Assigns an expression if the value is true, and another expression if the value is false.

Function Input
predicate: boolean
then: T
else: T
Function Output
type: T

SPL2 example

If the value of the "kind" field is event, send my data to the index "main". If the value of the "kind" field is not event, send my data to the index "metrics".

...| into write_index("", if(kind="event", "main", "metrics"));

In(FIELD, VALUE-LIST)

This function returns TRUE if one of the values in the list matches a value in the field you specify. This function also accepts map and list arguments, as shown in the SPL2 example below. This function accepts a variable number of arguments. Use this scalar function with the eval or the where streaming functions.

The following syntax is supported:

...| where in(field,"value1","value2", ...)
...| where field in("value1","value2", ...)
...| eval new_field=if(in(field,"value1","value2", ...), "value-if_true","value-if-false")

The eval function cannot accept a Boolean value. You must specify the IN function inside the IF function, which can accept a Boolean value as input.

The string values must be enclosed in quotation marks. You cannot specify wildcard characters with the values to specify a group of similar values, such as HTTP error codes or CIDR IP address ranges. Use the IN operator instead.

Function Input
value: any
test-values: collection<any>
Function Output
boolean

1. SPL2 example

The following example uses the in function as the first parameter for the if function. The evaluation expression returns TRUE if the value in the status field matches one of the values in the list.

...| eval error=if(in(status, "error", "failure", "severe"),"true","false");

2. SPL2 example

The following example uses the where function to return TRUE if one of the values in the status_code field matches one of the values in the list.

...| where in("status_code", ["400", "401", "403", "404"]);

3. SPL2 example

The following example uses the eval function to return true if the nested index field in attributes contains the value _internal or _metrics.

... | eval n=if(in(map_get(attributes, "index"), "_internal", "_metrics"), "true", "false");

Like(TEXT, PATTERN)

This function takes two arguments, a string to match TEXT and a string expression to match PATTERN. It returns TRUE if, and only if, TEXT matches PATTERN. The pattern language supports an exact text match, as well as percent ( % ) characters for wildcards and underscore ( _ ) characters for a single character match. Use this scalar function with the eval or the where streaming functions.

Because "_" is a special character for this function, the string you want to match cannot contain "_". To match a string containing "_", use the IN function instead.

Function Input
input: string
pattern: string
Function Output
boolean

SPL2 example

The following example uses the where function to return like=TRUE if the host field starts with the value 198. The percent ( % ) symbol is a wildcard with the like function:

... | where like(host, "198.%");

Null if equal (X,Y)

Compares two fields, X and Y, and returns NULL if X = Y. Use this scalar function with the eval or the where streaming functions.

Function Input
left: T
right: any
Function Output
T

SPL2 example

The following example returns NULL if fieldA=fieldB. Otherwise the function returns fieldA.

...| eval n=nullif(fieldA,fieldB);

Validate(X,Y,...)

This function takes pairs of arguments, Boolean expressions X and strings Y. The function returns the string Y corresponding to the first expression X that evaluates to FALSE. If all evaluate to TRUE, this function returns NULL. Use this scalar function with the eval, where, or select streaming functions.

Function Input
tests-and-values: collection<union<boolean, string>>
Function Output
string

SPL2 example

The following example runs a simple check for valid ports.

... | eval n=validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range");
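The following block is an added example, not DSP code: a Python reference model that encodes the semantics this page states for cidrmatch, coalesce, in, like, nullif and validate, so that pipeline expectations (for instance the port check above, or the coalesce-then-cidrmatch pattern) can be checked offline on constructed records before a pipeline is activated. The classify function and its record layout are assumptions for illustration.

```python
"""Reference model of the DSP conditional functions documented on this page.
Added example (not Splunk code): behaviour follows the page's definitions."""
import ipaddress
import re
from typing import Any, Optional


def cidrmatch(cidr: str, ip: Optional[str]) -> bool:
    """TRUE when IPv4 address ip lies inside IPv4 subnet cidr. IPv6 or a
    missing/malformed address is treated as no match (IPv6 is unsupported)."""
    try:
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr, strict=False)
    except ValueError:  # AddressValueError and NetmaskValueError both derive from this
        return False


def coalesce(*values: Any) -> Any:
    """First argument that is not NULL (None); None when every argument is NULL."""
    return next((v for v in values if v is not None), None)


def in_(value: Any, *tests: Any) -> bool:
    """TRUE when value equals one of the listed values; no wildcard support."""
    return value in tests


def like(text: Optional[str], pattern: str) -> bool:
    """% matches any run of characters, _ matches exactly one character."""
    if text is None:
        return False
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None


def nullif(left: Any, right: Any) -> Any:
    """NULL when the two values are equal, otherwise the left value."""
    return None if left == right else left


def validate(*pairs: Any) -> Optional[str]:
    """Message paired with the first test that is FALSE; None when all tests pass."""
    for test, message in zip(pairs[::2], pairs[1::2]):
        if not test:
            return message
    return None


def check_port(port: Any) -> Optional[str]:
    """The page's port check. A non-integer port fails the first test, so the
    range test is guarded to avoid comparing a string against an int here."""
    isint = isinstance(port, int) and not isinstance(port, bool)
    return validate(isint, "ERROR: Port is not an integer",
                    isint and 1 <= port <= 65535, "ERROR: Port is out of range")


def classify(record: dict) -> dict:
    """Hypothetical record layout: applies coalesce, cidrmatch, in and validate to one event."""
    ip = coalesce(record.get("host"), record.get("ipaddress"))
    return {"ip": ip, "internal": cidrmatch("10.0.0.0/8", ip),
            "error": in_(record.get("status"), "error", "failure", "severe"),
            "port_check": check_port(record.get("port"))}
```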
Last modified on 17 July, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
