Conditional
Cidrmatch("X",Y)
Returns TRUE or FALSE based on whether an IPv4 address matches an IPv4 CIDR notation. Use this function to determine if an IPv4 address belongs to a particular subnet. This function returns TRUE when IP address Y belongs to subnet X. Both X and Y are string arguments: X is the CIDR subnet and Y is the IP address to match against the subnet. IPv6 is not supported.
- Function Input
  - cidr-range: String
  - ip: String
- Function Output
  - String
SPL2 example
The following example uses the cidrmatch function as a filter to remove events whose ip field does not fall within the 10.0.0.0/8 subnet:
... | where cidrmatch("10.0.0.0/8", ip);
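As an added illustration (not part of the Splunk documentation), the following Python model reproduces the contract of cidrmatch and applies the same 10.0.0.0/8 filter to a few constructed records. Treating an IPv6 value or a missing ip field as "no match" is an assumption made by this model so the filter has a defined result; the page only states that IPv6 is not supported.

```python
import ipaddress
from typing import Optional

def cidrmatch(cidr: str, ip: Optional[str]) -> bool:
    """Model of SPL2 cidrmatch(X, Y): True when IPv4 address `ip` lies inside IPv4 subnet `cidr`.

    Both arguments are strings, as documented. IPv6 is not supported by the SPL2 function;
    this model returns False for any value that is not a valid IPv4 address (and for a
    missing field), which is an assumption of the model, not documented SPL2 behaviour.
    """
    if ip is None:
        return False
    try:
        net = ipaddress.IPv4Network(cidr, strict=False)
        addr = ipaddress.IPv4Address(ip)
    except ValueError:  # covers IPv6 literals, hostnames and malformed input
        return False
    return addr in net

# Constructed sample records standing in for events flowing through the pipeline.
EVENTS = [
    {"host": "web01", "ip": "10.20.30.40"},
    {"host": "web02", "ip": "192.0.2.17"},
    {"host": "web03", "ip": "10.255.255.254"},
    {"host": "web04", "ip": "2001:db8::1"},   # IPv6: unsupported, dropped by the filter
    {"host": "web05"},                        # no ip field at all
]

def where_cidrmatch(events, cidr: str, field: str = "ip"):
    """Equivalent of `... | where cidrmatch("<cidr>", ip)`: keep only the matching events."""
    return [e for e in events if cidrmatch(cidr, e.get(field))]

if __name__ == "__main__":
    for e in where_cidrmatch(EVENTS, "10.0.0.0/8"):
        print(e["host"], e["ip"])
```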
Coalesce(X,...)
This function takes a variable number of arguments and returns the first value that is not NULL.
- Function Input
  - type: collection<R>
- Function Output
  - R
SPL2 example
Suppose you have a set of records where the IP address is extracted to either host or ipaddress. This example defines a new field called ip that takes the value of either the host field or the ipaddress field, depending on which field is not NULL (that is, which field exists in that record). If both the host and ipaddress fields exist in the record, this function returns the first argument, the host field.
...| eval ip=coalesce(host, ipaddress);
If(X,Y,Z)
Returns the expression Y if the predicate X is true, and the expression Z if X is false.
- Function Input
  - predicate: boolean
  - then: T
  - else: T
- Function Output
  - type: T
SPL2 example
If the value of the "kind" field is event, send the data to the index "main". If the value of the "kind" field is not event, send the data to the index "metrics".
...| into write_index("", if(kind="event", "main", "metrics"));
In(FIELD, VALUE-LIST)
This function returns TRUE if one of the values in the list matches a value in the field you specify. This function also accepts map and list arguments, as shown in the SPL2 example below. This function accepts a variable number of arguments. Use this scalar function with the eval or the where streaming functions.
The following syntax is supported:
...| where in(field,"value1","value2", ...)
...| where field in("value1","value2", ...)
...| eval new_field=if(in(field,"value1","value2", ...), "value-if_true","value-if-false")
The eval function cannot accept a Boolean value. You must specify the IN function inside the IF function, which can accept a Boolean value as input.
The string values must be enclosed in quotation marks. You cannot specify wildcard characters with the values to specify a group of similar values, such as HTTP error codes or CIDR IP address ranges. Use the IN operator instead.
- Function Input
  - value: any
  - test-values: collection<any>
- Function Output
  - boolean
1. SPL2 example
The following example uses the in function as the first parameter for the if function. The evaluation expression returns TRUE if the value in the status field matches one of the values in the list.
...| eval error=if(in(status, "error", "failure", "severe"),"true","false");
2. SPL2 example
The following example uses the where function to return TRUE if one of the values in the status_code field matches one of the values in the list.
...| where in("status_code", ["400", "401", "403", "404"]);
3. SPL2 example
The following example uses the eval function to return true if the nested index field in attributes contains the value _internal or _metrics.
... | eval n=if(in(map_get(attributes, "index"), "_internal", "_metrics"), "true", "false");
Like(TEXT, PATTERN)
This function takes two arguments, a string to match TEXT and a string expression to match PATTERN. It returns TRUE if, and only if, TEXT matches PATTERN. The pattern language supports an exact text match, as well as percent ( % ) characters for wildcards and underscore ( _ ) characters for a single character match. Use this scalar function with the eval or the where streaming functions.
Because "_" is a special character for this function, the string you want to match cannot contain "_". To match a string containing "_", use the IN function instead.
- Function Input
  - input: string
  - pattern: string
- Function Output
  - boolean
SPL2 example
The following example uses the where function to keep the events for which like returns TRUE, that is, those whose host field starts with the value 198. The percent ( % ) symbol is a wildcard with the like function:
... | where like(host, "198.%");
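The following Python model is an added example, not code from the Splunk documentation. It implements the pattern language described above (exact match, % for any run of characters, _ for exactly one character) and shows why the page tells you to use IN rather than LIKE when the text to match contains an underscore: the `_` in the pattern also matches any other single character. The helper name `in_` is this example's own.

```python
import re

def like(text: str, pattern: str) -> bool:
    """Model of SPL2 like(TEXT, PATTERN).

    '%' matches any run of characters (including none), '_' matches exactly one
    character, everything else is literal. The whole text must match the pattern.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # '.' in "198.%" is a literal dot, not a wildcard
    return re.fullmatch("".join(parts), text, flags=re.DOTALL) is not None

def in_(value, *test_values) -> bool:
    """Model of SPL2 in(FIELD, VALUE-LIST): exact membership, no wildcard characters."""
    return value in test_values

if __name__ == "__main__":
    # The page's example: hosts that start with "198."
    for host in ("198.51.100.7", "1981.example", "10.0.0.1"):
        print(host, like(host, "198.%"))
    # The underscore caveat: "my_host" as a pattern also accepts "myXhost".
    print(like("my_host", "my_host"), like("myXhost", "my_host"))
    # IN matches the literal string only, so it is the right tool for names with '_'.
    print(in_("my_host", "my_host"), in_("myXhost", "my_host"))
```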
Null if equal (X,Y)
Compares two fields, X and Y, and returns NULL if X = Y. Use this scalar function with the eval or the where streaming functions.
- Function Input
  - left: T
  - right: any
- Function Output
  - T
SPL2 example
The following example returns NULL if fieldA=fieldB. Otherwise the function returns fieldA.
...| eval n=nullif(fieldA,fieldB);
Validate(X,Y,...)
This function takes pairs of arguments, Boolean expressions X and strings Y. The function returns the string Y corresponding to the first expression X that evaluates to FALSE. If all evaluate to TRUE, this function returns NULL. Use this scalar function with the eval, where, or select streaming functions.
- Function Input
  - tests-and-values: collection<union<boolean, string>>
- Function Output
  - string
SPL2 example
The following example runs a simple check for valid ports.
... | eval n=validate(isint(port), "ERROR: Port is not an integer", port >= 1 AND port <= 65535, "ERROR: Port is out of range");
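As an added example (not from the Splunk documentation), this Python model reproduces the validate contract, first failing test's message or NULL, and runs the page's port check against integer, string and out-of-range inputs. Because Python evaluates arguments eagerly, the range test in `check_port` is guarded with `isint(port)` so that a non-integer value cannot raise before validate sees it; that guard is an adaptation for the model, not part of the SPL2 expression.

```python
from typing import Optional

def isint(value) -> bool:
    """Model of SPL2 isint: True only for integer values (bool and digit strings excluded)."""
    return isinstance(value, int) and not isinstance(value, bool)

def validate(*tests_and_values) -> Optional[str]:
    """Model of SPL2 validate(X, Y, ...): arguments are pairs of (boolean test, message).

    Returns the message paired with the first test that is False. Returns None (NULL)
    when every test is True.
    """
    if len(tests_and_values) % 2:
        raise ValueError("validate expects (test, message) pairs")
    tests = tests_and_values[0::2]
    messages = tests_and_values[1::2]
    for test, message in zip(tests, messages):
        if not test:
            return message
    return None

def check_port(port) -> Optional[str]:
    """The page's port check carried over to the model.

    The second test is guarded by isint(port) so a string such as "443" fails the first
    test instead of raising a TypeError on comparison in Python.
    """
    return validate(
        isint(port), "ERROR: Port is not an integer",
        isint(port) and 1 <= port <= 65535, "ERROR: Port is out of range",
    )

if __name__ == "__main__":
    for candidate in (443, "443", 0, 65535, 65536):
        print(repr(candidate), "->", check_port(candidate))
```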
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0