Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Conversion

The following scalar functions convert a value of a given data type into another data type.

base64_decode

Converts a Base64-encoded string to bytes. It returns null if the value is null or if the conversion fails.

Function Input
string
Function Output
bytes

SPL2 example

...| eval value_decoded= base64_decode(to_string(value)); 

base64_encode

Converts a byte array value to a Base64-encoded string. It returns null if the value is null or if the conversion fails.

Function Input
bytes
Function Output
string

1. SPL2 example

...| where body=base64_encode(to_bytes("foo"));

2. SPL2 example

Extracts the value in RecordNumber, hashes the value with MD5, Base64-encodes the hash, and returns the result in the new field hashedrecordnumber as hashed_record_number=<hashedRecordNumber>.

...| eval hashedrecordnumber=concat("hashed_record_number=",base64_encode(md5(to_bytes(RecordNumber))));

cast

For documentation on the cast function, see cast.

deserialize_json_object

Converts a JSON byte string into a map.

Function Input
bytes
Function Output
map<string, any>

SPL2 example

Deserializes the field value.

| from read_kafka("kafka-conn-id-1", "kafka_dsp_topic-1") | eval json=deserialize_json_object(value);

from_json_array

Converts a JSON string into an array of the JSON structure, including nested keys.

Function Input
JSON character string
Function Output
collection<any>

SPL2 example

Returns foo.

...| eval n=spath(from_json_array("[\"foo\", \"bar\", \"baz\"]"), "{0}");

from_json_object

Converts a JSON string into a map of the JSON structure, including nested keys.

Function Input
JSON character string
Function Output
map<string, any>

SPL2 example

Returns {"foo":"bar"} in field jsonmap.

... | eval jsonmap=from_json_object("{\"foo\": \"bar\"}");

gunzip

Decompresses a GZipped byte array. It returns null if the byte array is null or the gunzip fails.

Function Input
bytes
Function Output
bytes

SPL2 example

Decompresses the json-body field.

...|eval n= gunzip(json-body);

gzip

Returns gzip-compressed bytes. It returns null if the byte array is null or the gzip fails.

Function Input
bytes
Function Output
bytes (containing gzipped bytes)

SPL2 example

Gzips the field json-body.

...|eval n= gzip(json-body);

inet_aton

Converts an IPv4 or IPv6 address given as a string and returns the address as type Long. Because IPv6 addresses are 128 bits, the return value for an IPv6 address is only the lower 64 bits, stored as type Long.

Function Input
string
Function Output
long

SPL2 example

Returns 2130706433L.

...|eval ip= inet_aton("127.0.0.1");

inet_ntoa

Converts a decimal IP address to dotted-decimal form.

Function Input
long
Function Output
string

SPL2 example

Returns 127.0.0.1.

...|eval ip= inet_ntoa(2130706433L);
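
The truncation described for inet_aton matters when the long value is used as a lookup, join, or allowlist key: distinct IPv6 addresses that share their lower 64 bits become the same value, and that value can also equal an IPv4 address. The following Python model is an added example, not Splunk code; the function names, the constructed sample addresses, the treatment of Long as a signed 64-bit value, and the None result for out-of-range input are assumptions.

```python
import ipaddress

MASK64 = (1 << 64) - 1


def to_signed64(n):
    """Interpret a 64-bit pattern as a signed value (assumption: Long is signed 64-bit)."""
    return n - (1 << 64) if n >= (1 << 63) else n


def inet_aton_model(addr):
    """Model of the documented behaviour: IPv4 keeps its full 32-bit value,
    IPv6 keeps only the lower 64 bits of its 128-bit value."""
    ip = ipaddress.ip_address(addr)
    return to_signed64(int(ip) & MASK64)


def inet_ntoa_model(n):
    """Dotted-decimal form of a 32-bit value.
    Returning None for values outside the IPv4 range is this model's choice."""
    if n is None or not 0 <= n <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def colliding_keys(addrs):
    """Group addresses that map to the same long value, keeping only collisions."""
    seen = {}
    for a in addrs:
        seen.setdefault(inet_aton_model(a), []).append(a)
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: loopback plus IPv6 addresses from the documentation prefix
# 2001:db8::/32 whose lower 64 bits are all 0x000000007f000001.
SAMPLE = ["127.0.0.1", "2001:db8:1::7f00:1", "2001:db8:2::7f00:1", "::7f00:1"]

if __name__ == "__main__":
    for key, members in colliding_keys(SAMPLE).items():
        print(key, "<-", members)
    # The round trip through the long value does not recover the IPv6 address.
    print(inet_ntoa_model(inet_aton_model("2001:db8:1::7f00:1")))
    # An interface ID with the top bit set becomes a negative long in this model.
    print(inet_aton_model("2001:db8::ffff:ffff:ffff:ffff"))
```

When IPv6 traffic is in scope, key enrichment lookups and allowlists on the original address string rather than on the long value.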

parse_bool

Parses a string as a boolean. Returns TRUE when the string equals "true", ignoring case. Returns FALSE when the string equals "false", ignoring case. Returns null on failure.

Function Input
string
Function Output
boolean

SPL2 example

Returns true.

...| eval n=parse_bool("True");

parse_double

Parses a string and returns the numeric value as a Double. Returns null if the value is null or is not a valid Double.

Function Input
string
Function Output
double

SPL2 example

Returns 1.5 as type double.

...| eval n=parse_double("1.5");

parse_float

Parses a string and returns the numeric value as a Float. Returns null if the value is null or is not a valid Float.

Function Input
string
Function Output
float

SPL2 example

Returns 3.1415 as a float.

...| eval n=parse_float("3.1415");

parse_int

Parses a string as an integer. Returns null if the value is null or is not a valid integer.

Function Input
string
Function Output
int

SPL2 example

Extracts HTTP-STATUS from body, parses the HTTP-STATUS string as an int, and returns the value in http_code.

...| eval http_code=parse_int(map_get(extract_regex(cast(body, "string"), /HTTP-STATUS=(\d+)/), "1"));

parse_long

Parses a string and returns the numeric value as Long. Returns null if the value is null or is not a valid Long.

Function Input
string
Function Output
long

SPL2 example

Returns 45 as a long.

...| eval n=parse_long("45");

serialize_json

Serializes the current record into a JSON byte string.

Function Input
null
Function Output
bytes

SPL2 example

Serializes the record and outputs the record as a JSON byte string in body.

...| select serialize_json() AS body; 

serialize_json_collection

Converts a map of JSON structure into a JSON byte array.

Function Input
collection<any>
Function Output
bytes

SPL2 example

Serializes the map in attributes to bytes.

... | eval attributes={"data": serialize_json_collection(["source", source, "source_type", source_type, "body", body])};

to_bytes

Converts a string to a byte string. You can optionally set a character encoding.

Function Input
string
encoding (Optional): string
Function Output
bytes

1. SPL2 example

The following example converts the values for the foo field to bytes.

...| eval n=to_bytes(foo);

2. SPL2 example

The following example converts "somestring" into bytes with UTF-8 encoding.

...| eval n=to_bytes("somestring", "UTF-8");

to_json

Converts a map of a JSON object's structure to a JSON string.

Function Input
map<string, any>
Function Output
string

SPL2 example

Returns {"foo":"bar"} in a new top-level field called json.

... | eval json=to_json({"foo": "bar"});

to_string

Converts a byte array value to a UTF-8 encoded string. It returns null if the value is null or the conversion fails.

Function Input
bytes
Function Output
string

SPL2 example

Outputs a single field, stringified, containing the string value of attributes.

...| select to_string(get(map_get(attributes, "key"), "bytes")) AS stringified;

tostring

Converts the input value to a string. If the input type is a number, it reformats it according to the format string. If the input value is a Boolean value, it returns the corresponding string value, "True" or "False".

Function Input
value
(Optional) format, only valid when value is a number.
Function Output
string

The tostring function supports an optional second argument of one of the following options: "hex", "commas", or "duration".

| Example | Description |
| --- | --- |
| tostring(X,"hex") | Converts X to hexadecimal. |
| tostring(X,"commas") | Formats X with commas. If the number includes decimals, the function rounds to the nearest two decimal places. |
| tostring(X,"duration") | Converts seconds X to the readable time format HH:MM:SS. |

1. SPL2 example

Returns "1000".

... | eval n=tostring(1000);

2. SPL2 example

Returns "0xF".

... | eval n= tostring(15, "hex");

ucast

For documentation on the ucast function, see ucast.

Last modified on 09 October, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0

