On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor.
For documentation on the most recent version, go to the latest release.
For Each (map)
This topic describes how to use the function in the Splunk Data Stream Processor.
Description
Applies a mapper function to each event in a stream and returns a record. Use this function to edit an existing field, like a field in attributes. You can also use For Each to put a new field in a map object, like attributes as well. The API function name of For Each is map.
Function Input/Output Schema
- Function Input
collection<record<R>>- This function takes in collections of records with schema R.
- Function Output
collection<record<S>>- This function outputs the same collection of records but with a different schema S.
Required arguments
| Argument | Input | Description | UI example |
|---|---|---|---|
| mapper | expression<record<S>> | Applies a mapper scalar function to each record. Unlike Eval, the For Each function is not variadic and only accepts one mapper scalar function as an argument. If you put more than one mapper function, an error is thrown. | map-put("attributes", "index", "metrics");
|
SPL2 example
In a map object field, like attributes, set the key "index" to value "metrics":
map(input, map-put("attributes", "index", "metrics"));
Last modified on 20 March, 2020
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
Download manual
Feedback submitted, thanks!