Iterator
The following scalar functions operate on an iterator. Use these functions to process or transform elements of a list.
filter(ITERATOR, Y)
Filters elements of the ITERATOR based on the boolean expression Y. You must use this function in conjunction with the iterator scalar function, as shown in the example.
- Function Input
- iterator: The function that defines the list to filter
- predicate: expression<boolean>. If this returns true, the value is kept. If false, it is discarded.
- Function Output
- collection<T>
- This function outputs a list of type T, where T is the element type of the iterator.
SPL2 example
If the incoming record has a field called list containing the values [1, 2, 3, 4], return a new list in results with the list [1, 2].
...| eval results=filter(iterator(list, "x"), cast(x, "integer")<3);
for_each(ITERATOR, Y)
For each element of ITERATOR, evaluate expression Y and return a new list containing the results. You must use this function in conjunction with the iterator scalar function, as shown in the example.
- Function Input
- iterator: The function that defines the list to transform.
- mapper: The function to apply to each element in the iteration.
- Function Output
- collection<R>
- This function outputs a list of type R, where R is the element type of the iterator or the data type associated with the mapper function.
1. SPL2 example
If the incoming record has a field called string_list containing the values ["a","b","c"], this example outputs a new list where each element of the list is prepended with foo_: ["foo_a", "foo_b", "foo_c"].
...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));
2. SPL2 example
If the input record has a field called list containing the values [1,2,3] and the list type is long, then the following example adds 100 to each value and puts the new list [101, 102, 103] in a new field called results.
... | eval results=for_each(iterator(list, "numval"), add(cast(100, "long"), cast(numval, "long")));
3. SPL2 example
This example adds two new key-value pairs, type and unit, to the metrics map. If the incoming records have a body containing a list of metric maps such as Record{"body"=[{"name"="abc", "value"=123}, {"name"="xyz", "value"=789}]}, then the following example adds type and unit to the metrics map: Record{"body"=[{"name"="abc", "unit"="percent", "type"="g", "value"=123}, {"name"="xyz", "unit"="percent", "type"="g", "value"=789}]}.
...| eval body=for_each(iterator(map_list, "x"), map_set(x, ["type", "g", "unit", "percent"]));
iterator(X, Y)
Iterates through a list X and temporarily assigns each element in list X as Y. You must use this function in combination with the functions for_each and filter.
Using this function by itself throws a "Schema cannot assign an IteratorType to a field" error. This function must be used with an iterator scalar function, such as For_Each or Filter.
- Function Input
- input: collection<R>
- fieldName: string
- Function Output
- list of any type T
Argument | Input | Description |
---|---|---|
input | collection<R> | A list of type T, where T is any type. For example, the input of this function can be a list of strings, list of numbers, list of maps, list of lists, or a list of mixed types. |
fieldName | string | A temporary or local variable name for each element in the list. Use this variable name to refer to the elements of this list when using the Filter or For_Each iterator functions. |
SPL2 example
Prepends "foo_" to each element of string_list.
...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0