Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Iterator

The following scalar functions operate on an iterator. Use these functions to process or transform elements of a list.

filter(ITERATOR, Y)

Filters elements of the ITERATOR based on the boolean expression Y. You must use this function in conjunction with the iterator scalar function, as shown in the example.

Function Input
iterator: The function that defines the list to filter
predicate: expression<boolean>. If this returns true, the value is kept. If false, it is discarded.
Function Output
collection<T>
This function outputs a list of type T, where T is the element type of the iterator.

SPL2 example

If the incoming record has a field called list containing the values [1, 2, 3, 4], return a new list in results with the list [1, 2].

...| eval results=filter(iterator(list, "x"), cast(x, "integer")<3);

for_each(ITERATOR, Y)

For each element of ITERATOR, evaluate expression Y and return a new list containing the results. You must use this function in conjunction with the iterator scalar function, as shown in the example.

Function Input
iterator: The function that defines the list to transform.
mapper: The function to apply to each element in the iteration.
Function Output
collection<R>
This function outputs a list of type R, where R is the element type of the iterator or the data type associated with the mapper function.

1. SPL2 example

If the incoming record has a field called string_list containing the values ["a","b","c"], outputs a new list where each element of the list is prepended with foo_: ["foo_a", "foo_b", "foo_c"].

...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));

2. SPL2 example

If the input record has a field called list containing the values [1,2,3] and the list type is long, then the following example adds 100 to each value and puts the new list [101, 102, 103] in a new field called results.

... | eval results=for_each(iterator(list, "numval"), add(cast(100, "long"), cast(numval, "long")));

3. SPL2 example

This example adds two new key-value pairs type and unit to the metrics map. If the incoming records have a body containing a list of metric maps such as Record{"body"=[{"name"="abc", "value"=123}, {"name"="xyz", "value"=789}]} , then the following example adds type and unit to the metrics map Record{"body"=[{"name"="abc", "unit"="percent", "type"="g", "value"=123}, {"name"="xyz", "unit"="percent", "type"="g", "value"=789}]}.

...| eval body=for_each(iterator(map_list, "x"), map_set(x, ["type", "g", "unit", "percent"]));

iterator(X, Y)

Iterates through a list X and temporarily assigns each element in list X as Y. You must use this function in combination with the functions for_each and filter.

Using this function by itself throws a "Schema cannot assign an IteratorType to a field" error. This function must be used with an iterator scalar function, such as For_Each or Filter.

Function Input
input: collection<R>
fieldName: string
Function Output
list of any type T
Argument Input Description
input collection<R> A list of type T, where T is any type. For example, the input of this function can be a list of strings, list of numbers, list of maps, list of lists, or a list of mixed types.
fieldName string A temporary or local variable name for each element in the list. Use this variable name to refer to the elements of this list when using the Filter or For_Each iterator functions.

SPL2 example

Prepends "foo_" to each element of string_list.

...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));
Last modified on 05 August, 2020
Date and Time   List

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters