Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

String manipulation

concat

Combines string values. This function accepts a variable number of arguments.

Function Input
collection<string>
Function Output
string

1. SPL2 example

Returns Jane A Smith in the host field.

...| eval host=concat("Jane", " ", "A", " ", "Smith");

2. SPL2 example

Prepends "asa_" to the value of "source_type".

...| eval source_type=concat("asa_", "source_type");

extract_grok

Extracts matching groups with a Grok-compatible pattern and returns a map of group names to matching groups when the pattern is matched against the input. It returns null if the input is null or the pattern is invalid.

Function Input
input: string
pattern: string
Function Output
map<string, string>

SPL2 example

Returns "IPV4": "10.10.10.10" in ip_address.

... | eval ip_address=extract_grok("FOO 10.10.10.10 BAR", "%{IPV4}");

extract_key_value

Extracts the key-value pairs and returns a map of the key-value pairs. The keys and values are separated with a key value delimiter, and pairs are separated with a pair delimiter. It returns null if the input is null or the key value delimiter is null or empty.

Function Input
input: string
key-value-delimiter: string
pair-delimiter: string
Function Output
map<string, string>

1. SPL2 example

Returns {"key1":"value1","key2":"value2","key3":"value3"}.

| eval n=extract_key_value("key1=value1;key2=value2;key3=value3", "=", ";");

2. SPL2 example

Extracts key-value pairs from body.

...| eval extracted_body=extract_key_value(cast(body, "string"), "=", " ");

extract_regex

Extracts capturing groups from inputs with regular expressions and returns a map of all extracted, matched fields in the format: {"capture_group_1": "matching_expression_1", "capture_group_N":"matching_expression_N"}. If you do not name the capturing group, the group names are returned as "1", "2", "3", "N", etc. For example, extract_regex with the regex (?<host>[^\.]+) returns a map with the key host whose value is the value of the extracted capture group. For a non-named capture group, extract_regex with the regex ([^\.]+) will return a map with key 1 whose value is the value of the extracted capture group. To name your capturing group, start your regular expression pattern with ?<capturing-group-name>, as shown in the SPL2 examples. Use this function if you want your extracted data to be nested in a single field.

Function Input
first: string
pattern: regex
Function Output
map<string, string>

1. SPL2 example

Extracts ASA-x-xxxxxx values from the body field using a named capturing group.

...| eval asa=extract_regex(cast(body, "string"), /(?<ASA>ASA-\d-\d{6})/i);

2. SPL2 example

Extracts a six digit number from value and places that value in the field numbers.

...| select extract_regex(to_string(value), /\d{6}/) AS numbers;

len

Returns the character length of a string X.

Function Input
string
Function Output
integer

SPL2 example

Filters records by source character limit.

...| where 6=len(source);

lower

Converts a string to lowercase.

Function Input
string
Function Output
string

SPL2 example

Filters records by source bar.

...| where source=lower("BAR");

ltrim

This function takes two arguments. The required argument is X, a string. This function also takes an optional argument Y, also a string. This function returns either X with whitespaces removed from the left side or X with the characters in Y trimmed from the left side.

Function Input
str: string
strip-chars (Optional): string
Function Output
string

1. SPL2 example

Returns "abczz ".

...| eval n=ltrim(" ZZZZabcZZ ", " Z");

2. SPL2 example

Returns "abc ".

...| eval n=ltrim(" abc ");

match_regex

Matches inputs against regular expressions and returns true if the pattern matches against the input, otherwise it returns False.

Function Input
input: string
pattern: pattern
Function Output
boolean

SPL2 example

Filters records that contain an ASA number in body.

...| where match_regex(cast(body, "string"), /%ASA-\d-\d{6}/);

match_wildcard

Matches inputs against a pattern with wildcards. Returns true on a successful match, otherwise it returns false.

Function Input
input: string
pattern: string
Function Output
boolean

SPL2 example

Returns true in sensitive_info when Credit:* is in the body field.

...| eval sensitive_info=match_wildcard(cast(body, "string"), "Credit*");

replace(X,Y,Z)

This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

Function Input
input: string
pattern: regular expression pattern
rep: string
Function Output
string

1. SPL2 example

Returns the "body" field with phone numbers redacted.

...| eval body=replace(cast(body, "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>");

2. SPL2 example

This example uses a capture group to format the replacement string. The result "foobar" is placed in a new top-level field called newfield.

... | eval newfield=replace("bar", /(bar)/, "foo$1");

rtrim

This function takes two arguments. The required argument is X, a string. This function also takes an optional argument Y, also a string. This function returns either X with whitespaces removed from the right side or X with the characters in Y trimmed from the right side.

Function Input
str: string
strip-chars (Optional): string
Function Output
string

1. SPL2 example

Returns " ZZZZabc".

... | eval n=rtrim(" ZZZZabcZZ", " Z");

2. SPL2 example

Returns " abc".

... | eval n= rtrim(" abc ");

spath

This function extracts a value from a map or collection. Use this function to extract a value from a nested map or collection. To extract a value from a JSON string, convert your JSON string to a map. See the from_json_object scalar function and the SPL2 example below.

For more information on the syntax of the path argument, see the path syntax in the Splunk Enterprise documentation.

The Data Stream Processor spath function does not have an auto-extract mode and does not accept JSON or XML strings.

Function Input
input: union<collection<any>, map<string,any>>
path: string
Function Output
union<string, bytes, boolean, integer, long, float, double, collection<any>, map<string,any>>

1. SPL2 example

Returns baz.

spath(from_json_object("{\"foo\": [{\"bar\": \"baz\"}]}"), "foo{0}.bar");

2. SPL2 example

Extracts forwarder_channel_id from attributes.

... | eval forwarder_channel_id_spath=spath(attributes, "spl_forwarder_channel_info.forwarder_channel_id");

substring

This function takes three arguments. The required arguments are X, a string, and Y, a numeric. This function also takes an optional argument Z, also a numeric. This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z.

Function Input
str: string
start: integer
length (optional): integer
Function Output
string

SPL2 example

Returns "foo".

...| eval n=substr("foobar", 1,3 );

trim

This function takes two arguments. The required argument is X, a string. This function also takes an optional argument Y, also a string. This function returns either X with whitespaces removed from both sides or X with the characters in Y trimmed from both sides.

Function Input
str: string
strip-chars (Optional): string
Function Output
string

1. SPL2 example

Returns abc.

...| eval n=trim(" ZZZZabcZZ ", " Z");

2. SPL2 example

Returns abc.

...| eval n=trim(" abc ");

upper(X)

Converts a string to uppercase.

Function Input
string
Function Output
string

SPL2 example

Returns USERNAME.

...| eval n=upper(username);

url_decode

Takes a URL string and returns the unescaped or decoded URL string.

Function Input
string
Function Output
string

SPL2 example

Returns http://www.splunk.com/download?r=header.

url_decode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader");

url_encode

Encodes a string for the query string parameters in a URL. Use this function when you want to include user-supplied string data in a URL.

Function Input
string
Function Output
string

SPL2 example

Filters records by Jane+A+Smith.

| where "Jane+A+Smith"=url_encode("Jane A Smith");
Last modified on 31 October, 2020
Mathematical   Overview of stats scalar functions

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters