Splunk® Data Stream Processor

Function Reference

Conversion

The following scalar functions convert a value of a given data type into another data type.

base64_decode(value)

Converts a Base64-encoded string to bytes. It returns null if the value is null or if the conversion fails.

Function Input
value: string
Function Output
bytes

SPL2 examples

...| eval value_decoded= base64_decode(to_string(value)); 

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval value_decoded= base64_decode(value: to_string(value)); 

base64_encode(value)

Converts a byte array value to a Base64-encoded string. It returns null if the value is null or if the conversion fails.

Function Input
value: bytes
Function Output
string

1. SPL2 example

...| where body=base64_encode(to_bytes("foo"));

2. SPL2 example

Extracts the value in RecordNumber, hashes it with MD5, Base64-encodes the hash, and returns the result in the new field hashedrecordnumber as hashed_record_number=<hashedRecordNumber>.

...| eval hashedrecordnumber=concat("hashed_record_number=", base64_encode(md5(to_bytes(RecordNumber))));

3. SPL2 example

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| where body=base64_encode(value: to_bytes("foo"));

cast

For documentation on the cast function, see cast.

deserialize_json_object(value)

Converts a JSON byte string into a map.

Function Input
value: bytes
Function Output
map<string, any>

SPL2 examples

Deserializes the field value.

| from kafka("kafka-conn-id-1", "kafka_dsp_topic-1") | eval json=deserialize_json_object(value);

Alternatively, you can use named arguments. See SPL2 syntax for more details.

| from kafka("kafka-conn-id-1", "kafka_dsp_topic-1") | eval json=deserialize_json_object(value: value);


from_json_array(value)

Converts a JSON string into an array of the JSON structure, including nested keys.

Function Input
value: JSON character string
Function Output
collection<any>

SPL2 examples

Returns foo.

...| eval n=spath(from_json_array("[\"foo\", \"bar\", \"baz\"]"), "{0}");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=spath(from_json_array(value: "[\"foo\", \"bar\", \"baz\"]"), "{0}");


from_json_object(value)

Converts a JSON string into a map of the JSON structure, including nested keys.

Function Input
value: JSON character string
Function Output
map<string, any>

SPL2 examples

Returns {"foo":"bar"} in field jsonmap.

... | eval jsonmap=from_json_object("{\"foo\": \"bar\"}");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval jsonmap=from_json_object(value: "{\"foo\": \"bar\"}");

gunzip(value)

Decompresses a gzip-compressed byte array. It returns null if the byte array is null or if the decompression fails.

Function Input
value: bytes
Function Output
bytes

SPL2 examples

Decompresses the json-body field.

... | eval n = gunzip(json-body);

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval n = gunzip(value: json-body);

gzip(value)

Compresses a byte array with gzip and returns the compressed bytes. It returns null if the byte array is null or if the compression fails.

Function Input
value: bytes
Function Output
bytes (containing gzipped bytes)

SPL2 examples

Gzips the field json-body.

...| eval n = gzip(json-body);

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval n = gzip(value: json-body);

inet_aton(ip)

Converts an IPv4 or IPv6 address string and returns the address as type Long. Because IPv6 addresses are 128 bits, the return value is the lower 64 bits stored as type Long.

Function Input
ip: string
Function Output
long

SPL2 examples

Returns 2130706433L.

...|eval ip = inet_aton("127.0.0.1");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...|eval ip = inet_aton(ip: "127.0.0.1");


inet_ntoa(ip)

Converts a decimal IP address to dotted-decimal form.

Function Input
ip: long
Function Output
string

SPL2 examples

Returns 127.0.0.1.

...| eval ip= inet_ntoa(2130706433L);

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval ip= inet_ntoa(ip: 2130706433L);
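
Because inet_aton keeps only the lower 64 bits of an IPv6 address, distinct addresses can map to the same Long. The following Python model is an added example, not Splunk code: it reproduces the documented results and shows the collisions. The helper names collisions and lossless_key, the sample addresses, and the unsigned treatment of the bit pattern are assumptions of this example.

```python
import ipaddress

MASK64 = (1 << 64) - 1  # IPv6 results keep only the lower 64 bits


def inet_aton(ip):
    """Model of the documented result: IPv4 -> 32-bit value, IPv6 -> lower 64 bits.
    Assumption: the bit pattern is kept unsigned in this model."""
    return int(ipaddress.ip_address(ip)) & MASK64


def inet_ntoa(value):
    """Model of the documented direction: decimal -> dotted-decimal IPv4."""
    return str(ipaddress.IPv4Address(value))


def collisions(addresses):
    """Group distinct addresses that map to the same inet_aton() value."""
    groups = {}
    for ip in addresses:
        groups.setdefault(inet_aton(ip), []).append(ip)
    return {value: ips for value, ips in groups.items() if len(ips) > 1}


def lossless_key(ip):
    """Collision-free key for joins and allow/deny lookups (hypothetical helper):
    address family plus the full-width integer."""
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))


# Constructed sample (2001:db8::/32 is the IPv6 documentation range).
SAMPLE = ["127.0.0.1", "0.0.0.1", "::1", "2001:db8:aaaa::1", "2001:db8:bbbb::1"]

if __name__ == "__main__":
    for value, ips in collisions(SAMPLE).items():
        print(value, "<-", ips)
    print(inet_ntoa(inet_aton("::1")))  # the Long alone no longer identifies the family
```

When the Long is used as a lookup or correlation key for IPv6 traffic, keep the original address string in the record so that hosts in different networks are not merged.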


parse_bool(value)

Parses a string as a boolean. Returns TRUE when the string equals "true", ignoring case. Returns FALSE when the string equals "false", ignoring case. Returns null on failure.

Function Input
value: string
Function Output
boolean

SPL2 examples

Returns true.

...| eval n=parse_bool("True");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=parse_bool(value: "True");


parse_double(value)

Parses a string and returns the numeric value as a Double. Returns null if the value is null or is not a valid Double.

Function Input
value: string
Function Output
double

SPL2 examples

Returns 1.5 as type double.

...| eval n=parse_double("1.5");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=parse_double(value: "1.5");

parse_float(value)

Parses a string and returns the numeric value as a Float. Returns null if the value is null or is not a valid Float.

Function Input
value: string
Function Output
float

SPL2 examples

Returns 3.1415 as a float.

...| eval n=parse_float("3.1415");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=parse_float(value: "3.1415");

parse_int(value)

Parses a string as an integer. Returns null if the value is null or is not a valid integer.

Function Input
value: string
Function Output
int

SPL2 examples

Extracts HTTP-STATUS from body, parses the HTTP-STATUS string as an int, and returns the value in http_code.

...| eval http_code=parse_int(map_get(extract_regex(cast(body, "string"), /HTTP-STATUS=(\d+)/), "1"));

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval http_code=parse_int(value: map_get(extract_regex(cast(body, "string"), /HTTP-STATUS=(\d+)/), "1"));


parse_long(value)

Parses a string and returns the numeric value as Long. Returns null if the value is null or is not a valid Long.

Function Input
value: string
Function Output
long

SPL2 examples

Returns 45 as a long.

...| eval n=parse_long("45");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=parse_long(value: "45");

serialize_json()

Serializes records into a JSON byte string.

Function Input
null
Function Output
bytes

SPL2 example

Serializes records into bytes, and puts the resulting JSON byte string into body.

...| select serialize_json() AS body; 

serialize_json_collection(collection)

Converts a map of JSON structure into a JSON byte array.

Function Input
collection: collection<any>
Function Output
bytes

SPL2 examples

Serializes the map in attributes to bytes.

... | eval attributes={"data": serialize_json_collection(["source", source, "source_type", source_type, "body", body])};

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval attributes={"data": serialize_json_collection(collection: ["source", source, "source_type", source_type, "body", body])};


to_bytes(value)

Converts a string to a byte string. You can optionally set a character encoding.

Function Input
value: string
encoding (Optional): string
Function Output
bytes

1. SPL2 example

The following example converts the values for the foo field to bytes.

...| eval n=to_bytes(foo);

2. SPL2 example

The following example converts "somestring" into bytes with UTF-8 encoding.

...| eval n=to_bytes("somestring", "UTF-8");

3. SPL2 example

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=to_bytes(value: foo);

to_json(map)

Converts a map of a JSON object's structure to a JSON string.

Function Input
map: map<string, any>
Function Output
string

SPL2 examples

Returns {"foo":"bar"} in a new top-level field called json.

... | eval json=to_json({"foo": "bar"});

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval json=to_json(map: {"foo": "bar"});

to_string(value)

Converts a byte array value to a UTF-8 encoded string. It returns null if the value is null or the conversion fails.

Function Input
value: bytes
Function Output
string

SPL2 examples

Outputs a single field, stringified, containing the string value of attributes.

...| select to_string(get(map_get(attributes, "key"), "bytes")) AS stringified;

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| select to_string(value: get(map_get(attributes, "key"), "bytes")) AS stringified;
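
base64_decode, gunzip and to_string each return null on failure, so a chained expression such as to_string(gunzip(base64_decode(...))) yields a single null that hides which step rejected the payload. The following Python model is an added example, not Splunk code: it mirrors the documented null-on-failure behaviour and records the failing stage. The function decode_with_stage and the sample payloads are constructed for illustration.

```python
import base64
import binascii
import gzip
import zlib

# Python stand-ins for the documented behaviour; None plays the role of null.


def base64_decode(value):
    if value is None:
        return None
    try:
        return base64.b64decode(value, validate=True)  # reject non-Base64 characters
    except (binascii.Error, ValueError):
        return None


def gunzip(value):
    if value is None:
        return None
    try:
        return gzip.decompress(value)
    except (OSError, EOFError, zlib.error):  # bad header, truncated or corrupt stream
        return None


def to_string(value):
    if value is None:
        return None
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return None


def decode_with_stage(value):
    """Return (text, failed_stage); failed_stage is None when every step succeeds."""
    current = value
    for name, fn in (("base64_decode", base64_decode), ("gunzip", gunzip), ("to_string", to_string)):
        current = fn(current)
        if current is None:
            return None, name
    return current, None


# Constructed sample payloads.
GOOD = base64.b64encode(gzip.compress(b'{"user": "alice"}')).decode()
NOT_BASE64 = "%%%not-base64%%%"
NOT_GZIP = base64.b64encode(b"plain text, never compressed").decode()
NOT_UTF8 = base64.b64encode(gzip.compress(b"\xff\xfe\xfd")).decode()
```

In a pipeline, the equivalent is to evaluate each step into its own field and route records where an intermediate field is null to a review path instead of discarding them.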

tostring(value, format)

Converts the input value to a string. If the input type is a number, it reformats it according to the format string. If the input value is a Boolean value, it returns the corresponding string value, "True" or "False".

Function Input
value: number
(Optional) format: string
Function Output
string

The tostring function supports an optional second argument of one of the following options: "hex", "commas", or "duration".

Examples                  Description
tostring(X,"hex")         Converts X to hexadecimal.
tostring(X,"commas")      Formats X with commas. If the number includes decimals, the function rounds to the nearest two decimal places.
tostring(X,"duration")    Converts seconds X to the readable time format HH:MM:SS.

1. SPL2 example

Returns "1000".

... | eval n=tostring(1000);

2. SPL2 example

Returns "0xF".

... | eval n= tostring(15, "hex");

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

... | eval n= tostring(format: "hex", value: 15);

ucast

For documentation on the ucast function, see ucast.

Last modified on 10 November, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0

