Splunk® Data Stream Processor

Function Reference

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Iterator

The following scalar functions operate on an iterator. Use these functions to process or transform elements of a list.

filter(iterator, predicate)

Filters elements of the iterator based on the boolean expression predicate. You must use this function in conjunction with the iterator scalar function, as shown in the example.

Function Input
iterator: The function that defines the list to filter
predicate: expression<boolean>. If this returns true, the value is kept. If false, it is discarded.
Function Output
collection<T>
This function outputs a list of type T, where T is the element type of the iterator.

SPL2 example

If the incoming record has a field called list containing the values [1, 2, 3, 4], return a new list in results with the list [1, 2].

...| eval results=filter(iterator(list, "x"), cast(x, "integer")<3);

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

...| eval results=filter(predicate: cast(x, "integer") < 3, iterator: iterator(list, "x"));


for_each(iterator, function)

For each element of iterator, evaluate expression function and return a new list containing the results. You must use this function in conjunction with the iterator scalar function, as shown in the example.

Function Input
iterator: The function that defines the list to transform.
function: The function to apply to each element in the iteration.
Function Output
collection<R>
This function outputs a list of type R, where R is the element type of the iterator or the data type associated with the mapper function.

1. SPL2 example

If the incoming record has a field called string_list containing the values ["a","b","c"], outputs a new list where each element of the list is prepended with foo_: ["foo_a", "foo_b", "foo_c"].

...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));

2. SPL2 example

If the input record has a field called list containing the values [1,2,3] and the list type is long, then the following example adds 100 to each value and puts the new list [101, 102, 103] in a new field called results.

... | eval results=for_each(iterator(list, "numval"), add(cast(100, "long"), cast(numval, "long")));

3. SPL2 example

This example adds two new key-value pairs type and unit to the metrics map. If the incoming records have a body containing a list of metric maps such as Record{"body"=[{"name"="abc", "value"=123}, {"name"="xyz", "value"=789}]} , then the following example adds type and unit to the metrics map Record{"body"=[{"name"="abc", "unit"="percent", "type"="g", "value"=123}, {"name"="xyz", "unit"="percent", "type"="g", "value"=789}]}.

...| eval body=for_each(iterator(map_list, "x"), map_set(x, ["type", "g", "unit", "percent"]));


4. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

...| eval string_results=for_each(function: concat(["foo_", x]), iterator: iterator(string_list, "x"));

iterator(input, fieldname)

Iterates through a list input and temporarily assigns each element in list input as fieldname. You must use this function in combination with the functions for_each and filter.

Using this function by itself throws a "Schema cannot assign an IteratorType to a field" error. This function must be used with an iterator scalar function, such as For_Each or Filter.

Function Input
input: collection<R>
fieldname: string
Function Output
list of any type T
Argument Input Description
input collection<R> A list of type T, where T is any type. For example, the input of this function can be a list of strings, list of numbers, list of maps, list of lists, or a list of mixed types.
fieldname string A temporary or local variable name for each element in the list. Use this variable name to refer to the elements of this list when using the Filter or For_Each iterator functions.

SPL2 example

Prepends "foo_" to each element of string_list.

...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

...| eval string_results=for_each(iterator(fieldname: "x", input: string_list), concat(["foo_", x]));
Last modified on 26 August, 2020
PREVIOUS
Date and Time
  NEXT
List

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters