Splunk® Data Stream Processor

Function Reference

List

The following topic contains the functions that you can use on lists or to return lists.

mvdedup(input)

This function takes a list input and returns a list with its duplicate values removed.

Function Input
input: collection<T>
Function Output
collection<T> with duplicates removed

1. SPL2 example

Returns ["foo","bar","biz","baz"] in new field dedup_list.

... | eval dedup_list=mvdedup(["foo", "bar", "foo", "bar", "biz", "baz"]);

2. SPL2 example

Removes duplicates in a field containing a list.

... | eval n=mvdedup(mvfield);

3. SPL2 example

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval dedup_list=mvdedup(input: ["foo", "bar", "foo", "bar", "biz", "baz"]);

iterator(input, fieldname)

For documentation on the iterator function, see Iterator.

length(input)

Returns the character length of the provided input. The input can be a map, collection, bytes, or a string.

Function Input
type<any>
Function Output
integer

SPL2 examples

Returns 4.

...| eval n=length([1, 5, 3, 4]);

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=length(input: [1, 5, 3, 4]);

mvappend(input)

Takes an arbitrary list of arguments, where each argument is a single string or a list of strings, and returns all elements as a single flattened list.

Function Input
input: collection<any>
Function Output
string

SPL2 examples

Returns ["lorem","lorem","ipsum","dolor","sit","amet","consectetuer"] in a new field called newlist.

... | eval newlist = mvappend("lorem", "lorem", ["ipsum", "dolor"], ["sit", "amet"], "consectetuer");

Alternatively, you can use named arguments. See SPL2 syntax for more details.

... | eval newlist = mvappend(input: "lorem", input: "lorem", input: ["ipsum", "dolor"], input: ["sit", "amet"], input: "consectetuer");

mvindex(input, index)

Returns the element of the list at the given index.

Function Input
input: collection<R>
This function accepts a collection of type R. R can be integers, strings, lists, etc.
index: integer
Function Output
R
This function outputs an element of the list.
Argument Input Description
input collection<R> A list of type R, where R is any type. For example, the input of this function can be a list of strings, list of numbers, list of maps, list of lists, or a list of mixed types.
index integer The index number of the element to get from the input list. Indexes start at zero. If you have 5 values in the list, the first value has an index of 0. The second value has an index of 1. Index numbers can be negative. -1 gets the last element in a list, -2 gets the second to last element in a list, and so on. If the index is out of range or does not exist, returns null.

1. SPL2 example

Returns "a".

...| eval n=mvindex(["a"], 0);

2. SPL2 example

Returns "a".

...| eval n=mvindex(["a"], -1);

3. SPL2 example

Returns "c".

...| eval n=mvindex(["a", "b", "c"], 2);

4. SPL2 example

Returns "a".

...| eval n=mvindex(["a", "b", "c"], -3);

5. SPL2 example

Returns [3,4].

...| eval n=mvindex([[1,2], [3, 4]], 1);

6. SPL2 example

Returns null.

...| eval n=mvindex(["a"], -2);

7. SPL2 example

In this example, if the incoming record contained a field called list with [[100, 101], [0, 1, 2]], return a new list in results with value [101, 2].

...| eval results=for_each(iterator(list, "x"), mvindex(x, -1));

8. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

...| eval n=mvindex(index: 0, input: ["a"]);

mvjoin(delimiter, values)

This function takes two arguments, a string delimiter delimiter and a list values. The function concatenates the individual values within values using the value of delimiter.

Function Input
delimiter: string
values: collection<string>
This function accepts a list whose elements are strings.
Function Output
string

SPL2 examples

Returns foo OR bar OR baz.

...| eval n=mvjoin(" OR ", ["foo", "bar", "baz"]);

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

...| eval n=mvjoin(values: ["foo", "bar", "baz"], delimiter: " OR ");

mvrange(start, end, step)

This function returns a list for a range of numbers. This function can contain up to three arguments: a starting number start, an ending number end (which is excluded from the field), and an optional step increment step, which defaults to 1. We support Splunk relative time strings as a valid step increment step. See the third SPL2 example for usage and time modifiers in the Splunk Search Reference for the full list of time modifiers.

Function Input
start: number
end: number
step: number
Function Output
collection<R>
This function outputs a collection of records of type R, where R is the same type as the function input or, when there are multiple numeric argument types, the highest of the types in the following hierarchy: Double > Float > Long > Integer.

1. SPL2 example

Returns the list [1, 2, 3, 4, 5, 6, 7, 8, 9, 10].

...| eval n = mvrange(1, 11);

2. SPL2 example

Returns the list [1, 3, 5, 7, 9].

...| eval n = mvrange(1, 11, 2);

3. SPL2 example

Returns the list [0L, 2000L, 4000L, 6000L, 8000L]. The elements of the returned list are type "Long" instead of "Integer", because the time modifier 2s is converted to a "Long" data type and "Long" is higher in the type priority: Double > Float > Long > Integer.

...| eval n=mvrange(0, 10000, "2s");

4. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

...| eval n = mvrange(start: 1, step:2, end: 11);

mvsort(input)

This function takes a list input and returns list input with the values sorted lexicographically.

Function Input
input: collection<R>
This function accepts a collection R, where R must have a lexicographic ordering.
Function Output
collection<R>
This function outputs a collection of type R, where R is the same type as the function input.

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 10, 9, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.
  • Null values are sorted as the string "null".

SPL2 examples

Returns the list [1, 100, 11].

...| eval n=mvsort([1, 11, 100]);

Alternatively, you can use named arguments. See SPL2 syntax for more details.

...| eval n=mvsort(input: [1, 11, 100]);

split(str, delim)

This function takes two arguments, a string str and a delimiter delim to use for splitting the string. It splits the values of str on the value of delim, where delim is either a fixed string or a Java regular expression. Returns a list of strings.

Function Input
str: string to split
delim: Delimiter used to split the string. Can be either a Java regular expression or a fixed string.
Function Output
collection<string>

1. SPL2 example

This function takes the string argument "a,b,c" and splits the string on the delimiter ,. Returns ["a","b","c"].

... | eval n=split("a,b,c", ",");

2. SPL2 example

This function takes the string argument "one::two::three::" and splits the string on the delimiter ::. Returns ["one","two","three",""].

... | eval n=split("one::two::three::", "::");

3. SPL2 example

This function takes the string argument "a,b, c" and splits the string on the regular expression delimiter. Returns ["a","b","c"].

... | eval n=split("a,b, c", /,\s*/);

4. SPL2 example

This function takes the string argument "ambM c" and splits the string on the regular expression delimiter. Returns ["a", "b", "c"].

... | eval n=split("ambM c", /(?i)M\s*/);

5. SPL2 example

This function takes the string argument "a,b,c" and splits the string using an empty string delimiter. Returns ["a,b,c"] as a single entry list.

... | eval n=split("a,b,c", "");

6. SPL2 example

This function takes the string argument ",," and splits the string on the delimiter ,. Returns ["","",""].

... | eval n=split(",,", ",");

7. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order. See SPL2 syntax for more details.

... | eval n=split(delim: ",", str: "a,b,c");
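
How the split and mvsort behaviours documented above interact with mvdedup, length, mvindex and mvjoin when a delimited field ends in a delimiter, as an added example that is not part of the Splunk documentation. The field names raw_ports, parts, uniq, n, sorted, last and summary and the sample value are constructed for illustration.

```spl2
/* Added example. All field names and the sample value are constructed. */
... | eval raw_ports="443,9,10,9,"
    | eval parts=split(raw_ports, ",")
    | eval uniq=mvdedup(parts)
    | eval n=length(uniq)
    | eval sorted=mvsort(uniq)
    | eval last=mvindex(sorted, -1)
    | eval summary=mvjoin(" OR ", uniq);
```

By the rules on this page, parts is ["443","9","10","9",""] and uniq keeps the empty string, so n is 4 rather than 3 and summary ends in a dangling " OR "; last is "9", not "443", because mvsort orders lexicographically. Account for the trailing empty element and the sort order before using n or last in a threshold or detection condition.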
Last modified on 10 September, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0

