Splunk® Data Stream Processor

Function Reference

SPL2 in DSP Primer

When using SPL2 to write your functions in Splunk Data Stream Processor, follow these best practices.

Accessing elements in a map or list with dot and bracket notation

DSP supports dot and bracket notation to access elements in a map or list. This allows you to easily reference elements in maps or lists, including elements found in nested maps and lists, without having to use the map scalar functions. Use dot notation to access elements in maps and bracket notation to access elements in lists. You can also use a combination of the two.

Consider the following example using the map {"zoo": {"mammals": ["elephant", "tiger", "lion"]}}. In this example, you want to extract the value tiger. This can be achieved by using the map scalar functions:

...| eval z = {"zoo": {"mammals": ["elephant", "tiger", "lion"]}},
zoo=map_get(z, "zoo"), mammals=map_get(zoo, "mammals"),
tiger=mvindex(mammals, 1);

Access an element in a map using dot notation

Using dot notation, an element is accessed by providing the name of the map, followed by a period (or dot), and then followed by the element name. For example:

... | eval z = {"zoo": {"mammals" : "tiger"}},
animal_tiger = z.zoo.mammals;

Access an element in a list using bracket notation

Using bracket notation, an element is accessed by providing the name of the list, followed by a set of square brackets [ ] containing the element position. The first element in a list is at position 0. For example:

...| eval mammals = ["elephant", "tiger", "lion"],
animal_tiger = mammals[1];

Accessing an element in a nested list using a combination of dot and bracket notation

You can use a combination of dot and bracket notation in order to retrieve nested elements. We can now replicate the results of the first example by using a combination of dot and bracket notation.

...| eval z = {"zoo": {"mammals": ["elephant", "tiger", "lion"]}},
tiger = z.zoo.mammals[1];
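The following Python script is an added example, not part of the Splunk documentation and not DSP code: it implements a small resolver with the same semantics as the dot and bracket notation above (dot steps into maps, bracket steps into lists, first element at position 0) and shows that a path such as z.zoo.mammals[1] yields the same value as the map_get/mvindex chain from the first example. The event structure, the auth field names and the behaviour of returning None for a missing key or an out-of-range index are assumptions made for this example; the page does not describe what DSP returns in that case.

```python
import re
from typing import Any, List, Union

# One path step: an optional "." followed by a map key, or "[n]" with a
# non-negative list position. Positions start at 0, as in DSP bracket notation.
_STEP = re.compile(r"\.?([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")


def parse_path(path: str) -> List[Union[str, int]]:
    """Split "z.zoo.mammals[1]" into ["z", "zoo", "mammals", 1]."""
    steps: List[Union[str, int]] = []
    pos = 0
    while pos < len(path):
        m = _STEP.match(path, pos)
        if m is None:
            raise ValueError(f"invalid path syntax at offset {pos}: {path!r}")
        steps.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    return steps


def resolve(env: dict, path: str) -> Any:
    """Walk the parsed path through nested dicts (maps) and lists.

    Assumption for this example: a missing key, an index past the end of a
    list, or a step applied to the wrong container type returns None.
    """
    current: Any = env
    for step in parse_path(path):
        if isinstance(step, str):
            if not isinstance(current, dict) or step not in current:
                return None
            current = current[step]
        else:
            if not isinstance(current, list) or step >= len(current):
                return None
            current = current[step]
    return current


# Python stand-ins for the two scalar functions used in the page's first example.
def map_get(m: Any, key: str) -> Any:
    return m.get(key) if isinstance(m, dict) else None


def mvindex(values: Any, i: int) -> Any:
    return values[i] if isinstance(values, list) and 0 <= i < len(values) else None


def tiger_long_form(env: dict) -> Any:
    """Equivalent of: zoo=map_get(z,"zoo"), mammals=map_get(zoo,"mammals"), tiger=mvindex(mammals,1)."""
    return mvindex(map_get(map_get(env.get("z"), "zoo"), "mammals"), 1)


# Constructed input: the zoo map from the page plus a made-up nested auth event.
EVENT = {
    "z": {"zoo": {"mammals": ["elephant", "tiger", "lion"]}},
    "auth": {
        "user": "alice",
        "result": "failure",
        "sources": [
            {"ip": "203.0.113.7", "port": 51822},
            {"ip": "198.51.100.9", "port": 40111},
        ],
    },
}

if __name__ == "__main__":
    print(resolve(EVENT, "z.zoo.mammals[1]"))      # tiger
    print(tiger_long_form(EVENT))                  # tiger
    print(resolve(EVENT, "auth.sources[0].ip"))    # 203.0.113.7
    print(resolve(EVENT, "auth.sources[5].ip"))    # None (index past end of list)
    print(resolve(EVENT, "z.zoo.birds"))           # None (missing key)
```

The resolver stops and returns None at the first step that cannot be applied, so a path into a field that is absent from a particular event does not raise; when writing detection logic over nested event fields, check for that None rather than assuming every event carries the full structure.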

Named arguments

SPL2 supports named arguments for sink functions, source functions, and scalar functions. Instead of having to list all arguments you want to declare in a certain order, you can specify the arguments in any order by using this syntax: argument_name: argument_value. This syntax works for both optional and required arguments.

Here are some examples of the named arguments syntax.

The following examples show that you can list the arguments in any order to create a valid SPL2 expression as long as you specify the names of the arguments.

… | into foo(limit: 5, field: my_list)
… | into foo(field: my_list, limit: 5)

The following examples show that you can still have a valid SPL2 expression without providing the full list of arguments as long as you specify the names of the arguments you want to declare. All unprovided arguments use their default values.

… | into foo(limit: 5)
… | into foo(field: my_list)

If you want to use a mix of unnamed and named arguments in your functions, you need to list all unnamed arguments in the correct order before providing the named arguments.

Keywords

Many functions use keywords with some of the arguments or options. Examples of keywords include:

  • AS
  • BY

You can specify these keywords in uppercase or lowercase in your search. However, for readability, the syntax in the Splunk documentation uses uppercase on all keywords.

Fields and wildcard fields

When the syntax contains <field>, you specify a field name from your events.

Consider this syntax:

bin [<bin-options>...] <field> [AS <newfield>]

The <field> argument is required. You can rename the field in the function output by using the [AS <newfield>] argument. This argument is optional.

For example, if the field is categoryId and you want the field to be named CategoryID in the output, you would specify:

categoryId AS CategoryID

Last modified on 06 November, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0