Splunk® Data Stream Processor

Function Reference

DSP 1.2.1 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach its end of support date. See the Splunk Software Support Policy for details.

Break Events

This topic describes how to use the function in the .

Description

The Break Events function breaks grouped events into multiple events using a valid regular expression as the delimiter.

Function Input/Output Schema

Function Input
collection<record<R>>
This function takes in collections of records with schema R.
Function Output
collection<record<R>>
This function outputs collections of records with schema R.

Syntax

The required fields are in bold font.

break_events
content=<field>
delimiter=<regular-expression>
[output=<newfield>]

Required arguments

content
Syntax: <field>
Description: The field whose values will be broken into single events.
delimiter
Syntax: <regular-expression>
Description: A Java regular expression delimiter used to break events.

Optional arguments

output
Syntax: <string>
Description: The name of the output field in the new event.
Default: body

Example

Examples of common use cases follow. These examples assume that you have added the function to your pipeline.

1. SPL2 Example: Break events using a new line as a delimiter.

This example assumes that you are in the SPL View. 

...| break_events content=host delimiter= /\n/ output=new_field|...;

2. SPL2 Example: Break body into multiple events using a new line as a delimiter.

This example assumes that you are in the SPL View. 

... | break_events output=new_field content=cast(body, "string") delimiter=/\n/ |...;

3. SPL2 Example: Break body into multiple events using a comma as a delimiter.

This example assumes that you are in the SPL View. 

... | break_events content=cast(body, "string") delimiter=/,/ |...;
Last modified on 09 February, 2022
Bin   Datagen (beta)

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters