On April 3, 2023, Splunk Data Stream Processor reached its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.
All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.
Break Events
This topic describes how to use the function in the .
Description
The Break Events function breaks grouped events into multiple events using a valid regular expression as the delimiter.
Function Input/Output Schema
- Function Input
- collection<record<R>>
- This function takes in collections of records with schema R.
- Function Output
- collection<record<R>>
- This function outputs collections of records with schema R.
Syntax
The required fields are in bold font.
- break_events
- content=<field>
- delimiter=<regular-expression>
- [output=<newfield>]
Required arguments
- content
- Syntax: <field>
- Description: The field whose values will be broken into single events.
- delimiter
- Syntax: <regular-expression>
- Description: A Java regular expression delimiter used to break events.
Optional arguments
- output
- Syntax: <string>
- Description: The name of the output field in the new event.
- Default: body
Example
Examples of common use cases follow. These examples assume that you have added the function to your pipeline.
1. SPL2 Example: Break events using a new line as a delimiter.
This example assumes that you are in the SPL View.
...| break_events content=host delimiter= /\n/ output=new_field|...;
2. SPL2 Example: Break body into multiple events using a new line as a delimiter.
This example assumes that you are in the SPL View.
... | break_events output=new_field content=cast(body, "string") delimiter=/\n/ |...;
3. SPL2 Example: Break body into multiple events using a comma as a delimiter.
This example assumes that you are in the SPL View.
... | break_events content=cast(body, "string") delimiter=/,/ |...;
Last modified on 09 February, 2022
| Bin | Eval |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5
Download manual
Feedback submitted, thanks!