All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 before July 1, 2023 in order to continue to receive full product support from Splunk.
Overview of evaluation scalar functions
Use evaluation scalar functions to evaluate an expression based on your records and return a result.
Functions that use evaluation scalar functions
You can use evaluation scalar functions with the Eval, Where, and Select streaming functions. See the following pages for more information, including examples of how evaluation scalar functions are used with these streaming functions:
You can also use evaluation scalar functions with any function that has an argument that accepts expressions. For example, the Send to Splunk HTTP Event Collector sink function has an index argument that accepts expression<string> values. When configuring this index argument, you can specify an expression that uses evaluation scalar functions to resolve to a string value. For example, you can specify the following expression, which uses the map_get function to extract an index value from a map called attributes, and then uses the cast function to cast the extracted value to the string data type:
cast(map_get(attributes, "index"), "string")
Using evaluation scalar functions
- All functions that accept strings can accept either a literal string or any field.
- All functions that accept numbers can accept either literal numbers or any numeric field.
Specifying literal strings
For most evaluation scalar functions, when a string argument is expected you can specify either a literal string or a field. The literal string must be enclosed in double quotation marks. For example, if you have a field called name that contains the names of your servers, and you want to append the literal string server to the end of each name, you would specify this:
name + "server"
You can specify a function as an argument to another function. In the following example, the cidrmatch function is used as the first argument in the if function:
... | eval isLocal=if(cidrmatch("18.104.22.168/25",ip), "local", "not local");
The following table lists the basic mathematical operations that you can use with the evaluation scalar functions. For these operations to work, the values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. When concatenating values, Splunk software reads the values as strings, regardless of their data type.
| Operation | Description |
| Addition | Accepts two numbers and produces a number. |
| Subtraction | Accepts two numbers and produces a number. |
| Multiplication | Accepts two numbers and produces a number. |
| Division | Accepts two numbers and produces a number. |
| Modulo | Accepts two numbers and produces a number. |
| Logical AND operator | Accepts two Boolean values and produces a Boolean. |
| Logical OR operator | Accepts two Boolean values and produces a Boolean. |
| Logical NOT operator | Accepts one Boolean value and produces the inverse of the value. |
| Exclusive OR operator | Accepts two Boolean values and produces a Boolean. |
| NULL operator | Accepts a value and returns TRUE if the field value is NULL. |
| NULL operator | Accepts a value and returns TRUE if the field value is not NULL. |
| Less than | Accepts two numbers and produces a Boolean. |
| Greater than | Accepts two numbers and produces a Boolean. |
| Less than or equal to | Accepts two numbers or two strings and produces a Boolean. |
| Greater than or equal to | Accepts two numbers and produces a Boolean. |
| Not equal to | Accepts two numbers or two strings and produces a Boolean. |
| Equal to | In expressions, the |
| Text pattern matching operator | Accepts two strings. For example, field |
| Matching operator | Accepts a value and a list, and checks whether the value is in the list. The list can either be a list literal or a field containing a list. For example |
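The operators in the table combine freely with the scalar functions shown earlier on this page, and each assignment resolves to the type the table describes. The following Eval expression is an added example and is not taken from the Splunk DSP documentation: the field names ip, bytes_in, bytes_out, status_code and attributes are hypothetical, the 198.51.100.0/24 block is a reserved documentation range chosen for illustration, and it assumes that eval accepts several comma-separated assignments in one expression.

```spl
... | eval
    index_name=cast(map_get(attributes, "index"), "string"),
    scope=if(cidrmatch("198.51.100.0/24", ip), "local", "not local"),
    bytes_total=bytes_in + bytes_out,
    is_server_error=status_code >= 500
```

index_name is a string (the map lookup and cast example from this page), scope is one of two literal strings selected by the Boolean that cidrmatch returns, bytes_total is a number produced by addition on two numeric fields, and is_server_error is a Boolean produced by a comparison on a numeric field. If status_code arrives as a string rather than a number, cast it first, because the comparison operators in the table expect two numbers.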
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2