Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor reached its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.

All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.

Iterator

The following scalar functions operate on an iterator. Use these functions to process or transform elements of a list.

filter(iterator, predicate)

Filters elements of the iterator based on the boolean expression predicate. You must use this function in conjunction with the iterator scalar function, as shown in the example.

Function Input
iterator: The function that defines the list to filter
predicate: expression<boolean>. If this returns true, the value is kept. If false, it is discarded.
Function Output
collection<T>
This function outputs a list of type T, where T is the element type of the iterator.

SPL2 example

If the incoming record has a field called list containing the values [1, 2, 3, 4], return a new list in results with the list [1, 2].

When working in the SPL View, you can write the function by using the following syntax. 

...| eval results=filter(iterator(list, "x"), cast(x, "integer")<3);

Alternatively, you can use named arguments to list the arguments in any order. 

...| eval results=filter(predicate: cast(x, "integer") < 3, iterator: iterator(list, "x"));

for_each(iterator, function)

For each element of iterator, evaluate expression function and return a new list containing the results. You must use this function in conjunction with the iterator scalar function, as shown in the example.

Function Input
iterator: The function that defines the list to transform.
function: The function to apply to each element in the iteration.
Function Output
collection<R>
This function outputs a list of type R, where R is the element type of the iterator or the data type associated with the mapper function.

1. SPL2 example

If the incoming record has a field called string_list containing the values ["a","b","c"], outputs a new list where each element of the list is prepended with foo_: ["foo_a", "foo_b", "foo_c"].

When working in the SPL View, you can write the function by using the following syntax. 

...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));

2. SPL2 example

If the input record has a field called list containing the values [1,2,3] and the list type is long, then the following example adds 100 to each value and puts the new list [101, 102, 103] in a new field called results.

When working in the SPL View, you can write the function by using the following syntax. 

... | eval results=for_each(iterator(list, "numval"), add(cast(100, "long"), cast(numval, "long")));

3. SPL2 example

This example adds two new key-value pairs type and unit to the metrics map. If the incoming records have a body containing a list of metric maps such as Record{"body"=[{"name"="abc", "value"=123}, {"name"="xyz", "value"=789}]} , then the following example adds type and unit to the metrics map Record{"body"=[{"name"="abc", "unit"="percent", "type"="g", "value"=123}, {"name"="xyz", "unit"="percent", "type"="g", "value"=789}]}.

When working in the SPL View, you can write the function by using the following syntax. 

...| eval body=for_each(iterator(map_list, "x"), map_set(x, ["type", "g", "unit", "percent"]));

4. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order. 

...| eval string_results=for_each(function: concat(["foo_", x]), iterator: iterator(string_list, "x"));

iterator(input, fieldname)

Iterates through a list input and temporarily assigns each element in list input as fieldname. You must use this function in combination with the for_each or filter scalar functions.

Function Input
input: collection<R>
fieldname: string
Function Output
list of any type T
Argument Input Description
input collection<R> A list of type T, where T is any type. For example, the input of this function can be a list of strings, list of numbers, list of maps, list of lists, or a list of mixed types.
fieldname string A temporary or local variable name for each element in the list. Use this variable name to refer to the elements of this list when using the for_each or filter iterator functions.

SPL2 example

Prepends "foo_" to each element of string_list.

When working in the SPL View, you can write the function by using the following syntax. 

...| eval string_results=for_each(iterator(string_list, "x"), concat(["foo_", x]));

Alternatively, you can use named arguments to list the arguments in any order. 

...| eval string_results=for_each(iterator(fieldname: "x", input: string_list), concat(["foo_", x]));
Last modified on 21 April, 2021
Date and Time   List

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters