Splunk® Data Stream Processor

Function Reference


SPL2 in the Splunk Data Stream Processor Primer

When using SPL2 to write your functions in Splunk Data Stream Processor, follow these best practices. For more information on writing SPL2, see the SPL2 Search Manual.

Accessing elements in a map or list with dot and bracket notation

The Splunk Data Stream Processor supports dot and bracket notation to access elements in a map or list. This allows you to easily reference elements in maps or lists, including elements found in nested maps and lists, without having to use the map scalar functions. Use dot notation to access elements in maps and bracket notation to access elements in lists. You can also use a combination of the two.

Consider the following example using the map {"zoo": {"mammals": ["elephant", "tiger", "lion"]}}. In this example, you want to extract the value tiger. This can be achieved by using the map scalar functions:

...| eval z = {"zoo": {"mammals": ["elephant", "tiger", "lion"]}},
zoo=map_get(z, "zoo"), mammals=map_get(zoo, "mammals"),
tiger=mvindex(mammals, 1);

However, an easier way to access and extract tiger is by using dot and bracket notation. See the sections below for an example.

Currently, dot and bracket notation can only be used to access elements in maps or lists. You cannot use dot and bracket notation to assign values to elements. For example, ... | eval x.a = 2; results in an error. If you want to assign values to elements, use the map_set function instead.

Access an element in a map using dot notation

Using dot notation, an element is accessed by providing the name of the map, followed by a period (or dot), and then followed by the element name. For example:

... | eval z = {"zoo": {"mammals" : "tiger"}},
animal_tiger = z.zoo.mammals;

Access an element in a list using bracket notation

Using bracket notation, an element is accessed by providing the name of the list, followed by a set of square brackets [ ] containing the element position. Positions are zero-based: the first element in a list is at position 0, so the second element is at position 1. For example:

...| eval mammals = ["elephant", "tiger", "lion"],
animal_tiger = mammals[1];

Accessing an element in a nested list using a combination of dot and bracket notation

You can combine dot and bracket notation to retrieve nested elements. The following example replicates the result of the first example (extracting tiger) using the combined notation instead of the map scalar functions:

...| eval z = {"zoo": {"mammals": ["elephant", "tiger", "lion"]}},
tiger = z.zoo.mammals[1];
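The following is an added example, not part of this page and not Splunk code: a small Python model of the access rules described above (a dot step looks up a key in a map, a bracket step uses a zero-based position in a list, and the two can be chained). The sample event, the identifier grammar it accepts, and the helper names tokenize, access_path and safe_access are assumptions made for the example; SPL2 field names are not restricted to this grammar. Running it against the zoo map from the examples shows how z.zoo.mammals[1] resolves, and reports each common misuse (indexing a map with brackets, using dot notation on a list, an out-of-range position, a missing key, malformed syntax) as a distinct error class.

```python
import re
from typing import Any, List, Optional, Tuple, Union

# Constructed sample event (an assumption for this example), mirroring the page's zoo map.
SAMPLE_EVENT: dict = {"z": {"zoo": {"mammals": ["elephant", "tiger", "lion"]}}}

# Identifier grammar accepted by this example (an assumption, not the SPL2 field-name grammar).
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# One subsequent step: either ".name" (a map key) or "[n]" (a zero-based list position).
_STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")

Step = Union[str, int]


def tokenize(path: str) -> List[Step]:
    """Split 'z.zoo.mammals[1]' into ['z', 'zoo', 'mammals', 1].

    Strings are dot steps (map lookups); ints are bracket steps (list positions).
    Anything the two patterns do not cover is a syntax error.
    """
    m = _IDENT.match(path)
    if not m:
        raise ValueError(f"path must start with a field name: {path!r}")
    steps: List[Step] = [m.group(0)]
    pos = m.end()
    while pos < len(path):
        m = _STEP.match(path, pos)
        if not m:
            raise ValueError(f"bad path syntax at offset {pos} in {path!r}")
        steps.append(m.group(1) if m.group(1) is not None else int(m.group(2)))
        pos = m.end()
    return steps


def access_path(event: Any, path: str) -> Any:
    """Resolve a dot/bracket path against a nested map/list value, read-only.

    A dot step requires the current value to be a map and looks up the key;
    a bracket step requires a list and uses a zero-based position. Each kind
    of mismatch raises a different exception so callers can tell them apart.
    """
    current = event
    for step in tokenize(path):
        if isinstance(step, str):
            if not isinstance(current, dict):
                raise TypeError(f"dot notation '.{step}' applied to a non-map value")
            if step not in current:
                raise KeyError(step)
            current = current[step]
        else:
            if not isinstance(current, list):
                raise TypeError(f"bracket notation '[{step}]' applied to a non-list value")
            if step >= len(current):
                raise IndexError(
                    f"position {step} is out of range for a list of length {len(current)}"
                )
            current = current[step]
    return current


def safe_access(event: Any, path: str) -> Tuple[Any, Optional[str]]:
    """Return (value, None) on success or (None, 'ErrorType: message') on failure."""
    try:
        return access_path(event, path), None
    except (ValueError, TypeError, KeyError, IndexError) as exc:
        return None, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # The combined-notation example from the page: z.zoo.mammals[1] resolves to "tiger".
    print(access_path(SAMPLE_EVENT, "z.zoo.mammals[1]"))
    # Common misuses, each reported as a different error class.
    for bad in ("z.zoo[0]", "z.zoo.mammals.tiger", "z.zoo.mammals[3]", "z.zoo.birds", "z..zoo"):
        print(bad, "->", safe_access(SAMPLE_EVENT, bad)[1])
```

The accessor is deliberately read-only, matching the restriction stated above that dot and bracket notation can only read elements; a write such as x.a = 2 has no counterpart here, and in SPL2 it is done with map_set.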

Named arguments

SPL2 supports named arguments for sink functions, source functions, and scalar functions. Instead of listing every argument positionally in a fixed order, you can specify arguments in any order using the syntax argument_name: argument_value. This syntax works for both optional and required arguments.

Here are some examples of the named arguments syntax.

The following examples show that you can list the arguments in any order to create a valid SPL2 expression as long as you specify the names of the arguments.

… | into foo(limit: 5, field: my_list)
… | into foo(field: my_list, limit: 5)

The following examples show that you can still have a valid SPL2 expression without providing the full list of arguments as long as you specify the names of the arguments you want to declare. All unprovided arguments use their default values.

… | into foo(limit: 5)
… | into foo(field: my_list)

If you mix unnamed and named arguments in a function call, all unnamed arguments must come first, in their declared order, followed by the named arguments.

Keywords

Many functions use keywords with some of the arguments or options. Examples of keywords include:

  • AS
  • BY

You can specify these keywords in uppercase or lowercase in your search. However, for readability, the syntax in the Splunk documentation uses uppercase on all keywords.

Fields and wildcard fields

When the syntax contains <field>, you specify a field name from your events.

Consider this syntax:

bin [<bin-options>...] <field> [AS <newfield>]

The <field> argument is required. You can rename the field in the function output by using the [AS <newfield>] argument. This argument is optional.

For example, if the field is categoryId and you want the field to be named CategoryID in the output, you would specify:

categoryId AS CategoryID
Last modified on 19 January, 2021

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0