Splunk® Cloud Services

SPL2 Search Manual


Dataset literals

A dataset literal is a dataset that you type into your search criteria, instead of specifying a dataset name. You can use a dataset literal anywhere you can specify a dataset name.

A dataset literal consists of an array of objects. Each object represents a row, typically an event or metric, in the dataset. Each property of that object represents a field and value.

Dataset literals are often used to test search syntax. They are also used in Splunk SPL2 documentation to illustrate examples.

Format of dataset literals

A dataset literal uses a format similar to a JSON array, with the exception of field names. The following list explains the format requirements for dataset literals:

  • Enclose dataset literals in square brackets ( [ ] ).
  • Enclose each object in the array in curly brackets ( { } ).
  • Separate each object with a comma, except for the last object.
  • In a list of field-value pairs, separate each field-value pair with a comma.
  • For each field-value pair, separate the field from the value with a colon.
  • If a field name contains characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character, enclose the field name in single quotation marks.
  • If a field value is a string, enclose the value in double quotation marks.

Here's an example:

[
   { name: "Tower Bridge", length: 801, 'city and country': "London, England" },
   { name: "Rialto Bridge", length: 157, 'city and country': "Venice, Italy" },
   { name: "Golden Gate Bridge", length: 8981, 'city and country': "San Francisco, United States" }
]

Because the city and country field name contains spaces, the name is enclosed in single quotation marks.

For compatibility with JSON, field names in double quotation marks are accepted.
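The quoting rules above are easy to get wrong when a test dataset is generated rather than typed by hand. The following Python helper, an added example that is not part of the Splunk documentation or of SPL2 itself, renders Python rows as a dataset literal: bare field names only for a-z, A-Z, 0-9 and underscore, single quotes for any other field name, double quotes for strings, bare numbers, and nested arrays and objects. It assumes JSON-style escaping inside double-quoted strings and refuses booleans, nulls and field names containing a single quote, since the rules on this page do not cover them.

```python
import json
import re

# Field names built only from a-z, A-Z, 0-9 and "_" may be written bare; anything
# else is wrapped in single quotation marks, as the format rules above require.
BARE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def field_name(name: str) -> str:
    """Render a field name following the dataset-literal quoting rule."""
    if BARE_NAME.match(name):
        return name
    if "'" in name:
        # The rules give no escape for a single quote inside a quoted field name,
        # so refuse rather than emit text the search parser may reject.
        raise ValueError(f"cannot quote field name {name!r}")
    return f"'{name}'"


def to_value(value) -> str:
    """Strings in double quotes, numbers bare, arrays and objects nested."""
    if isinstance(value, bool) or value is None:
        raise TypeError(f"booleans/nulls are not covered by these rules: {value!r}")
    if isinstance(value, str):
        return json.dumps(value)  # assumption: JSON-style escaping inside the quotes
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, list):
        return "[" + ", ".join(to_value(v) for v in value) + "]"
    if isinstance(value, dict):
        return to_object(value)
    raise TypeError(f"unsupported value type: {value!r}")


def to_object(row: dict) -> str:
    """Render one row (an event) as a { field: value, ... } object."""
    if not row:
        return "{}"  # an empty object yields an event that has only _time
    pairs = ", ".join(f"{field_name(k)}: {to_value(v)}" for k, v in row.items())
    return "{ " + pairs + " }"


def dataset_literal(rows: list, indent: int = 3) -> str:
    """Render a list of rows as a multi-line literal, one object per line."""
    if not all(isinstance(r, dict) for r in rows):
        raise TypeError("every row must be a dict (one object per event)")
    if not rows:
        return "[]"
    return "[\n" + ",\n".join(" " * indent + to_object(r) for r in rows) + "\n]"
```

Calling dataset_literal on a list of dicts reproduces the bridges example above, including the single-quoted 'city and country' field name.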

Empty dataset literals

You can specify an empty dataset literal using the from command to create an event. The event has only one field, _time, which contains a timestamp marking the time you created the event.

For example:

| FROM [{}]

You can also use the repeat dataset function to create events. See repeat dataset function in the SPL2 Search Reference.

Using dataset literals

Consider the following array:

[	
   { state: "Washington", abbreviation: "WA", population: 7535591 }, 
   { state: "California", abbreviation: "CA", population: 39557045 }, 
   { state: "Oregon", abbreviation: "OR", population: 4190714 }
] 

This array is the literal representation of these three rows of data:

state       abbreviation  population
Washington  WA            7,535,591
California  CA            39,557,045
Oregon      OR            4,190,713

You can use this dataset literal in generating commands, such as from and union.

Here's an example of using this dataset literal with the from command:

FROM [ { state: "Washington", abbreviation: "WA", population: 7535591 }, { state: "California", abbreviation: "CA", population: 39557045 }, { state: "Oregon", abbreviation: "OR", population: 4190714 } ] WHERE population > 5000000 SELECT state

This search returns these results:

state
Washington
California

Here's another example of using a dataset literal with the union command.

Suppose you want to merge events from two datasets, customers and orders. You also want to merge in information about vendors, which is not stored in any dataset. You can use a dataset literal for the vendor information. For example:

union customers, orders, [ { vendor: "Seals Gaming", city: "San Francisco", vendorID: 4120 }, { vendor: "Flyin Hawaiian Hobbyist", city: "Honolulu", vendorID: 1193 }, { vendor: "Mile High Games", city: "Denver", vendorID: 3115 }, { vendor: "Games of Portlandia", city: "Portland", vendorID: 1027 }, { vendor: "Capone Games", city: "Chicago", vendorID: 1159 } ]

The events from all three datasets, the two permanent datasets and the temporary dataset literal, are merged.

Sample dataset literals

The following dataset literals are used in the examples in the SPL2 manuals. You can copy and paste these dataset literals into a search to experiment with SPL2 commands.

Hourly visitors

[{hour: 0800, visitors: 0}, {hour: 0900, visitors: 212}, {hour: 1000, visitors: 367}, {hour: 1100, visitors: 489}, {hour: 1200, visitors: 624}, {hour: 1300, visitors: 609}, {hour: 1400, visitors: 492}, {hour: 1500, visitors: 513}, {hour: 1600, visitors: 367}, {hour: 1700, visitors: 337}]

Daily temperatures

[{day: "sun", temp: 65}, {day: "mon", temp: 42}, {day: "tue", temp: 40}, {day: "wed", temp: 31}, {day: "thu", temp: 47}, {day: "fri", temp: 53}, {day: "sat", temp: 64}]

Board games

This dataset literal contains a set of cooperative and competitive board games, with key-value pairs for game type and name.

[{type: "cooperative", "name": "Forbidden Island"}, {type: "cooperative", "name": "Pandemic"}, {type: "cooperative", "name": "Sherlock Holmes: Consulting Detective"}, {type: "competitive", "name": "Settlers of Catan"}, {type: "competitive", "name": "Terraforming Mars"}, {type: "competitive", "name": "Ticket to Ride"}]

Empty events

You can create a set of events that have only a timestamp by using a dataset literal or using the repeat dataset function.

The dataset literal to create 10 events is:

[{},{},{},{},{},{},{},{},{},{}]

See repeat dataset function in the SPL2 Search Reference.

Names, ages, and cities

This dataset literal contains a set of objects with key-value pairs with the name, age, and city for a group of fictitious people.

[{"name": "Alex Martin", "age": 25, "city": "San Francisco"}, {"name": "Wei Zhang", "age": 39, "city": "Seattle"}, {"name": "David Mayer", "age": 31, "city": "Berlin"}, {"name": "Maria Dubois", "age": 44, "city": "Paris"}, {"name": "Rutherford Sullivan", "age": 57, "city": "Dublin"}, {"name": "Vanya Patel", "age": 47, "city": "Bangalore"}, {"name": "Claudia Garcia", "age": 29, "city": "Austin"}]

Bridges by city

This dataset literal contains a nested set of values, first by city and then by bridge information.

[{"name":"London","Bridges":[{"name":"Tower Bridge","length":801},{"name":"Millennium Bridge","length":1066}]},{"name":"Venice","Bridges":[{"name":"Rialto Bridge","length":157},{"name":"Bridge of Sighs","length":36},{"name":"Ponte della Paglia"}]},{"name":"San Francisco","Bridges":[{"name":"Golden Gate Bridge","length":8981},{"name":"Bay Bridge","length":23556}]}]

Famous bridges by country

This dataset literal contains a nested set of arrays about some of the famous bridges around the world, organized by country.

[
{famous_bridges: [{name: "Forth Bridge", length: 8202, city: "South Queensferry"}, {name: "Gateshead Millennium Bridge", length: 413, city: "Gateshead"}, {name: "Clifton Suspension Bridge", length: 1352, city: "Bristol"}], country: "United Kingdom"},
{famous_bridges: [{name: "Rialto Bridge", length: 157, city: "Venice"}, {name: "Ponte Vecchio Bridge", length: 276, city: "Florence"}],
country: "Italy"},
{famous_bridges: [{name: "Helix Bridge", length: 918}], country: "Singapore"},
{famous_bridges: [{name: "Hangzhou Bay Bridge", length: 110880, city:"Jiaxing"}, {name: "Nanpu Bridge", length: 27381, city:"Shanghai"}],
country: "China"},
{famous_bridges: [{name: "Golden Gate Bridge", length: 8981, city:"San Francisco"}, {name: "Brooklyn Bridge", length: 6016, city:"New York City"}, {name: "Tilikum Crossing", length: 1700, city: "Portland"}], country: "United States"}
]

Product order information

This dataset literal contains a set of objects with key-value pairs with the timestamp, IP address, action, product ID, quantity, and price for a group of fictitious board games.

[{_time: "2021/01/20 12:00", clientip: "192.0.2.0", action: "purchase", pid: "DC-SG-G02", quantity: 1, price: 39.99},
{_time: "2021/01/20 11:58", clientip:"", action: "addtochart", pid: "MB-AG-G07", quantity: 3, price: 27.99},
{_time: "2021/01/20 11:58", clientip:"203.0.113.0", action: "purchase", pid: "WC-SH-A01", quantity: 1, price: 25.99},
{_time: "2021/01/20 11:56", clientip:"198.51.100.255", action: "changequantity", pid: "PZ-SG-G05", quantity: 2, price: 4.99},
{_time: "2021/01/20 11:51", clientip:"192.0.2.0", action: "purchase", pid: "SF-BVS-01", quantity: 1, price: 49.99},
{_time: "2021/01/20 11:47", clientip:"198.51.100.0", action: "purchase", pid: "SF-BVS-G01", quantity: 1, price: 26.99},
{_time: "2021/01/20 11:42", clientip:"192.0.2.0", action: "purchase", pid: "WC-SH-T02", quantity: 2, price: 19.99},
{_time: "2021/01/20 11:39", clientip:"198.51.100.0", action: "purchase", pid: "PZ-SG-G05", quantity: 1, price: 4.99}]

See also

Related information
Datasets
Functions
repeat dataset function
Last modified on 22 July, 2021

This documentation applies to the following versions of Splunk® Cloud Services: current
