Splunk® Cloud Services

SPL2 Search Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Dataset literals

A dataset literal is a dataset that you type into your search criteria, instead of specifying a dataset name. You can use a dataset literal anywhere you can specify a dataset name.

A dataset literal consists of an array of objects. Each object represents a row, typically an event or metric, in the dataset. Each property of that object represents a field and value.

The maximum length of a dataset literal is 30,000 characters.

Dataset literals are often used to test search syntax. They are also used in Splunk SPL2 documentation to illustrate examples.

Format of dataset literals

A dataset literal uses a format similar to a JSON array, with the exception of field names. The following list explains the format requirements for dataset literals:

  • Enclose dataset literals in square brackets ( [ ] ).
  • Enclose each object in the array in curly brackets ( { } ).
  • Separate each object with a comma, except for the last object.
  • In a list of field-value pairs, separate each field-value pair with a comma.
  • For each field-value pair, separate the field from the value with a colon.
  • If a field name contain characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character, enclose the field name in single quotation marks.
  • If a field value is a string, enclose the value in double quotation marks.

Here's an example:

[	
   { name: "Tower Bridge", length: 801, 'city and country': "London, England" },
   { name: "Rialto Bridge", length: 157, 'city and country': "Venice, Italy" },
   { name: "Golden Gate Bridge", length: 8981, 'city and country': "San Francisco, 
     United States" }
] 

Because the city and country field name contains spaces, the name is enclosed in single quotation marks.

For compatibility with JSON, field names in double quotation marks are accepted.

Empty dataset literals

You can specify an empty dataset literal using the from command to create an event. The event has only one field, _time, which contains a timestamp marking the time you created the event.

For example:

$search = FROM [{}]

You can also use the repeat dataset function to create events. See repeat dataset function in the SPL2 Search Reference.

Using dataset literals

You can create dataset literals using generating commands, such as from and union. You can also specify a dataset literal with the eval command

Using dataset literals with the from command

You can use the from and eval commands to create dataset literals.

When you use a dataset literal with the from command, each object in an array becomes an event in the dataset:

$search = FROM [ { state: "Washington", abbreviation: "WA", population: 7535591 }, { state: "California", abbreviation: "CA", population: 39557045 }, { state: "Oregon", abbreviation: "OR", population: 4190714 } ]

This search returns these results:

state abbreviation population
Washington WA 7535591
California CA 39557045
Oregon OR 4190714

Using dataset literals with the eval command

When you use the eval command to create events, the entire array becomes a single event:

$search = from [{}] | eval states= [ { state: "Washington", abbreviation: "WA", population: 7535591 }, { state: "California", abbreviation: "CA", population: 39557045 }, { state: "Oregon", abbreviation: "OR", population: 4190714 } ]

This search returns these results:

states
[{"state":"Washington","abbreviation":"WA","population":7535591 },{"state":"California","abbreviation":"CA", "population":39557045 },{"state":"Oregon","abbreviation":"OR","population":4190714}]

Using dataset literals with the union command

Suppose you want to merge events from several datasets, customers and orders. You also want to merge in information about vendors, which is not in a dataset. You can use a dataset literal for the vendor information. Here's an example of using a dataset literal with the union command:

$search = union customers, orders, [ { vendor: "Seals Gaming", city: "San Francisco", vendorID: 4120 }, { vendor: "Flyin Hawaiian Hobbyist", city: "Honolulu", vendorID: 1193 }, { vendor: "Mile High Games", city: "Denver", vendorID: 3115 }, { vendor: "Games of Portlandia", city: "Portland", vendorID: 1027 }, { vendor: "Capone Games", city: "Chicago", vendorID: 1159 } ]

The events from all three datasets, the two permanent datasets and the temporary dataset literal, are merged.


You can also create a JSON array or object literal in a field. See Creating array and object literals with the eval command.

Sample dataset literals

The following dataset literals are used in the examples in the SPL2 manuals. You can copy and paste these dataset literals into a search to experiment with SPL2 commands.

Product order information

This dataset literal contains a set of objects with key-value pairs with the timestamp, IP address, action, product ID, quantity, and price for a group of fictitious board games.

$events = from
[{_time: "2022/01/20 12:00", clientip: "192.0.2.0", action: "purchase", pid: "DC-SG-G02", quantity: 1, price: 39.99},
{_time: "2022/01/20 11:58", clientip:"", action: "addtochart", pid: "MB-AG-G07", quantity: 3, price: 27.99},
{_time: "2022/01/20 11:58", clientip:"203.0.113.0", action: "purchase", pid: "WC-SH-A01", quantity: 1, price: 25.99},
{_time: "202201/20 11:56", clientip:"198.51.100.255", action: "changequantity", pid: "PZ-SG-G05", quantity: 2, price: 4.99},
{_time: "2022/01/20 11:51", clientip:"192.0.2.0", action: "purchase", pid: "SF-BVS-01", quantity: 1, price: 49.99},
{_time: "2022/01/20 11:47", clientip:"198.51.100.0", action: "purchase", pid: "SF-BVS-G01", quantity: 1, price: 26.99},
{_time: "2022/01/20 11:42", clientip:"192.0.2.0", action: "purchase", pid: "WC-SH-T02", quantity: 2, price: 19.99},
{_time: "2022/01/20 11:39", clientip:"198.51.100.0", action: "purchase", pid: "PZ-SG-G05", quantity: 1, price: 4.99}]

Log in events

This dataset literal contains a set of failed login events.

$events = from 
[{_raw: "Wed Feb 14 2023 23:16:57 mailsv1 sshd[4590]: Failed password for apache from 78.111.167.117 port 3801 ssh2"},		
{_raw: "Wed Feb 14 2023 15:51:38 mailsv1 sshd[1991]: Failed password for grumpy from 76.169.7.252 port 1244 ssh2"},							
{_raw: "Mon Feb 12 2023 09:31:03 mailsv1 sshd[5800]: Failed password for invalid user noone from 66.69.195.226 port 2903 ssh2"},	
{_raw: "Sun Feb 11 2023 14:12:56 mailsv1 sshd[1565]: Failed password for invalid user noone from 187.231.45.62 port 1092 ssh2},	
{_raw: "Sun Feb 11 2023 07:09:29 mailsv1 sshd[3560]: Failed password for games from 187.231.45.62 port 3752 ssh2"},	
{_raw: "Sat Feb 10 2023 03:25:43 mailsv1 sshd[2442]: Failed password for invalid user admin from 211.166.11.101 port 1797 ssh2"},	
{_raw: "Fri Feb 09 2023 21:45:20 mailsv1 sshd[1689]: Failed password for invalid user guest from 222.41.213.238 port 2658 ssh2"},	
{_raw: "Fri Feb 09 2023 06:27:34 mailsv1 sshd[2226]: Failed password for invalid user noone from 199.15.234.66 port 3366 ssh2"},		
{_raw: "Fri Feb 09 2023 18:32:51 mailsv1 sshd[5710]: Failed password for agarcia from 209.160.24.63 port 1775 ssh2"},		
{_raw: "Thu Feb 08 2023 08:42:11 mailsv1 sshd[3202]: Failed password for invalid user noone from 175.44.1.172 port 2394 ssh2"}]

Hourly visitors

This dataset literal contains information about the number of visitors for each hour between 8 AM and 5 PM.

$visitors = from
[{hour: 0800, visitors: 0}, {hour: 0900, visitors: 212}, {hour: 1000, visitors: 367}, {hour: 1100, visitors: 489}, {hour: 1200, visitors: 624}, {hour: 1300, visitors: 609}, {hour: 1400, visitors: 492}, {hour: 1500, visitors: 513}, {hour: 1600, visitors: 367}, {hour: 1700, visitors: 337}]

Daily temperatures

This dataset literal contains temperatures for each day of the week.

$temperatures = from
[{day: "sun", temp: 65}, {day: "mon", temp: 42}, {day: "tue", temp: 40}, {day: "wed", temp: 31}, {day: "thu", temp: 47}, {day: "fri", temp: 53}, {day: "sat", temp: 64}]

Board games

This dataset literal contains a set of cooperative and competitive board games, with key-value pairs for game type and name.

$games = from
[{type: "cooperative", "name": "Forbidden Island"}, {type: "cooperative", "name": "Pandemic"}, {type: "cooperative", "name": "Sherlock Holmes: Consulting Detective"}, {type: "competitive", "name": "Settlers of Catan"}, {type: "competitive", "name": "Terraforming Mars"}, {type: "competitive", "name": "Ticket to Ride"}]

Empty events

You can create a set of events that have only a timestamp by using a dataset literal or using the repeat dataset function.

The dataset literal to create 10 events is:

$events = from
[{},{},{},{},{},{},{},{},{},{}]

See repeat dataset function in the SPL2 Search Reference.

Names, ages, and cities

This dataset literal contains a set of objects with key-value pairs with the name, age, and city for a group of fictitious people.

$people = from
[{"name": "Alex Martin", "age":25, "city": "San Francisco"}, {"name": "Wei Zhang", "age": 39, "city": "Seattle"}, {"name": "David Mayer", "age":31, "city": "Berlin"}, {"name": "Maria Dubois", "age":44, "city": "Paris"}, {"name": "Rutherford Sullivan", "age":57, "city": "Dublin"}, {"name": "Vanya Patel", "age": 47, "city": "Bangalore"}, {"name": "Claudia Garcia", "age":29, "city": "Austin"}]

Bridges by city

This dataset literal contains a nested set of values, first by city and then by bridge information.

$city_bridges = from
[{"cities": [{"name": "London","Bridges": [{ "name": "Tower Bridge", "length": 801 }, { "name": "Millennium Bridge", "length": 1066 }] }, {"name": "Venice", "Bridges": [{ "name": "Rialto Bridge", "length": 157 }, { "name": "Bridge of Sighs", "length": 36 }, { "name": "Ponte della Paglia" }] }, {"name": "San Francisco","Bridges": [{ "name": "Golden Gate Bridge", "length": 8981 }, { "name": "Bay Bridge", "length": 23556 }] } ] }]

You can use the built-in JSON functions to extract information from these nested values. See JSON functions in the SPL2 Search Reference.

Famous bridges by country

This dataset literal contains a nested set of arrays about some of the famous bridges around the world, organized by country.

$famous_bridges = from
[
{famous_bridges: [{name: "Forth Bridge", length: 8202, city: "South Queensferry"}, {name: "Gateshead Millennium Bridge", length: 413, city: "Gateshead"}, {name: "Clifton Suspension Bridge", length: 1352, city: "Bristol"}], country: "United Kingdom"},
{famous_bridges: [{name: "Rialto Bridge", length: 157, city: "Venice"}, {name: "Ponte Vecchio Bridge", length: 276, city: "Florence"}],
country: "Italy"},
{famous_bridges: [{name: "Helix Bridge", length: 918}], country: "Singapore"},
{famous_bridges: [{name: "Hangzhou Bay Bridge", length: 110880, city:"Jiaxing"}, {name: "Nanpu Bridge", length: 27381, city:"Shanghai"}],
country: "China"},
{famous_bridges: [{name: "Golden Gate Bridge", length: 8981, city:"San Francisco"}, {name: "Brooklyn Bridge", length: 6016, city:"New York City"}, {name: "Tilikum Crossing", length: 1700, city: "Portland"}], country: "United States"}
]

See also

Related information
Datasets
Functions
repeat dataset function in the SPL2 Search Reference
Last modified on 05 August, 2023
PREVIOUS
Datasets
  NEXT
Dataset functions

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters