String templates in expressions
A string template is a string literal that includes one or more embedded expressions. Use string templates when you want a more readable result for your formatted strings.
When a string template is resolved, the embedded expressions are replaced by the string representations of the expression results.
For more information about string literals and expressions, see Types of expressions.
Syntax
The syntax for an embedded expression starts with the dollar sign ( $ ) and uses curly braces { } to enclose the expression. For example: ${expression}.
Examples using field names in string templates
Consider the following data:
| status | host | action |
|---|---|---|
| 200 | www1 | purchase |
| 200 | www2 | purchase |
| 200 | www1 | addtocart |
| 200 | www2 | purchase |
| 400 | www1 | |
| 400 | www1 | purchase |
| 400 | www1 | addtocart |
| 403 | www2 | changequantity |
| 404 | www1 | view |
| 404 | www1 | purchase |
| 404 | www2 | changequantity |
| 404 | www3 | purchase |
The following search contains a string template with two expressions, ${status} and ${action}, with a string literal, with, between the expressions. The entire string literal must be enclosed in double quotation marks.
... | stats pivot("${status} with ${action}",count())
The results look like this:
| Single Value |
|---|
| {"200 with addtocart":1,"200 with purchase":3,"400 with Null":1,"400 with addtocart":1,"400 with purchase":1,"403 with changequantity":1,"404 with changequantity":1,"404 with purchase":2,"404 with view":1} |
Here's another example:
... | eval status_info="${host} with action ${action} returned ${status}"
The results look something like this:
| action | host | status | status_info |
|---|---|---|---|
| purchase | www1 | 200 | www1 with action purchase returned 200 |
| purchase | www2 | 200 | www2 with action purchase returned 200 |
| addtocart | www1 | 200 | www1 with action addtocart returned 200 |
| purchase | www2 | 200 | www2 with action purchase returned 200 |
| www1 | 400 | www1 with action Null returned 400 |
Examples using functions in string templates
You can specify functions in string template expressions.
Suppose you have fields that contain low and high values, such as those in the following table:
| day | low | high |
|---|---|---|
| sun | -3 | 18 |
| mon | -4 | 15 |
| tue | -4 | -1 |
| wed | 8 | 23 |
| thu | 10 | 30 |
| fri | 13 | 32 |
| sat | 9 | 21 |
You want to calculate the difference between the values and return the result as an absolute value. Here is an example using a string template with an eval command:
...| eval difference="Diff between ${low} and ${high} is ${abs(high - low)}"
The results look like this:
| day | difference | high | low |
|---|---|---|---|
| sun | Diff between -3 and 18 is 21 | 18 | -3 |
| mon | Diff between -4 and 15 is 19 | 15 | -4 |
| tue | Diff between -4 and -1 is 3 | -1 | -4 |
| wed | Diff between 8 and 23 is 15 | 23 | 8 |
| thu | Diff between 10 and 30 is 20 | 30 | 10 |
| fri | Diff between 13 and 32 is 19 | 32 | 13 |
| sat | Diff between 9 and 21 is 12 | 21 | 9 |
You can also use string templates in the SELECT clause of the from command.
For example, this search includes the avg function in a string template:
SELECT "Average: ${avg(price)}" as average_price_string FROM …
See also
- Types of expressions
- Overview of SPL2 eval functions in the SPL2 Search Reference
- Overview of SPL2 stats and chart functions in the SPL2 Search Reference
- When to escape characters
| Access expressions for arrays and objects | Field templates in expressions |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!