Splunk® Cloud Services

SPL2 Search Reference

Built-in data types

SPL2 supports a set of built-in data types, such as strings, numbers, Booleans, arrays, objects, time spans, relative times, and datasets. All of these data types have corresponding literal syntax that you can use to represent constants in SPL2 expressions. See Types of expressions in the SPL2 Search Manual.

SPL2 also supports user-defined custom data types. See Custom data types.

Quick reference for SPL2 built-in data types

The following quick reference describes and shows examples of the built-in SPL2 data types:

any
  The default data type used when a data type isn't specified. The value can be any supported data type.
  Examples:
    • "firstname"
    • -1d
    • 450925.123
    • {name:"Ticket to Ride", type:"competitive"}

array
  An ordered collection of values. The values in the array can be a mixture of data types.
  Example:
    • ["buttercup", "fluttershy", 3.15]

boolean
  A Boolean value of true or false. The value must be lowercase.
  Example:
    • true

dataset
  A collection of data that you want to use in an SPL2 statement.
  Examples:
    • main
    • [{day: "sun", temp: 65}, {day: "mon", temp: 42}, {day: "tue", temp: 40}, {day: "wed", temp: 31}, {day: "thu", temp: 47}, {day: "fri", temp: 53}, {day: "sat", temp: 64}]

double
  A double floating-point number. If you want to specify an integer as a double value instead of an int value, you must include the D suffix.
  Examples:
    • 56.11
    • 1.2e-3
    • 12D

float
  A floating-point number. The value must include the F suffix, or else it is assigned to the double or int types instead.
  Examples:
    • 3.14F
    • -1.2e5F
    • -27F

int
  An integer. The value can be any positive or negative whole number.
  Examples:
    • 365
    • -32

log_span
  A logarithm-based span value.
  Example:
    • 2log10

long
  A long integer. The value can be a positive or negative whole number. The value must include the L suffix, or else it is assigned to the int type instead.
  Example:
    • 1500000000000L

mv
  A multivalue. Each multivalue contains an ordered collection of values, which can be a mixture of data types and must be separated by line breaks.
  Examples:
    • Apples
      Bananas
      Oranges
    • Taylor Zhang
      21
      Part-time employee

number
  A numeric value. The value can be a whole number or a number with decimal places, and the number can be positive or negative.
  Examples:
    • -250
    • -12
    • 3.14
    • -1.23

object
  A structured object that is defined by one or more members, where each member is a key-value pair.
  Example:
    • {name:"Settlers of Catan", type:"competitive"}

regex
  A regular expression.
  Example:
    • /^[a-z][a-z0-9_]*/

relative_time
  A relative time value. See Specifying relative time in the SPL2 Search Manual.
  Example:
    • -10h@h

string
  A sequence of characters, which can include alphanumeric characters as well as special characters such as punctuation and spaces. The value must be enclosed in double quotation marks ( " ).
  Examples:
    • "surname"
    • "198.51.100.255"
    • "Number of bytes"

time
  A UNIX time value. See Timestamps and time ranges in the SPL2 Search Manual.
  Example:
    • 1618339153

time_span
  A time span. See Specifying time spans in the SPL2 Search Manual.
  Examples:
    • 10m
    • 1h
The following sections describe each of these data types in more detail.

any

The default data type that is used when a data type is not specified.

The value can be any supported data type.

array

An array is an ordered collection of values. The values in the array can be a mixture of data types. There is no way to declare a homogeneous array, that is, an array whose values must all be the same type.

The format of an SPL2 array is similar to a JSON array:

  • The array must be enclosed in square brackets ( [ ] ).
  • Each value in the array must be separated with a comma ( , ).
  • Each value in the array must meet the formatting requirements of its particular type. For example, if the value is a string, then it must be enclosed in double quotation marks ( " ). As another example, if the value is an object, then it must meet the formatting requirements described in the object section.

You can use expressions and constants for the values of SPL2 arrays.

Here are some array examples:

Type of values   Example
String values    ["Settlers of Catan","Terraforming Mars","Ticket to Ride"]
Objects          [{name: "Tower Bridge", length: 801}, {name: "Millennium Bridge", length: 1066}]
Expressions      [a+2, b-4]
                 For examples of the types of expressions you can use, see Types of expressions in the SPL2 Search Manual.
Mixed types      ["Settlers of Catan", 39.99, {category: "game", max_players: 4}]

For more information, see Array and object literals in expressions in the SPL2 Search Manual.

boolean

A Boolean value. The value must be either true or false in lowercase.

Uppercase, mixed case, and numeric equivalents such as 0 or 1 are not valid.

dataset

A collection of data.

Datasets are used differently in different product contexts:

  • In searches, datasets contain the data that you want to search or the results of a search.
  • In Edge Processor or Ingest Processor pipelines, datasets can contain the following:
    • The data that the Edge Processor or Ingest Processor received
    • A lookup table that you want to use to enrich the data being processed by an Edge Processor
    • The processed data that you want to send to a destination

A dataset value can be the name of a dataset that's defined outside of the SPL2 statement, such as the name of an index in Splunk Cloud Platform. It can also be a dataset literal, which is an array of objects representing the dataset contents. For more information, see Datasets and Dataset literals in the SPL2 Search Manual.

double

A double floating-point number.

You can express double values in exponent notation using either an uppercase E or a lowercase e. For example, 0.056, 5.6e-2, and 5.6E-2 are all valid double values.

If you want to store an integer as a double value instead of an int value, you must include the D suffix. Otherwise, the D suffix is supported but optional. For example, the following eval command sets the value of x to 1.23 as a double value:

... | eval x = 1.23D

This next eval command achieves the same result:

... | eval x = 1.23

However, the D suffix is required if you want to set x to 50 as a double value instead of an int value, as demonstrated by the following eval command:

... | eval x = 50D

float

A signed 4-byte (32-bit) floating-point number.

You can choose to express float values as exponents using either an uppercase E or lowercase e. For example, 12000F, 1.2e4F, and 1.2E4F are all valid float values.

A float value must include the F suffix, or else it is assigned to the double or int types instead. For example, the following eval command sets the value of x to 0.345 as a float value:

... | eval x = 0.345F

int

An integer. The value can be a positive or negative whole number.

The int data type works differently in different product contexts:

  • The Splunk platform supports 53-bit integers.
  • The Edge Processor and Ingest Processor solutions support 64-bit integers.

Here are some examples of int values:

  • 10
  • -32000
  • 1976

log_span

A logarithm-based span that consists of a coefficient and a base.

  • The first number is the coefficient. It must be a real number that is greater than or equal to 1.0 and less than the base.
  • The second number is the base. It must be an integer that is greater than 1.

Here are some log_span examples:

  • 2log10
  • 7log12
  • 1.5log10

long

A signed 8-byte (64-bit) integer. The value can be a positive or negative whole number.

A long value must include the L suffix, or else it is assigned to the int type instead.

Here are some examples of long values:

  • 1600000000L
  • 24L
  • -370000000L

The following is an example of an eval command that sets the value of x to 2147483647 as a long value:

... | eval x = 2147483647L

mv

A multivalue, which is an entity containing an ordered collection of values.

The values in the collection can be a mixture of data types, and each value must be separated by a line break.

Here are some multivalue examples:

  • In the following events, the employee_record field contains multivalues indicating the name, age, and employment status of each employee in the company.

    id     employee_record
    13078  Charlie Garcia
           25
           Full-time employee
    13079  Taylor Zhang
           21
           Part-time employee

  • In this next set of events, the hosts field contains multivalues indicating the IP addresses and host names for a given software development environment:

    environment  hosts
    test         localhost
                 192.168.1.1
    staging      192.123.1.2
                 193.101.125.3
    production   198.100.225.1
                 198.100.225.2

number

Any numeric value. The value can contain numeric characters, the decimal separator ( . ), and the minus sign ( - ) for negative values, as well as the exponent notation and the D, F, and L type suffixes described in the sections on the double, float, and long types.

The number type is a union type that combines the double, float, int, and long types. Each valid number value also matches one of these more specific types. For example:

  • 32 is a number and also an int.
  • -2.178 is a number and also a double.

When working with numbers in SPL2, you don't need to specify the type or precision of the number. This is because SPL2 handles numbers dynamically, and can interpret numbers as int, long, double, or float values as necessary for a given operation. However, if desired, you can still choose to specify the type and precision of a number:

  • To specify a number as a double, float, or long, include the appropriate suffix in the value. See the sections about the double, float, and long types in this topic for more information.
  • If a whole number does not have a suffix, it is interpreted as an int value.

For example, the following eval command sets the x, y, and z fields to the numbers 10, 1231232.123, and -25, respectively. 10 and -25 are both interpreted as int values, while 1231232.123 is interpreted as a double value.

... | eval x = 10, y = 1231232.123, z = -25

As another example, you can include suffixes so that 10 is interpreted as a double value and -25 is interpreted as a long value:

... | eval x = 10D, y = 1231232.123, z = -25L
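The suffix rules from the double, float, int, long, and number sections, implemented as a small classifier. This is an added example in Python, not Splunk code: it takes one numeric literal token of the kind that appears on the right of an eval assignment and reports the type the rules on this page assign to it, and it refuses an unsuffixed whole number that does not fit the 53-bit int width the page gives for the Splunk platform (64-bit for Edge Processor and Ingest Processor). The regular expression, the function names, the exact range boundaries, and the decision to accept only a minus sign are this example's own assumptions.

```python
import re

# Integer widths this topic gives for int: 53-bit on the Splunk platform,
# 64-bit on Edge Processor and Ingest Processor. Reading those as signed
# ranges of +/-(2^53 - 1) and +/-(2^63 - 1) is an assumption of this example.
INT_LIMITS = {"platform": 2**53 - 1, "processor": 2**63 - 1}

# One numeric literal token: optional minus sign, digits with an optional
# fraction, an optional exponent, and an optional D, F or L type suffix.
_NUMERIC = re.compile(
    r"^(?P<body>-?\d+(?:\.\d+)?(?:[eE]-?\d+)?)(?P<suffix>[DFL]?)$"
)


def classify_numeric_literal(token: str, context: str = "platform"):
    """Return (type_name, value) for an SPL2 numeric literal using the rules
    in this topic: L -> long, F -> float, D -> double; with no suffix, a whole
    number is an int and anything with a decimal point or exponent is a double.
    `context` selects the int width: "platform" or "processor".
    Raises ValueError for malformed tokens, for an L suffix on a non-whole
    number, and for an unsuffixed whole number wider than the int type."""
    m = _NUMERIC.match(token.strip())
    if not m:
        raise ValueError(f"not a numeric literal: {token!r}")
    body, suffix = m.group("body"), m.group("suffix")
    is_whole = "." not in body and "e" not in body.lower()
    if suffix == "L":
        if not is_whole:
            raise ValueError(f"long must be a whole number: {token!r}")
        return "long", int(body)
    if suffix == "F":
        return "float", float(body)
    if suffix == "D":
        return "double", float(body)
    if is_whole:
        value = int(body)
        if abs(value) > INT_LIMITS[context]:
            raise ValueError(
                f"{token!r} exceeds the int range for {context}; add an L "
                f"suffix for a long or a D suffix for a double"
            )
        return "int", value
    return "double", float(body)


def is_valid_literal(token: str, context: str = "platform") -> bool:
    """True when `token` is a numeric literal the rules above accept."""
    try:
        classify_numeric_literal(token, context)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for tok in ("365", "50", "50D", "3.14F", "1.2e-3", "1500000000000L"):
        print(tok, "->", classify_numeric_literal(tok))
```

The range check is the part worth keeping in a real validator: a whole number such as 9007199254740993 is a syntactically fine literal, but on the Splunk platform it is wider than the int type, so the classifier makes the caller choose a suffix instead of silently accepting it.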

object

A structured object that is defined by one or more members, where each member is a key-value pair.

The format of a SPL2 object is similar to a JSON object:

  • The object must be enclosed in curly brackets ( { } ).
  • In a list of key-value pairs, separate each key-value pair with a comma ( , ).
  • For each key-value pair, separate the key from the value with a colon ( : ).
  • Key names that contain only a-z, A-Z, 0-9, or the underscore character ( _ ) don't need to be enclosed in quotation marks. However, key names that contain any other characters must be enclosed in either single quotation marks ( ' ) or double quotation marks ( " ).

    To ensure that the keys are JSON-compatible, Splunk software internally stores all key names with double quotation marks ( " ).

  • Values that are strings must be enclosed in double quotation marks ( " ).

For more information, see Array and object literals in expressions in the SPL2 Search Manual.

Here are some SPL2 object examples:

  • {name:"Golden Gate Bridge", length:8981, year_built:1933}
  • {type: "competitive", 'game-name': "Ticket to Ride"}

regex

A regular expression that matches patterns of characters.

The regex type works differently in different product contexts:

Here are some examples of regular expressions:

  • "(?<!\d)10\.\d{1,3}\.\d{1,3}\.\d{1,3}(?!\d)"
  • "^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,6})$"

relative_time

A time that is based on the current time, such as "5 minutes ago". You can use relative_time values when specifying the time range of a search.

The following is the accepted format for relative_time values: [+|-]<time_integer><time_unit>@<time_unit>

The @<time_unit> notation is optional.

For example, the value -1h indicates a relative time of "1 hour ago". If the current time is 3:45 PM, then -1h would resolve to 2:45 PM.

You can include the @<time_unit> notation to specify a "snap-to" time, which takes the relative time and rounds it down to the start of the time unit. For example, if the current time is 3:45 PM, then the value -1h@h would resolve to 2:00 PM.

For more information about relative time, see Specifying relative time in the SPL2 Search Manual.
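The offset-then-snap rule above, as an added example in Python (not Splunk code). resolve_relative_time parses the [+|-]<time_integer><time_unit>@<time_unit> form and resolves it against a supplied clock, and resolve_window builds the kind of earliest/latest pair a scheduled search uses and rejects an empty or inverted window. The constructed clock value, the restriction to the s, m, h, and d units, treating a missing sign as +, and the function names are all assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Units handled by this example: seconds, minutes, hours and days. The SPL2
# Search Manual defines more (for example weeks and months); they are left out.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

_RELATIVE = re.compile(
    r"^(?P<sign>[+-]?)(?P<n>\d+)(?P<unit>[smhd])(?:@(?P<snap>[smhd]))?$"
)

# Constructed clock used by the examples below (3:45:30 PM), standing in for "now".
SAMPLE_NOW = datetime(2024, 12, 19, 15, 45, 30)


def snap_down(moment: datetime, unit: str) -> datetime:
    """Round `moment` down to the start of `unit` (the @<time_unit> part)."""
    if unit == "s":
        return moment.replace(microsecond=0)
    if unit == "m":
        return moment.replace(second=0, microsecond=0)
    if unit == "h":
        return moment.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return moment.replace(hour=0, minute=0, second=0, microsecond=0)
    raise ValueError(f"unsupported snap-to unit: {unit!r}")


def resolve_relative_time(spec: str, now: datetime = SAMPLE_NOW) -> datetime:
    """Resolve [+|-]<time_integer><time_unit>[@<time_unit>] against `now`.

    The offset is applied first and the optional snap-to then rounds the
    result down, which is why -1h@h at 3:45 PM gives 2:00 PM, not 2:45 PM.
    Assumption of this example: a value with no sign is treated as +.
    """
    m = _RELATIVE.match(spec.strip())
    if not m:
        raise ValueError(f"not a relative_time value: {spec!r}")
    sign = -1 if m.group("sign") == "-" else 1
    seconds = sign * int(m.group("n")) * _UNIT_SECONDS[m.group("unit")]
    result = now + timedelta(seconds=seconds)
    if m.group("snap"):
        result = snap_down(result, m.group("snap"))
    return result


def resolve_window(earliest: str, latest: str, now: datetime = SAMPLE_NOW):
    """Resolve an earliest/latest pair to (start, end) and reject an empty or
    inverted window, a mistake that silently returns no events when the two
    values are typed the wrong way round."""
    start = resolve_relative_time(earliest, now)
    end = resolve_relative_time(latest, now)
    if start >= end:
        raise ValueError(f"window is empty or inverted: {earliest!r} .. {latest!r}")
    return start, end


if __name__ == "__main__":
    # The previous whole hour: the usual window for a scheduled search that
    # must not cut a bucket in half.
    print(resolve_window("-1h@h", "-0h@h"))
```

Snapping is done on a naive datetime here; in a real deployment the snap-to boundary depends on the time zone the search runs in, so a detection that keys on day boundaries should pin that zone explicitly rather than inherit it from the scheduler.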

string

A sequence of characters, which can include alphanumeric characters as well as special characters such as punctuation and spaces.

In SPL2, every string value must be enclosed in double quotation marks ( " ). For example, "Hello World" is a valid string, but Hello World is not.

If the string itself contains a reserved character such as a double quotation mark ( " ), then you must either escape the reserved character or format the string using raw string notation.

Escape sequences for reserved characters

SPL2 supports the following escape sequences for reserved characters in string values:

Reserved character                                       Escape sequence
Double quotation mark ( " )                              \"
Backslash ( \ )                                          \\
Backspace character                                      \b
Carriage return character                                \r
Form feed character                                      \f
Horizontal tab character                                 \t
Newline character                                        \n
Unicode character represented by a hexadecimal number    \u<hex_number>
  (for example, 0x41)                                      (for example, \u0x41)
${ as a literal sequence of characters                   \${

Using raw string notation

A raw string is a string that is interpreted literally, allowing most reserved characters to be included as is in the string itself. The only character that needs to be escaped is the double quotation mark ( " ). You can escape a double quotation mark ( " ) by specifying it twice ( "" ).

To specify a raw string, prefix the string value with an at symbol ( @ ).

Examples

The following examples demonstrate how a given string can be formatted as a regular SPL2 string literal and as a raw string:

String                     SPL2 string literal             Raw string
Hello                      "Hello"                         @"Hello"
Hello World                "Hello World"                   @"Hello World"
Maria said "Hello World"   "Maria said \"Hello World\""    @"Maria said ""Hello World"""
C:\Windows\System32        "C:\\Windows\\System32"         @"C:\Windows\System32"
Edge \"Case                "Edge \\\"Case"                 @"Edge \""Case"
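The escape table, raw string notation, and the array and object formatting rules from this topic, implemented together as an added Python example (not Splunk code). The point for anyone assembling an SPL2 statement from external input, for example an indicator copied from a ticket into a where clause, is that the value has to be encoded as a literal rather than pasted between quotation marks; otherwise a quotation mark or backslash in the input changes the meaning of the statement. Function names are this example's own; it leaves the \u<hex_number> escape out and passes non-ASCII text through unchanged, it renders Python float values as double literals, and the assumption that a field name in a where clause follows the same quoting rule as an object key is its own.

```python
import re
from typing import Any

# Escape sequences for regular (non-raw) string literals, from the table above.
_ESCAPES = {
    '"': '\\"',
    "\\": "\\\\",
    "\b": "\\b",
    "\r": "\\r",
    "\f": "\\f",
    "\t": "\\t",
    "\n": "\\n",
}

# Object keys made only of these characters may be written without quotation marks.
_BARE_KEY = re.compile(r"^[A-Za-z0-9_]+$")


def spl2_string(value: str, raw: bool = False) -> str:
    """Encode `value` as an SPL2 string literal.

    raw=False produces a regular literal "...", applying the escape table and
    writing a literal ${ sequence as \\${. raw=True produces raw string
    notation @"...", in which only the double quotation mark is escaped, by
    doubling it. Non-ASCII characters pass through unchanged (this example
    does not use the \\u<hex_number> escape).
    """
    if raw:
        return '@"' + value.replace('"', '""') + '"'
    out = []
    i = 0
    while i < len(value):
        if value.startswith("${", i):
            out.append("\\${")
            i += 2
            continue
        out.append(_ESCAPES.get(value[i], value[i]))
        i += 1
    return '"' + "".join(out) + '"'


def spl2_key(name: str) -> str:
    """Render an object key: bare when it contains only a-z, A-Z, 0-9 or _,
    otherwise single-quoted; a key that itself contains a single quotation
    mark falls back to a double-quoted string literal with the escape table."""
    if _BARE_KEY.match(name):
        return name
    if "'" in name:
        return spl2_string(name)
    return "'" + name + "'"


def spl2_literal(value: Any) -> str:
    """Render a Python value as the SPL2 literal of the matching built-in type:
    bool -> boolean, int -> int, float -> double, str -> string, list -> array,
    dict -> object. Any other type is rejected rather than stringified, so an
    unexpected value cannot smuggle syntax into a statement."""
    if isinstance(value, bool):  # checked before int: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        if value != value or value in (float("inf"), float("-inf")):
            raise ValueError("non-finite numbers have no SPL2 literal")
        # repr keeps a decimal point or exponent, so the token reads as a double
        return repr(value).replace("e+", "e")
    if isinstance(value, str):
        return spl2_string(value)
    if isinstance(value, list):
        return "[" + ", ".join(spl2_literal(v) for v in value) + "]"
    if isinstance(value, dict):
        members = (f"{spl2_key(k)}: {spl2_literal(v)}" for k, v in value.items())
        return "{" + ", ".join(members) + "}"
    raise TypeError(f"no SPL2 literal for {type(value).__name__}")


def where_equals(field: str, value: Any) -> str:
    """Build a `where <field> = <literal>` clause from an untrusted value so that
    quotation marks or backslashes in the value stay inside the string literal.
    Assumption of this example: the field name is quoted like an object key."""
    return f"where {spl2_key(field)} = {spl2_literal(value)}"


if __name__ == "__main__":
    print(where_equals("src_ip", '198.51.100.255" OR true OR "'))
```

The where_equals call at the bottom is the case to try first: the quotation marks inside the constructed value come out as \" and stay part of the string, instead of closing it and leaving OR true as live syntax.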

time

A UNIX time value. See Timestamps and time ranges in the SPL2 Search Manual.

Here are some time examples:

  • 1518632124
  • 1618339153

time_span

A time span that consists of an optional time unit and a timescale.

  • The time unit is an integer that designates the amount of time, such as 5 or 30. If you don't specify a time unit, then 1 is used by default. For example, the time_span value min represents 1 minute.
  • The timescale is a word or abbreviation that designates the time interval, such as seconds, minutes, or hours.

You can use time_span values to organize search results by time increments. For more information, see Specifying time spans in the SPL2 Search Manual.

Here are some time span examples:

  • 15s
  • 3m
  • h
  • 2mon
  • 1qtr

See also

Related information
Custom data types
Understanding SPL2 syntax
Last modified on 19 December, 2024

This documentation applies to the following versions of Splunk® Cloud Services: current

