Quick Reference for SPL2 eval functions
There are two ways to find information about the supported evaluation functions:
Function list by category
The following table is a quick reference of the supported evaluation functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the Type of function column for more details and examples.
Type of function | Supported functions and syntax | Description |
---|---|---|
Comparison and Conditional functions | case(<condition>,<value>, ...)
|
Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. |
cidrmatch(<cidr>,<ip>)
|
Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. | |
coalesce(<values>)
|
Takes one or more values and returns the first value that is not NULL. | |
if(<predicate>,<true_value>,<false_value>)
|
If the <predicate> expression evaluates to TRUE, returns the <true_value>. Otherwise the function returns the <false_value>.
| |
in(<value>,<list>)
|
Returns TRUE if one of the values in the list matches a value that you specify. | |
like(<str>,<pattern>)
|
Returns TRUE if the string value matches the pattern. | |
match(<str>,<regex>)
|
Returns TRUE if the regular expression finds a match against any substring of the string value. Otherwise returns FALSE. | |
nullif(<value1>,<value2>)
|
Compares two values and returns NULL if <value1> = <value2>. Otherwise it returns <value1>.
| |
searchmatch(<search_str>)
|
Returns TRUE if the event matches the search string. | |
validate(<condition>,<value>,...)
|
Takes a list of conditions and values and returns the value that corresponds to the condition that evaluates to FALSE. This function defaults to NULL if all conditions evaluate to TRUE. | |
Conversion functions | ipmask(<mask>,<IP>)
|
Generates a new masked IP address by applying a mask to an IPv4 address. |
object_to_array(<object>,<key>,<value>)
|
Converts data that is in an object format into an array format. | |
printf(<format>,<values>)
|
Builds a string value, based on a string format and the values specified. | |
tojson(<internal_fields>)
|
Returns a JSON object representation of events or search results. | |
tonumber(<str>,<base>)
|
Converts a string to a number. The base is optional. If not specified, base 10 is used. | |
tostring(<value>,<format>)
|
Converts a value to a string using the specified format. | |
Cryptographic functions | md5(<str>)
|
Computes and returns the MD5 hash of a string value. |
sha1(<str>)
|
Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-1 hash function. | |
sha256(<str>)
|
Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-256 hash function. | |
sha512(<str>)
|
Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-512 hash function. | |
Date and Time functions | now()
|
Returns the time that the search was started. |
relative_time(<time>,<specifier>)
|
Takes a UNIX time and a relative time specifier and returns the UNIX time value of the specifier applied to the time. | |
strftime(<time>,<format>)
|
Takes a UNIX time value and renders the time as a string using the format specified. The UNIX time must be in seconds. | |
strptime(<str>,<format>)
|
Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format. | |
time()
|
Returns the wall-clock time, in the UNIX time format, with microsecond resolution. | |
Informational functions | cluster(<field>,<threshold>,<match>,<delims>)
|
Generates a cluster label, in the form of a number, for each event based on how similar the events are to each other. |
isbool(<value>)
|
Returns TRUE if the value is Boolean. | |
isint(<value>)
|
Returns TRUE if the value is an integer. | |
isnotnull(<value>)
|
Returns TRUE if the value is not NULL. | |
isnull(<value>)
|
Returns TRUE if the value is NULL. | |
isnum(<value>)
|
Returns TRUE if the value is a number. | |
isstr(<value>)
|
Returns TRUE if the value is a string. | |
typeof(<value>)
|
Returns the data type of the value, such as Number, String, Boolean, and so forth. | |
JSON functions | json_append(<json>,<path_value_pairs>)
|
Appends elements to the contents of a valid JSON object. |
json_array(<values>)
|
Creates a JSON array using a list of values. | |
json_array_to_mv(<json_array>,<boolean>)
|
Maps the elements of a JSON array to a multivalued field. | |
json_delete(<object>,<keys>)
|
Removes one or more keys and their corresponding values from the specified JSON object. | |
json_extend(<json>,<path_value_pairs>)
|
Extends the contents of a valid JSON object with the values of an array. | |
json_extract(<field>,<paths>)
|
Returns a value from a field and zero or more paths. The value is returned in either a JSON array, or a Splunk software native type value. | |
json_extract_exact(<json>,<keys>)
|
Returns Splunk software native type values from a piece of JSON by matching literal strings in the event and extracting the strings as keys. | |
json_keys(<json>)
|
Returns the keys from the key-value pairs in a JSON object. The keys are returned as a JSON array. | |
json_object(<key>,<value>,...)
|
Creates a new JSON object from members of key-value pairs. | |
json_set(<json>,<path_value_pairs>)
|
Inserts or overwrites values for a JSON node with the path and value pairs provided and returns an updated JSON object. | |
json_set_exact(<json>,<key_value_pairs>)
|
Generates or overwrites a JSON object using the key-value pairs specified. | |
json_valid(<field>)
|
Evaluates whether a JSON object uses valid JSON syntax and returns either TRUE or FALSE. | |
json(<value>)
|
Evaluates whether a value can be parsed as JSON. If the value is in a valid JSON format, the function returns the value. Otherwise, the function returns null. | |
all(<values>,<predicate>)
|
Iterates over the values in a JSON array and returns true if every value in the array matches the provided predicate. | |
any(<values>,<predicate>)
|
Iterates over the values in a JSON array and returns true if any value in the array matches the provided predicate. | |
filter(<values>,<predicate>)
|
Iterates over the values in a JSON array and copies the values that match the specified <predicate> into a new array. | |
map(<values>,<mapper>)
|
Iterates over the values in a JSON array and performs an operation on each value in the array. | |
reduce(<values>,<initialValue>,<accumulator>,<finalizer>)
|
Iterates over the values in a JSON array and performs an accumulation operation. | |
Mathematical functions | abs(<num>)
|
Returns the absolute value of a number. |
ceiling(<num>) or ceil(<num>)
|
Rounds a number up to the next highest integer. | |
exact(<expression>)
|
Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output. | |
exp(<num>)
|
Returns the exponential function e^X of a number.
| |
floor(<num>)
|
Rounds a number down to the nearest whole integer. | |
ln(<num>)
|
Returns the natural logarithm of a number. | |
log(<num>,<base>)
|
Returns the logarithm of a number using a base. The base is optional, and if omitted the log function uses base 10. | |
pi()
|
Returns the constant pi to 11 digits of precision. | |
pow(<num>,<exp>)
|
Returns a number to the power of the exponent. | |
round(<num>,<precision>)
|
Returns a number rounded to the decimal places specified by the precision. The default is to round to an integer. | |
sigfig(<num>)
|
Rounds a number to the appropriate number of significant figures. | |
sqrt(<num>)
|
Returns the square root of a number. | |
Multivalue eval functions | mvappend(<values>)
|
Returns a single multivalue result from a list of values. |
mvcount(<mv>)
|
Returns the count of the number of values in the specified multivalue field. | |
mvdedup(<mv>)
|
Removes all of the duplicate values from a multivalue field. | |
mvfilter(<predicate>)
|
Filters a multivalue field based on a predicate expression. The expression can reference only one field. | |
mvfind(<mv>,<regex>)
|
Returns the index for the first value in a multivalue field that matches a regular expression. | |
mvindex(<mv>,<start>,<end>)
|
Returns a subset of the multivalue field using the start and end index values. | |
mvjoin(<mv>,<delim>)
|
Concatenates the individual values within the multivalue field using the value of the delimiter as a separator. | |
mvrange(<start>,<end>,<step>)
|
Creates a multivalue field based on a range of specified numbers. | |
mvsort(<mv>)
|
Returns the values of a multivalue field sorted lexicographically. | |
mvzip(<mv_left>,<mv_right>,<delim>)
|
Combines the values in two multivalue fields. Stitches together the first value in each field, then the second value in each field, and so on. The delimiter is used to specify a delimiting character to join each pair of values. | |
mv_to_json_array(<field>,<infer_types>)
|
Maps the elements of a multivalue field to a JSON array. | |
split(<str>,<delim>)
|
Splits the string values on the delimiter and returns the string values as a multivalue field. | |
Statistical eval functions | max(<values>)
|
Returns the maximum of the string or numeric values. |
min(<values>)
|
Returns the minimum of the string or numeric values. | |
random()
|
Returns a pseudo-random integer ranging from 0 to 2^31-1. | |
Text functions | len(<str>)
|
Returns the character length of a string. |
lower(<str>)
|
Converts a string to lowercase. | |
ltrim(<str>,<trim_chars>)
|
Removes the trim characters from the left side of the string. | |
replace(<str>,<regex>,<replacement>)
|
Substitutes the replacement string for every occurrence of the regular expression in the string. | |
rtrim(<str>,<trim_chars>)
|
Removes the trim characters from the right side of the string. | |
spath(<value>,<path>)
|
Extracts information from the structured data formats XML and JSON. | |
substr(<str>,<start>,<length>)
|
Returns a substring of a string, beginning at the start index. The length of the substring specifies the number of characters to return. | |
trim(<str>,<trim_chars>)
|
Removes the trim characters from both sides of the string. | |
upper(<str>)
|
Returns a string in uppercase. | |
urldecode(<url>)
|
Returns a URL as an unescaped or decoded URL string. | |
Trigonometry and Hyperbolic functions | acos(<x>)
|
Computes the arc cosine of x.
|
acosh(<x>)
|
Computes the arc hyperbolic cosine of x.
| |
asin(<x>)
|
Computes the arc sine of x.
| |
asinh(<x>)
|
Computes the arc hyperbolic sine of x.
| |
atan(<x>)
|
Computes the arc tangent of x.
| |
atan2(<y>,<x>)
|
Computes the arc tangent of y, x.
| |
atanh(<x>)
|
Computes the arc hyperbolic tangent of x.
| |
cos(<x>)
|
Computes the cosine of an angle of x radians.
| |
cosh(<x>)
|
Computes the hyperbolic cosine of x radians.
| |
hypot(<x>,<y>)
|
Computes the hypotenuse of a triangle. | |
sin(<x>)
|
Computes the sine of x.
| |
sinh(<x>)
|
Computes the hyperbolic sine of x.
| |
tan(<x>)
|
Computes the tangent of x.
| |
tanh(<x>)
|
Computes the hyperbolic tangent of x.
|
Alphabetical list of functions
Supported functions and syntax | Description | Type of function |
---|---|---|
abs(<num>)
|
Returns the absolute value of a number. | Mathematical functions |
acos(<x>)
|
Computes the arc cosine of x.
|
Trigonometry and Hyperbolic functions |
acosh(<x>)
|
Computes the arc hyperbolic cosine of x.
|
Trigonometry and Hyperbolic functions |
all(<values>,<predicate>)
|
Iterates over the values in a JSON array and returns true if every value in the array matches the provided predicate. | JSON functions |
any(<values>,<predicate>)
|
Iterates over the values in a JSON array and returns true if any value in the array matches the provided predicate. | JSON functions |
asin(<x>)
|
Computes the arc sine of x.
|
Trigonometry and Hyperbolic functions |
asinh(<x>)
|
Computes the arc hyperbolic sine of x.
|
Trigonometry and Hyperbolic functions |
atan(<x>)
|
Computes the arc tangent of x.
|
Trigonometry and Hyperbolic functions |
atan2(<y>,<x>)
|
Computes the arc tangent of y, x.
|
Trigonometry and Hyperbolic functions |
atanh(<x>)
|
Computes the arc hyperbolic tangent of x.
|
Trigonometry and Hyperbolic functions |
case(<condition>,<value>, ...)
|
Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. | Comparison and Conditional functions |
ceiling(<num>) or ceil(<num>)
|
Rounds a number up to the next highest integer. | Mathematical functions |
cidrmatch(<cidr>,<ip>)
|
Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. | Comparison and Conditional functions |
cluster(<field>,<threshold>,<match>,<delims>)
|
Generates a cluster label, in the form of a number, for each event based on how similar the events are to each other. | Informational functions |
coalesce(<values>)
|
Takes one or more values and returns the first value that is not NULL. | Comparison and Conditional functions |
cos(<x>)
|
Computes the cosine of an angle of x radians.
|
Trigonometry and Hyperbolic functions |
cosh(<x>)
|
Computes the hyperbolic cosine of x radians.
|
Trigonometry and Hyperbolic functions |
exact(<expression>)
|
Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output. | Mathematical functions |
exp(<num>)
|
Returns the exponential function e^X of a number.
|
Mathematical functions |
filter(<values>,<predicate>)
|
Iterates over the values in a JSON array and copies the values that match the specified <predicate> into a new array. | JSON functions |
floor(<num>)
|
Rounds a number down to the nearest whole integer. | Mathematical functions |
hypot(<x>,<y>)
|
Computes the hypotenuse of a triangle. | Trigonometry and Hyperbolic functions |
if(<predicate>,<true_value>,<false_value>)
|
If the <predicate> expression evaluates to TRUE, returns the <true_value>. Otherwise the function returns the <false_value>.
|
Comparison and Conditional functions |
in(<value>,<list>)
|
Returns TRUE if one of the values in the list matches a value that you specify. | Comparison and Conditional functions |
ipmask(<mask>,<IP>)
|
Generates a new masked IP address by applying a mask to an IPv4 address. | Conversion functions |
isbool(<value>)
|
Returns TRUE if the value is Boolean. | Informational functions |
isint(<value>)
|
Returns TRUE if the value is an integer. | Informational functions |
isnotnull(<value>)
|
Returns TRUE if the value is not NULL. | Informational functions |
isnull(<value>)
|
Returns TRUE if the value is NULL. | Informational functions |
isnum(<value>)
|
Returns TRUE if the value is a number. | Informational functions |
isstr(<value>)
|
Returns TRUE if the value is a string. | Informational functions |
json_append(<json>,<path_value_pairs>)
|
Appends elements to the contents of a valid JSON object. | JSON functions |
json_array(<values>)
|
Creates a JSON array using a list of values. | JSON functions |
json_array_to_mv(<json_array>,<boolean>)
|
Maps the elements of a JSON array to a multivalued field. | JSON functions |
json_delete(<object>,<keys>)
|
Removes one or more keys and their corresponding values from the specified JSON object. | JSON functions |
json_extend(<json>,<path_value_pairs>)
|
Extends the contents of a valid JSON object with the values of an array. | JSON functions |
json_extract(<field>,<paths>)
|
Returns a value from a field and zero or more paths. The value is returned in either a JSON array, or a Splunk software native type value. | JSON functions |
json_extract_exact(<json>,<keys>)
|
Returns Splunk software native type values from a piece of JSON by matching literal strings in the event and extracting the strings as keys. | JSON functions |
json_keys(<json>)
|
Returns the keys from the key-value pairs in a JSON object. The keys are returned as a JSON array. | JSON functions |
json_object(<key>,<value>,...)
|
Creates a new JSON object from members of key-value pairs. | JSON functions |
json_set(<field>,<path_value_pairs>)
|
Inserts or overwrites values for a JSON node with the path and value pairs provided and returns an updated JSON object. | JSON functions |
json_set_exact(<json>,<key_value_pairs>)
|
Generates or overwrites a JSON object using the key-value pairs specified. | JSON functions |
json_valid(<field>)
|
Evaluates whether a JSON object uses valid JSON syntax and returns either TRUE or FALSE. | JSON functions |
json(<value>)
|
Evaluates whether a value can be parsed as JSON. If the value is in a valid JSON format, the function returns the value. Otherwise, the function returns null. | JSON functions |
len(<str>)
|
Returns the character length of a string. | Text functions |
like(<str>,<pattern>)
|
Returns TRUE if the string value matches the pattern. | Comparison and Conditional functions |
ln(<num>)
|
Returns the natural logarithm of a number. | Mathematical functions |
log(<num>,<base>)
|
Returns the logarithm of a number using a base. The base is optional, and if omitted the log function uses base 10. | Mathematical functions |
lower(<str>)
|
Converts a string to lowercase. | Text functions |
ltrim(<str>,<trim_chars>)
|
Removes the trim characters from the left side of the string. | Text functions |
map(<values>,<mapper>)
|
Iterates over the values in a JSON array and performs an operation on each value in the array. | JSON functions |
match(<str>,<regex>)
|
Returns TRUE if the regular expression finds a match against any substring of the string value. Otherwise returns FALSE. | Comparison and Conditional functions |
max(<values>)
|
Returns the maximum of the string or numeric values. | Statistical eval functions |
md5(<str>)
|
Computes and returns the MD5 hash of a string value. | Cryptographic functions |
min(<values>)
|
Returns the minimum of the string or numeric values. | Statistical eval functions |
mvappend(<values>)
|
Returns a single multivalue result from a list of values. | Multivalue eval functions |
mvcount(<mv>)
|
Returns the count of the number of values in the specified multivalue field. | Multivalue eval functions |
mvdedup(<mv>)
|
Removes all of the duplicate values from a multivalue field. | Multivalue eval functions |
mvfilter(<predicate>)
|
Filters a multivalue field based on a predicate expression. The expression can reference only one field. | Multivalue eval functions |
mvfind(<mv>,<regex>)
|
Returns the index for the first value in a multivalue field that matches a regular expression. | Multivalue eval functions |
mvindex(<mv>,<start>,<end>)
|
Returns a subset of the multivalue field using the start and end index values. | Multivalue eval functions |
mvjoin(<mv>,<delim>)
|
Concatenates the individual values within the multivalue field using the value of the delimiter as a separator. | Multivalue eval functions |
mvrange(<start>,<end>,<step>)
|
Creates a multivalue field based on a range of specified numbers. | Multivalue eval functions |
mvsort(<mv>)
|
Returns the values of a multivalue field sorted lexicographically. | Multivalue eval functions |
mvzip(<mv_left>,<mv_right>,<delim>)
|
Combines the values in two multivalue fields. Stitches together the first value in each field, then the second value in each field, and so on. The delimiter is used to specify a delimiting character to join each pair of values. | Multivalue eval functions |
mv_to_json_array(<field>,<infer_types>)
|
Maps the elements of a multivalue field to a JSON array. | Multivalue eval functions |
now()
|
Returns the time that the search was started. | Date and Time functions |
null()
|
This function takes no arguments and returns NULL. | Comparison and Conditional functions |
nullif(<value1>,<value2>)
|
Compares two values and returns NULL if <value1> = <value2>. Otherwise it returns <value1>. | Comparison and Conditional functions |
object_to_array(<object>,<key>,<value>)
|
Converts data that is in an object format into an array format. | Conversion functions |
pi()
|
Returns the constant pi to 11 digits of precision. | Mathematical functions |
pow(<num>,<exp>)
|
Returns a number to the power of the exponent. | Mathematical functions |
printf(<format>,<values>)
|
Builds a string value, based on a string format and the values specified. | Conversion functions |
random()
|
Returns a pseudo-random integer ranging from 0 to 2^31-1. | Statistical eval functions |
reduce(<values>,<initialValue>,<accumulator>,<finalizer>)
|
Iterates over the values in a JSON array and performs an accumulation operation. | JSON functions |
relative_time(<time>,<specifier>)
|
Takes a UNIX time and a relative time specifier and returns the UNIX time value of the specifier applied to the time. | Date and Time functions |
replace(<str>,<regex>,<replacement>)
|
Substitutes the replacement string for every occurrence of the regular expression in the string. | Text functions |
round(<num>,<precision>)
|
Returns a number rounded to the decimal places specified by the precision. The default is to round to an integer. | Mathematical functions |
rtrim(<str>,<trim_chars>)
|
Removes the trim characters from the right side of the string. | Text functions |
searchmatch(<search_str>)
|
Returns TRUE if the event matches the search string. | Comparison and Conditional functions |
sha1(<str>)
|
Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-1 hash function. | Cryptographic functions |
sha256(<str>)
|
Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-256 hash function. | Cryptographic functions |
sha512(<str>)
|
Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-512 hash function. | Cryptographic functions |
sigfig(<num>)
|
Rounds a number to the appropriate number of significant figures. | Mathematical functions |
sin(<x>)
|
Computes the sine of x.
|
Trigonometry and Hyperbolic functions |
sinh(<x>)
|
Computes the hyperbolic sine of x.
|
Trigonometry and Hyperbolic functions |
spath(<value>,<path>)
|
Extracts information from the structured data formats XML and JSON. | Text functions |
split(<str>,<delim>)
|
Splits the string values on the delimiter and returns the string values as a multivalue field. | Multivalue eval functions |
sqrt(<num>)
|
Returns the square root of a number. | Mathematical functions |
strftime(<time>,<format>)
|
Takes a UNIX time value and renders the time as a string using the format specified. The UNIX time must be in seconds. | Date and Time functions |
strptime(<str>,<format>)
|
Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format. | Date and Time functions |
substr(<str>,<start>,<length>)
|
Returns a substring of a string, beginning at the start index. The length of the substring specifies the number of characters to return. | Text functions |
tan(<x>)
|
Computes the tangent of x.
|
Trigonometry and Hyperbolic functions |
tanh(<x>)
|
Computes the hyperbolic tangent of x.
|
Trigonometry and Hyperbolic functions |
time()
|
Returns the wall-clock time, in the UNIX time format, with microsecond resolution. | Date and Time functions |
tojson(<internal_fields>)
|
Returns a JSON object representation of events or search results. | Conversion functions |
tonumber(<str>,<base>)
|
Converts a string to a number. The base is optional. If not specified, base 10 is used. | Conversion functions |
tostring(<value>,<format>)
|
Converts a value to a string using the specified format. | Conversion functions |
trim(<str>,<trim_chars>)
|
Removes the trim characters from both sides of the string. | Text functions |
typeof(<value>)
|
Returns a string that indicates the field type, such as Number, String, Boolean, and so forth. | Informational functions |
upper(<str>)
|
Returns a string in uppercase. | Text functions |
urldecode(<url>)
|
Returns a URL as an unescaped or decoded URL string. | Text functions |
validate(<condition>,<value>,...)
|
Takes a list of conditions and values and returns the value that corresponds to the condition that evaluates to FALSE. This function defaults to NULL if all conditions evaluate to TRUE. | Comparison and Conditional functions |
See also
Overview of SPL2 eval functions | Comparison and Conditional functions |
This documentation applies to the following versions of Splunk® Cloud Services: current