Splunk® Cloud Services

SPL2 Search Reference

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Text functions

The following list contains the functions that you can use with string values.

For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.

len(<str>)

This function returns the character length of a string.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic example

This example returns the character length of the values in the categoryId field for each result.

... | eval n=len(myfield)

lower(<str>)

This function returns a string in lowercase.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic example

The following example returns the values in the username field in lowercase.

... | eval username=lower(username)

ltrim(<str>,<trim_chars>)

This function removes characters from the left side of a string.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The <trim_chars> argument is optional. If not specified, spaces and tabs are removed from the left side of the string.

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value returned is abcZZ .

... | eval x=ltrim(" ZZZZabcZZ ", " Z")

replace(<str>,<regex>,<replacement>)

This function substitutes the replacement string for every occurrence of the regular expression in the string.

Usage

The <str> argument can be the name of a string field or a string literal.

The <replacement> argument can also reference groups that are matched in the <regex using perl-compatible regular expressions (PCRE) syntax.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

To replace a backslash ( \ ) character, you must escape the backslash twice. This is because the replace function occurs inside an eval expression. The eval expression performs one level of escaping before passing the regular expression to PCRE. Then PCRE performs its own escaping.

The Edge Processor solution supports Regular Expression 2 (RE2) syntax instead of PCRE syntax. In particular RE2 and PCRE accept different syntax for named capture groups. See Regular expression syntax for Edge Processor pipelines in Use Edge Processors.


Basic example

The following example returns the values in the date field, with the month and day numbers switched. If the input is 1/14/2023 the return value would be 14/1/2023.

... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")

rtrim(<str>,<trim_chars>)

This function removes the trim characters from the right side of the string.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The <trim_chars> argument is optional. If not specified, spaces and tabs are removed from the right side of the string.

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the right side of the string. The value returned is ZZZZabc.

... | eval n=rtrim(" ZZZZabcZZ ", " Z")

spath(<value>,<path>)

Use this function to extract information from the structured data formats XML and JSON.

Usage

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

The <value> is an input source field.

The <path> is an spath expression for the location path to the value that you want to extract from.

  • If <path> is a literal string, you need to enclose the string in double quotation marks.
  • If <path> is a field name, with values that are the location paths, the field name doesn't need quotation marks. Using a field name for <path> might result in a multivalue field.


Basic example

The following example returns the values of locDesc elements from the _raw field..

... | eval locDesc=spath(_raw, "vendorProductSet.product.desc.locDesc")


The following example returns the hashtags from a twitter event.

index=twitter | eval output=spath(_raw, "entities.hashtags")

substr(<str>,<start>,<length>)

This function returns a substring of a string, beginning at the start index. The length of the substring specifies the number of character to return.

Usage

The <str> argument can be the name of a string field or a string literal.

The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.

The <length> is optional, and if not specified returns the rest of the string.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic example

The following example concatenates the first 3 letters in the word splendid with the last 3 letters in the word chunk:

... | eval n=substr("splendid", 1, 3) + substr("chunk", -3)

The result is the word splunk.

trim(<str>,<trim_chars>)

This function removes the trim characters from both sides of the string.

Usage

The <str> argument can be the name of a string field or a string literal.

The <trim_chars> argument is optional. If not specified, spaces and tabs are removed from both sides of the string.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left and right sides of the string. The value returned is abc.

... | eval n=trim(" ZZZZabcZZ ", " Z")

upper(<str>)

This function returns a string in uppercase.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic example

The following example returns the values in the username field in uppercase.

... | eval n=upper(username)

urldecode(<url>)

This function takes a URL string and returns the unescaped or decoded URL string.

Usage

The <url> argument can be the name of a string field or a string literal.

You can use this function with the eval and where commands, in the WHERE clause of the from command, and as part of evaluation expressions with other commands.

Basic example

The following example returns "http://www.splunk.com/download?r=header".

... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")

See also

Function information
Quick Reference for SPL2 eval functions
Overview of SPL2 eval functions
Naming function arguments in the SPL2 Search Manual
Last modified on 17 May, 2023
PREVIOUS
Statistical eval functions 		  NEXT
Trig and Hyperbolic functions

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters