Splunk® Cloud Services

SPL2 Search Manual

Array and object literals in expressions

With SPL2, you can create an array or object literal using the eval command. You can also use array and object literals in your search expressions.

Array and object literals can include strings, numbers, and expressions.

Creating array literals

The following example shows how to create an array using string values:

... | eval greeting=["Hello", "Howdy"]

The following example shows an array literal that include numbers and the expression a+2:

... | eval a=10, value=[[1,2,3], a+2]

Creating object literals

The following example shows an object literal with string, number, and expression values:

… | eval obj = {a:"hello", b:[1,2], c:x+1, }

Specifying keys in an object literal

If the key doesn't contain special characters, you can specify the key with or without quotation marks.

… | eval obj = {a:"hello", b:[1,2], c:x+1, }

Even though there aren't quotations around the keys, valid JSON is always returned. This example produces a field called obj with this object as the field value {"a":"hello", "b":[1,2], "c":x+1}.

Likewise, the following keys all return the object literal { "greeting": "hello" }: 

{ greeting: "hello" }       // No quotation marks on the key
{ 'greeting': "hello" }     // Single quotation marks on the key
{ "greeting": "hello" }     // Double quotation marks on the key

However, if the key includes characters such as a space or dash, you must enclose the key in either single or double quotation marks. Basically any key that contains characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in quotation marks.

For example, if the key is informal greeting it must be enclosed in either single or double quotation marks: 

{ 'informal greeting': "g-day mate" }     // Single quotation marks on the key
{ "informal greeting": "g-day mate" }     // Double quotation marks on the key

Duplicate keys aren't supported in object literals

If an object literal contains duplicate keys, an error is returned.

For example, in the following object literal there are 2 keys that use the name a. Duplicate key names in object literals are not supported.

[{a: 10, a: 25}]

Creating array and object literals with the eval command

You can create a JSON array or object literal in a field using the eval command.

In the following example, a field called object is created in the first eval command. The field contains a JSON object with an embedded array. In the second eval command, the object field is then referenced in the json_delete function.

$search = from [{}] | eval object = {"name":"Wei Zhang", "SSN":"123-45-6789", "city":"Seattle", "accounts":["Hagal Quartz", "Caladan Water", "Arrakis Spices"]} | eval sales_account = json_delete(object, "SSN", "accounts")

See also

Types of expressions
Access expressions for arrays and objects
Array data types in the SPL2 Search Reference
Object data types in the SPL2 Search Reference
Last modified on 29 November, 2023
Search literals in expressions   Access expressions for arrays and objects

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters