Splunk® Cloud Services

SPL2 Search Manual

Lambda expressions

In functions, you can use lambda expressions where you would specify function parameters. A lambda expression is like a function. In essence, you are using a lambda expression to pass a function as an argument into another function.

lambda expression syntax

The required syntax is in bold.

( [ $<parameter-name> [: <parameter-type>] [=<default-value>] ], ...)
->
<expression> | { <function-statements> }

You must specify either an expression or a function-statement.

Required arguments

parentheses
Syntax: ( )
Description: If only one parameter is specified, you can omit the parentheses. However, if no parameters or multiple parameters are specified the parentheses ( ) are required before the lambda symbol ( -> ).
lambda symbol
Syntax: ->
Description: The lambda symbol ( -> ) is used between the parameters and the expression.
expression
Syntax: <expression>
Description: An expression can be composed of literals, functions, fields, parameters, comparisons, and other expressions. See Types of expressions.
Example: $a = $a + 2.
Default: None
function-statements
Syntax: { [ $<variable-name> = <expression>; ... ] return <expression> }
Description: You can specify one or more function statements. There are two types of function statements: assignment statements and return statements. Assignment statements are variable-expression pairs.
Return statements consist of the keyword return followed by an expression. Expressions can be composed of literals, functions, fields, parameters, comparisons, and other expressions. See Types of expressions.
  • You can specify zero or more assignment statements.
  • You must specify only one return statement.
  • The return statement must be the last function statement specified.
The entire function statement must be enclosed in curly brackets { }.
When specifying multiple function-statements, either place each statement on a separate line or use a semi-colon ( ; ) between each statement.
Example: {$a = 1+2; $c = 3+4; return $a + $c}
Default: None

Optional arguments

default-value
Syntax: <default-value>
Description: A default value for the parameter. The value must be a constant, either a number or a string. The value can't be a field name. Users can override the default value by specifying the parameter with a value.
Example: $count: int=5
Default: None
parameter-name
Syntax: $<parameter-name>
Description: The name that you want to give to a parameter to use with the lambda expression. You can specify zero or more parameters. Separate multiple parameters with commas. Parameter names must start with a dollar sign ( $ ) followed by a letter or an underscore ( _ ) character and cannot contain spaces. When you specify a parameter name, you have the option to include a parameter type. The default parameter type is any.
Example: ($firstname, $surname, $age: int)
Default: None
parameter-type
Syntax: <parameter-type>
Description: The data type that the parameter accepts. This is the input data type. The default data type is any. See Built-in data types. If you specify a parameter type, you must separate the <parameter-name> and the <parameter-type> with a colon ( : ).
Example: ($ipaddress: string, $kbps: int)
Default: any

Syntax rules quick reference

The following table explains the syntax rules and includes examples:

Example Explanation Syntax rule
() -> 1 + 2 Return the result of 1 + 2. Parameters: If no parameter is specified, you must use parentheses ( ) where the parameter would be defined.
$a -> $a + 1


($a) -> $a + 1

Specify parameter $a and return the result of expression $a + 1. Parameters: When a single parameter is specified, you can omit or include the parentheses around the parameter.
($a, $b) -> $a + $b Specify multiple parameters, $a and $b. Return the result of expression $a + $b. Parameters: A comma-separated list of parameters is specified. You must use parentheses to enclose all of the parameters.
($a) -> $a + 1


($a) -> { return $a + 1 }

Specify parameter $a and return the result of expression $a + 1. Expressions: When a single expression is specified, you can omit or include the curly brackets { } around the expression.


If you use the curly brackets, you must use the return keyword, regardless of number of function statements specified.

($a, $b) -> { $z = $a + $b; return $z } Specify multiple parameters, $a and $b. Calculate function statement $z = $a + $b. Return the result of $z. Expressions: When a function statement in the form of <variable>=<expression> is specified, you must enclose the entire expression clause in curly brackets { }, regardless of number of function statements specified.


When you specify multiple function statements on the same line, you must separate the statements with a semi-colon ( ; ).

($a) -> { $c=$a*2; $d=$a*4; return $c+$d }






($a) -> {

$c=$a*2
$d=$a*4
return $c+$d

}

Specify one parameter and multiple assignment statements. Return the result of $c + $d. Expressions: When you specify multiple function statements on the same line, you must separate the statements with a semi-colon ( ; ).


If the function statements are on separate lines, you can omit the semi-colons.

Lambda expression shortcuts

You can omit everything before the lambda symbol ( -> ) in your lambda expression by using the $it parameter. The $it parameter is an implicit parameter that refers to the argument passed into the lambda expression.

$it + 2 is a shortcut for the lambda expression $it -> $it + 2

Consider the function literal function($it) {return $it.a}. You can write this function literal in a concise form as $it.a or as a lambda expression $it -> $it.a, where the return statement and other tokens are omitted.

JSON functions that expect lambda expressions

The following JSON functions expect lambda expressions:

  • any
  • all
  • filter
  • map
  • reduce

See JSON functions in the SPL2 Search Reference.

Examples

Multiply each value in an array by a specific number

The following example takes an array of values, in the form of a dataset literal, and multiplies each number in the array by two. 

from [{myNumbers: [1, 2, 3]} ]
| eval multiplied = map(myNumbers, $num -> $num * 2)

Normalize JSON

Sometimes you encounter JSON data that is formatted in such a way that Splunk platforms can't parse the JSON data. One example is data that consists of key-value pairs inside an array of objects where both the keys and values are stored as values. You can use lambda expressions to normalize JSON data.

The following search takes an array that consists of a set of objects. The search uses the eval command with the reduce function to pull the keys out of each object and place the results in a new field called "keyvals". The reduce function iterates over the values in a JSON array and performs an operation on each value in the array. 

$basic = from [{array:[{key:"one", n:1},{key:"two", n:2},
{key:"three", n:3}]}] 
| eval keyvals=reduce(array, {}, ($acc, $it) -> json_set_exact($acc, 
$it.key, $it.n))

Here is what occurs when the reduce function iterates over the values in the array:

Iteration Before the operation After the operation
1st iteration The $acc parameter is an empty object. The $it parameter is the first object {key:"one", n:1} The $acc parameter is now {"one",1}
2nd iteration The $acc parameter is {"one",1}. The $it parameter is the second object {key:"two", n:2}. The $acc parameter is now {"one",1}, {"two",2}.
3rd iteration The $acc parameter is {"one",1}, {"two",2}. The $it parameter is the third object {key:"three", n:3}. The $acc parameter is now {"one",1}, {"two",2}, {"three",3}.

The results look like this:

array keyvals
[{"key":"one","n":1},{"key":"two","n":2},{"key":"three","n":3}] {"one":1,"two":2,"three":3}

For more information about the reduce function, see JSON functions in the SPL2 Search Reference.

Apply a normalizer function to a URL

Consider the following function, which decodes and normalizes URLs: 

function normalizeDecodeURL($input: string, $beforeDecode: func, $afterDecode: func): string {
  $readyForDecode = $beforeDecode($input)
  $decoded = urldecode($readyForDecode)
  return $afterDecode($decoded)
}

This function defines three parameters:

  • $input accepts string values, which will be the URLs.
  • $beforeDecode must be a lambda expression.
  • $afterDecode must be a lambda expression.

The advantage of specifying lambda expressions for the function parameters is that you can customize the behavior of functions when you call the statements instead of hardcoding the behavior inside the function body.

The following example shows how the normalizeDecodeURL function is used in a search: 

$search1 = from main 
| eval decodedURL = normalizeDecodeURL(url, $raw -> trim($raw, " "), $decoded -> substr($decoded, 0, 100))

This search:

  • Creates a field called decodedURL
  • Uses the custom function normalizeDecodeURL
  • For the first function parameter, specifies a field in the events called url
  • For the second function parameter, specifies a lambda expression that takes the original URL and trims any spaces before and after the URL
  • For the third function parameter, specifies a lambda expression that takes the decoded URL and returns the first 100 characters of the URL string

See also

Related information
Types of expressions
Last modified on 30 October, 2024
Field templates in expressions   About Splunk regular expressions

This documentation applies to the following versions of Splunk® Cloud Services: current

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters