Compatibility Quick Reference for SPL2 evaluation functions
An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.
The following table shows which SPL2 evaluation functions are supported for each product profile:
| Supported functions and syntax | Description | splunkd 1 profile |
edge Processor profile |
ingest Processor profile |
|---|---|---|---|---|
| abs(<num>) | Returns the absolute value of a number. | Yes | Yes | Yes |
| acos(<x>) | Computes the arc cosine of x.
|
Yes | Yes | Yes |
| acosh(<x>) | Computes the arc hyperbolic cosine of x.
|
Yes | Yes | Yes |
| asin(<x>) | Computes the arc sine of x.
|
Yes | Yes | Yes |
| asinh(<x>) | Computes the arc hyperbolic sine of x.
|
Yes | Yes | Yes |
| atan(<x>) | Computes the arc tangent of x.
|
Yes | Yes | Yes |
| atan2(<y>,<x>) | Computes the arc tangent of y,x.
|
Yes | Yes | Yes |
| atanh(<x>) | Computes the arc hyperbolic tangent of x.
|
Yes | Yes | Yes |
| case(<condition>,<value>, ...) | Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. | Yes | Yes | Yes |
| ceiling(<num>)or ceil(<num>) | Rounds a number up to the next highest integer. | Yes | ||
| cidrmatch(<cidr>,<ip>) | Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. | Yes | Yes | Yes |
| cluster(<field>,<threshold>,<match>,<delims>) | Generates a cluster label, in the form of a number, for each event based on how similar the events are to each other. | Yes | ||
| coalesce(<values>) | Takes one or more values and returns the first value that is not NULL. | Yes | Yes | Yes |
| cos(<x>) | Computes the cosine of an angle of x radians.
|
Yes | Yes | Yes |
| cosh(<x>) | Computes the hyperbolic cosine of x radians.
|
Yes | Yes | Yes |
| exact(<expression>) | Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output. | Yes | ||
| exp(<num>) | Returns the exponential function eX of a number.
|
Yes | Yes | Yes |
| filter(<values>, <predicate>) | Iterates over the values in a JSON array and copies the values that match the specified <predicate> into a new array. | Yes | Yes | Yes |
| floor(<num>) | Rounds a number down to the nearest whole integer. | Yes | ||
| hypot(<x>,<y>) | Computes the hypotenuse of a triangle. | Yes | Yes | Yes |
| if(<predicate>,<true_value>,<false_value>) | If the <predicate> expression evaluates to TRUE, returns the <true_value>. Otherwise the function returns the <false_value>.
|
Yes | Yes | Yes |
| in(<value>,<list>) | Returns TRUE if one of the values in the list matches a value that you specify. | Yes | Yes | Yes |
| ipmask(<mask>,<IP>) | Generates a new masked IP address by applying a mask to a IPv4 address. | Yes | Yes | Yes |
| isbool(<value>) | Returns TRUE if the value is Boolean. | Yes | Yes | Yes |
| isint(<value>) | Returns TRUE if the value is an integer. | Yes | Yes | Yes |
| isnotnull(<value>) | Returns TRUE if the value is not NULL. | Yes | Yes | Yes |
| isnull(<value>) | Returns TRUE if the value is NULL. | Yes | Yes | Yes |
| isnum(<value>) | Returns TRUE if the value is a number. | Yes | Yes | Yes |
| isstr(<value>) | Returns TRUE if the value is a string. | Yes | Yes | Yes |
| json_append(<json>, <path_value_pairs>) | Appends elements to the contents of a valid JSON object. | Yes | Yes | Yes |
| json_array(<values>) | Creates a JSON array using a list of values. | Yes | Yes | Yes |
| json_array_to_mv(<json_array>, <boolean>) | Maps the elements of a JSON array to a multivalued field. | Yes | Yes | Yes |
| json_extend(<json>, <path_value_pairs>) | Extends the contents of a valid JSON object with the values of an array. | Yes | Yes | Yes |
| json_extract(<field>,<paths>) | Returns a value from a field and zero or more paths. The value is returned in either a JSON array, or a Splunk software native type value. | Yes | Yes | Yes |
| json_extract_exact(<json>, <keys>) | Returns Splunk software native type values from a piece of JSON by matching literal strings in the event and extracting the strings as keys. | Yes | Yes | Yes |
| json_keys(<json>) | Returns the keys from the key-value pairs in a JSON object. The keys are returned as a JSON array. | Yes | Yes | Yes |
| json_object(<key>,<value>,...) | Creates a new JSON object from members of key-value pairs. | Yes | Yes | Yes |
| json_set(<field>,<path_value_pairs>) | Inserts or overwrites values for a JSON node with the path and value pairs provided and returns an updated JSON object. | Yes | Yes | Yes |
| json_set_exact(<json>, <key_value_pairs>) | Generates or overwrites a JSON object using the key-value pairs specified. | Yes | Yes | Yes |
| json_valid(<field>) | Evaluates whether a JSON object uses valid JSON syntax and returns either TRUE or FALSE. | Yes | Yes | Yes |
| len(<str>) | Returns the character length of a string. | Yes | Yes | Yes |
| like(<str>,<pattern>) | Returns TRUE if the string value matches the pattern. | Yes | Yes | Yes |
| ln(<num>) | Returns the natural logarithm of a number. | Yes | Yes | Yes |
| log(<num>,<base>) | Returns the logarithm of a number using a base. The base is optional, and if omitted the log function uses base 10. | Yes | Yes | Yes |
| lower(<str>) | Converts a string to lowercase. | Yes | Yes | Yes |
| ltrim(<str>,<trim_chars>) | Removes the trim characters from the left side of the string. | Yes | Yes | Yes |
| map(<values>, <mapper>) | Iterates over the values in a JSON array and performs an operation on each value in the array. | Yes | Yes | Yes |
| match(<str>,<regex>) | Returns TRUE if the regular expression finds a match against any substring of the string value. Otherwise returns FALSE. | Yes using PCRE |
Yes using RE2 |
Yes using RE2 |
| max(<values>) | Returns the maximum of the string or numeric values. | Yes | ||
| md5(<str>) | Computes and returns the MD5 hash of a string value. | Yes | Yes | Yes |
| min(<values>) | Returns the minimum of the string or numeric values. | Yes | ||
| mvappend(<values>) | Returns a single multivalue result from a list of values. | Yes | Yes | Yes |
| mvcount(<mv>) | Returns the count of the number of values in the specified multivalue field. | Yes | Yes | Yes |
| mvdedup(<mv>) | Removes all of the duplicate values from a multivalue field. | Yes | Yes | Yes |
| mvfilter(<predicate>) | Filters a multivalue field based on a predicate expression. The expression can reference only one field. | Yes | ||
| mvfind(<mv>,<regex>) | Returns the index for the first value in a multivalue field that matches a regular expression. | Yes | Yes | Yes |
| mvindex(<mv>,<start>,<end>) | Returns a subset of the multivalue field using the start and end index values. | Yes | Yes | Yes |
| mvjoin(<mv>,<delim>) | Concatenates the individual values within the multivalue field using the value of the delimiter as a separator. | Yes | Yes | Yes |
| mvrange(<start>,<end>,<step>) | Creates a multivalue field based on a range of specified numbers. | Yes | Yes | Yes |
| mvsort(<mv>) | Returns the values of a multivalue field sorted lexicographically. | Yes | ||
| mvzip(<mv_left>,<mv_right>,<delim>) | Combines the values in two multivalue fields. Stitches together the first value in each field, then the second value in each field, and so on. The delimiter is used to specify a delimiting character to join each pair of values. | Yes | ||
| mv_to_json_array(<field>,<infer_types>) | Maps the elements of a multivalue field to a JSON array. | Yes | Yes | Yes |
| now() | Returns the time that the search was started. | Yes | ||
| null() | This function takes no arguments and returns NULL. | Yes | ||
| nullif(<value1>,<value2>) | Compares two values and returns NULL if <value1> = <value2>. Otherwise it returns <value1>. | Yes | ||
| object_to_array(<object>,<key>,<value>) | Converts data that is in an object format into an array format. | Yes | ||
| pi() | Returns the constant pi to 11 digits of precision. | Yes | Yes | Yes |
| pow(<num>,<exp>) | Returns a number to the power of the exponent. | Yes | Yes | Yes |
| printf(<format>,<values>) | Builds a string value, based on a string format and the values specified. | Yes | ||
| random() | Returns a pseudo-random integer ranging from 0 to 231-1. | Yes | Yes | Yes |
| reduce(<values>, <initialValue>, <accumulator>, <finalizer>) | Iterates over the values in a JSON array and performs an accumulation operation. | Yes | Yes | Yes |
| relative_time(<time>,<specifier>) | Takes a UNIX time and a relative time specifier and returns the UNIX time value of the specifier applied to the time. | Yes | Yes | Yes |
| replace(<str>,<regex>,<replacement>) | Substitutes the replacement string for every occurrence of the regular expression in the string. | Yes using PCRE |
Yes using RE2 |
Yes using RE2 |
| round(<num>,<precision>) | Returns a number rounded to the decimal places specified by the precision. The default is to round to an integer. | Yes | ||
| rtrim(<str>,<trim_chars>) | Removes the trim characters from the right side of the string. | Yes | Yes | Yes |
| searchmatch(<search_str>) | Returns TRUE if the event matches the search string. | Yes | ||
| sha1(<str>) | Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-1 hash function. | Yes | Yes | Yes |
| sha256(<str>) | Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-256 hash function. | Yes | Yes | Yes |
| sha512(<str>) | Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-512 hash function. | Yes | Yes | Yes |
| sigfig(<num>) | Rounds a number to the appropriate number of significant figures. | Yes | ||
| sin(<x>) | Computes the sine of x.
|
Yes | Yes | Yes |
| sinh(<x>) | Computes the hyperbolic sine of x.
|
Yes | Yes | Yes |
| spath(<value>,<path>) | Extracts information from the structured data formats XML and JSON. | Yes | Yes | Yes |
| split(<str>,<delim>) | Splits the string values on the delimiter and returns the string values as a multivalue field. | Yes | Yes | Yes |
| sqrt(<num>) | Returns the square root of a number. | Yes | Yes | Yes |
| strftime(<time>,<format>) | Takes a UNIX time value and renders the time as a string using the format specified. The UNIX time must be in seconds. | Yes | Yes | Yes |
| strptime(<str>,<format>) | Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format. | Yes | Yes | Yes |
| substr(<str>,<start>,<length>) | Returns a substring of a string, beginning at the start index. The length of the substring specifies the number of characters to return. | Yes | Yes | Yes |
| tan(<x>) | Computes the tangent of x.
|
Yes | Yes | Yes |
| tanh(<x>) | Computes the hyperbolic tangent of x.
|
Yes | Yes | Yes |
| time() | Returns the wall-clock time, in the UNIX time format, with microsecond resolution. | Yes | Yes | Yes |
| tojson(<internal_fields>) | Returns a JSON object representation of events or search results. | Yes | Yes | Yes |
| tonumber(<str>,<base>) | Converts a string to a number. The base is optional. If not specified, base 10 is used. | Yes | Yes | Yes |
| tostring(<value>,<format>) | Converts a value to a string using the specified format. | Yes | Yes | Yes |
| trim(<str>,<trim_chars>) | Removes the trim characters from both sides of the string. | Yes | Yes | Yes |
| typeof(<value>) | Returns a string that indicates the field type, such as Number, String, Boolean, and so forth. | Yes | ||
| upper(<str>) | Returns a string in uppercase. | Yes | Yes | Yes |
| urldecode(<url>) | Returns a URL as an unescaped or decoded URL string. | Yes | ||
| validate(<condition>,<value>,...) | Takes a list of conditions and values and returns the value that corresponds to the condition that evaluates to FALSE. This function defaults to NULL if all conditions evaluate to TRUE. | Yes |
1 The splunkd profile is currently used by the Splunk Enterprise SPL2-based app development beta and the Search tab of the Edge Processor solution.
See also
- Additional compatibility information
- Compatibility Quick Reference for SPL2 commands
- SPL2 compatibility profiles
- Edge Processor information
- SPL2 evaluation functions for Edge Processor pipelines
- Regular expression syntax for Edge Processor pipelines
- Ingest Processor information
- SPL2 evaluation functions for Ingest Processor pipelines
- Regular expression syntax for Ingest Processor pipelines
- SPL2 information
- Quick Reference for SPL2 eval functions
- Understanding SPL2 Syntax
Last modified on 09 October, 2024
| Compatibility Quick Reference for SPL2 commands | Compatibility library for SPL commands as functions |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!