This command is experimental and not currently supported by Splunk.
Similar to the eval operator, calls the python expression for each result, calculating the outfield. Uses python to evaluate.
mappy <outfield> = <python expression>
- Syntax: <field>
- Description: Specify a field name to save the output of the Python expression.
- python expression
- Syntax: <python expression>
- Description: An expression that uses a Python operation to calculate the result.
mappy command, which stands for 'map Py(thon)', is used similar to the eval operator. The difference is that
mappy uses the Python to evaluate the expression and calculate the output field.
It includes convenient packages for most common operations, such as re, sys, math, random, datetime, time, xml, lxml, StringIO, lxml.etree, platform, hashlib, difflib, base64, xml.sax.saxutils,etree. Does not allow Python expressions containing "open", "write", "read", or "import".
Example 1: Calculate math:
... | mappy score = int(_time) * random.randint(1,5)
Example 2: Similar to iconify:
... | mappy _icon = "hashlib.md5(_raw).hexdigest()"
Example 3: Data cleaning, make sure the value of the department field is one of the valid choices.
... | mappy department = "difflib.get_close_matches(department, ['engineering', 'marketing', 'sales'], cutoff=0)"
Example 4: Anonymize email addresses.
... | mappy _raw = "re.sub('(?i)([a-z0-9.-]+@[a-z0-9.-]+)', 'email@example.com', _raw)"
Example 5: Xpath extractions.
... | mappy author = etree.parse(StringIO.StringIO(_raw)).xpath("//bookstore/boot/@author")'
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the mappy command.
This documentation applies to the following versions of Splunk® Enterprise: 4.3