Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

reducepy

This command is experimental and not currently supported by Splunk.

Synopsis

Similar to Python's reduce function over all the search results.

Syntax

reducepy <python code:init> loop <python code:looping code> [by <field-list>]

Required arguments

init
Syntax: <init code>
Description: Specify initialization code to run.
loop
Syntax: loop <looping code>
Description: Specify the looping to apply over each search result.

Optional arguments

by clause
Syntax: by <field-list>
Description: Returns search results unique to the values of the specified field(s).

Description

Similar to Python's reduce function, applying looping code over each search result. Runs the initialization code, and then for each search result runs the looping code. The output is a search result with the final values of all the variables defined. If there is a by-clause, each unique set of field values has it's own local variable space and outputs its own search result with the final values of all the variables defined.

There is an internal 'count' variable keeping track of the number of results. Includes convenient packages for most common operations, such as re, sys, math, random, datetime, time, xml, lxml, StringIO, lxml.etree, platform, hashlib, difflib, base64, xml.sax.saxutils, etree. Does not allow Python expressions containing "open", "write", "read", or "import".

Examples

Example 1: Returns a search result for each unique source with a 'sum' field of the sum of all _times.

... | reducepy sum=0 loop sum += int(_time) by source

Example 2: Returns a search result for each unique source and host with an 'rsum' field of the sum of ratios of _times to the current time.

... | reducepy rsum=0 loop rsum += int(_time) / time.time() by source,host

See also

extract, iconify, mappy, rex, xmlkv, xmlunescape, xpath

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the reducepy command.

PREVIOUS
mappy
  NEXT
runshellscript

This documentation applies to the following versions of Splunk® Enterprise: 4.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters