This command is experimental and not currently supported by Splunk.
Similar to Python's reduce function over all the search results.
reducepy <python code:init> loop <python code:looping code> [by <field-list>]
- Syntax: <init code>
- Description: Specify initialization code to run.
- Syntax: loop <looping code>
- Description: Specify the looping code to run for each search result.
- by clause
- Syntax: by <field-list>
- Description: Returns search results unique to the values of the specified field(s).
Similar to Python's reduce function, this command applies looping code over each search result. It runs the initialization code, and then runs the looping code for each search result. The output is a search result with the final values of all the variables defined. If there is a by-clause, each unique set of field values has its own local variable space and outputs its own search result with the final values of all the variables defined.
The command keeps an internal 'count' variable that tracks the number of results. It makes packages for the most common operations available to the code, such as re, sys, math, random, datetime, time, xml, lxml, StringIO, lxml.etree, platform, hashlib, difflib, base64, xml.sax.saxutils, etree. It does not allow Python expressions containing "open", "write", "read", or "import".
Example 1: Returns a search result for each unique source with a 'sum' field of the sum of all _times.
... | reducepy sum=0 loop sum += int(_time) by source
Example 2: Returns a search result for each unique source and host with an 'rsum' field of the sum of ratios of _times to the current time.
... | reducepy rsum=0 loop rsum += int(_time) / time.time() by source,host
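The semantics described above (initialization code, looping code, a separate variable space per by-group, the 'count' variable, and the rejected strings) can be modelled in a few lines of Python. This is an added example, not Splunk's implementation: the function names and sample events are constructed, and it assumes that "containing" means a plain substring match and that 'count' is kept per by-group.

```python
import time

# Strings the page says are rejected in reducepy code.
BLOCKED = ("open", "write", "read", "import")

def check(code):
    # Assumption: "containing" means a plain substring match on the source text.
    for word in BLOCKED:
        if word in code:
            raise ValueError("blocked string %r in %r" % (word, code))

def reducepy(results, init, loop, by=()):
    """Model of: reducepy <init> loop <loop> [by <field-list>]."""
    check(init)
    check(loop)
    init_code = compile(init, "<init>", "exec")
    loop_code = compile(loop, "<loop>", "exec")
    groups = {}  # by-values -> that group's own variable space
    for row in results:
        key = tuple(row.get(f) for f in by)
        if key not in groups:
            # Assumption: 'count' is tracked per group, like other variables.
            groups[key] = {"count": 0}
            exec(init_code, {"time": time}, groups[key])
        space = groups[key]
        space["count"] += 1
        # Fields are readable as names (as _time is in Example 1) but kept
        # out of the group's variable space so they do not appear in output.
        exec(loop_code, dict(row, time=time), space)
    # One output row per group: the by-fields plus the final variables.
    return [dict(zip(by, key), **space) for key, space in groups.items()]

# Constructed sample events, not real Splunk output.
SAMPLE = [
    {"_time": "100", "source": "a.log", "bytes_read": "7"},
    {"_time": "200", "source": "b.log", "bytes_read": "9"},
    {"_time": "50", "source": "a.log", "bytes_read": "1"},
]

def example_1():
    # Mirrors Example 1: sum of _time per unique source.
    return reducepy(SAMPLE, "sum=0", "sum += int(_time)", by=("source",))

def field_name_rejected():
    # Under the substring assumption, a field named bytes_read trips "read".
    try:
        reducepy(SAMPLE, "n=0", "n += int(bytes_read)")
    except ValueError:
        return True
    return False
```

In this model the string check is the only restriction applied to the code, and under the substring assumption it also rejects ordinary field names such as bytes_read.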
This documentation applies to the following versions of Splunk® Enterprise: 4.3