Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Evaluation functions

Use the evaluation functions to evaluate an expression, based on your events, and return a result. See the Quick reference section for the supported functions and their syntax.

Commands

You can use evaluation functions with the eval, fieldformat, and where commands, and as part of evaluation expressions.

Usage

  • All functions that accept strings can accept literal strings or any field. 
  • All functions that accept numbers can accept literal numbers or any numeric field.

String arguments

For most evaluation functions, when a string argument is expected, you can specify either an explicit string or a field name. The explicit string is denoted by double quotation marks. In other words, when the function syntax specifies a string you can specify any expression that results in a string. For example, name + "server".​

Nested functions

You can specify a function as an argument to another function.

In the following example, the cidrmatch function is used as the first argument in the if function.

... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")


The following example shows how to use the true() function to provide a default to the case function.

... | eval error=case(status == 200, "OK", status == 404, "Not found", true(), "Other")


Supported functions and syntax

The following table is a quick reference of the supported evaluation functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the table to learn more about each function examples, and to see examples.

Type of function Supported functions and syntax Description
Comparison and Conditional functions case(X,"Y",...) Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE.
cidrmatch("X",Y) Returns TRUE or FALSE based on whether an IP address matches a CIDR notation.
coalesce(X,...) This function takes an arbitrary number of arguments and returns the first value that is not NULL.
false() Returns FALSE.
if(X,Y,Z) If the condition X evaluates to TRUE, returns Y, otherwise returns Z.
in(VALUE-LIST) The function returns TRUE if one of the values in the list matches a value in the field you specify.
like(TEXT, PATTERN) Returns TRUE if TEXT matches PATTERN.
match(SUBJECT, "REGEX") Returns TRUE or FALSE based on whether REGEX matches SUBJECT
null() This function takes no arguments and returns NULL.
nullif(X,Y) This function is used to compare fields. The function takes two arguments, X and Y, and returns NULL if X = Y. Otherwise it returns X.
searchmatch(X) Use this function to return TRUE if the search string (X) matches the event.
true() Returns TRUE.
validate(X,Y,...) Use this function to return the string Y corresponding to the first expression X that evaluates to FALSE. This function is the opposite of the case function.
Conversion functions printf("format",arguments) Creates a formatted string based on a format description that you provide.
tonumber(NUMSTR,BASE) Converts a string to a number.
tostring(X,Y) Converts the input, such as a number or a Boolean value, to a string.
Cryptographic functions md5(X) Computes the md5 hash for the value X.
sha1(X) Computes the secure hash of a string value X based on the FIPS compliant SHA-1 hash function.
sha256(X) Computes the secure hash of a string value X based on the FIPS compliant SHA-256 hash function.
sha512(X) Computes the secure hash of a string value X based on the FIPS compliant SHA-512 hash function.
Date and Time functions now() Returns the time that the search was started.
relative_time(X,Y) Adjusts the time by a relative time specifier.
strftime(X,Y) Takes a UNIX time and renders it into a human readable format.
strptime(X,Y) Takes a human readable time and renders it into UNIX time.
time() The time that eval function was computed. The time will be different for each event, based on when the event was processed.
Informational functions isbool(X) Returns TRUE if the field value is Boolean.
isint(X) Returns TRUE if the field value is an integer.
isnotnull(X) Returns TRUE if the field value is not NULL.
isnull(X) Returns TRUE if the field value is NULL.
isnum(X) Returns TRUE if the field value is a number.
isstr(X) Returns TRUE if the field value is a string.
typeof(X) Returns a string that indicates the field type, such as Number, String, Boolean, and so forth
Mathematical functions abs(X) Returns the absolute value.
ceiling(X) Rounds the value up to the next highest integer.
exact(X) Returns the result of a numeric eval calculation with a larger amount of precision in the formatted output.
exp(X) Returns the exponential function eX.
floor(X) Rounds the value down to the next lowest integer.
ln(X) Returns the natural logarithm.
log(X,Y) Returns the logarithm of X using Y as the base. If Y is omitted, base 10 is used.
pi() Returns the constant pi to 11 digits of precision.
pow(X,Y) Returns X to the power of Y, XY.
round(X,Y) Returns X rounded to the amount of decimal places specified by Y. The default is to round to an integer.
sigfig(X) Rounds X to the appropriate number of significant figures.
sqrt(X) Returns the square root of the value.
Multivalue eval functions commands(X) Returns a multivalued field that contains a list of the commands used in X.
mvappend(X,...) Returns a multivalue result based on all of values specified.
mvcount(MVFIELD) Returns the count of the number of values in the specified field.
mvdedup(X) Removes all of the duplicate values from a multivalue field.
mvfilter(X) Filters a multivalue field based on an arbitrary Boolean expression X.
mvfind(MVFIELD,"REGEX") Finds the index of a value in a multivalue field that matches the REGEX.
mvindex(MVFIELD,STARTINDEX,ENDINDEX) Returns a set of values from a multivalue field described by STARTINDEX and ENDINDEX.
mvjoin(MVFIELD,STR) Takes all of the values in a multivalue field and appends them together delimited by STR.
mvrange(X,Y,Z) Creates a multivalue field with a range of numbers between X and Y, incrementing by Z.
mvsort(X) Returns the values of a multivalue field sorted lexicographically.
mvzip(X,Y,"Z") Takes two multivalue fields, X and Y, and combines them by stitching together the first value of X with the first value of field Y, then the second with the second, and so on.
split(X,"Y") Returns a mv field splitting X by the delimited character Y.
Statistical eval functions max(X,...) Returns the maximum of the string or numeric values.
min(X,...) Returns the minimum of the string or numeric values.
random() Returns a pseudo-random integer ranging from zero to 231-1.
Text functions len(X) Returns the count of the number of characters (not bytes) in the string.
lower(X) Converts the string to lowercase.
ltrim(X,Y) Trims the characters represented in Y from the left side of the string.
replace(X,Y,Z) Returns a string formed by substituting string Z for every occurrence of regex string Y in string X.
rtrim(X,Y) Returns X with the characters in Y trimmed from the right side.
spath(X,Y) Extracts a value from a structured data type (XML or JSON) in X based on a location path in Y.
substr(X,Y,Z) Returns a substring from X based on the starting position Y and the length Z.
trim(X,Y) Trims the characters represented in Y from both sides of the string X.
upper(X) Returns the string in uppercase.
urldecode(X) Replaces URL escaped characters with the original characters.
Trigonometry and Hyperbolic functions acos(X) Computes the arc cosine of X.
acosh(X) Computes the arc hyperbolic cosine of X.
asin(X) Computes the arc sine of X.
asinh(X) Computes the arc hyperbolic sine of X.
atan(X) Computes the arc tangent of X.
atan2(X,Y) Computes the arc tangent of X,Y.
atanh(X) Computes the arc hyperbolic tangent of X.
cos(X) Computes the cosine of an angle of X radians.
cosh(X) Computes the hyperbolic cosine of X radians.
hypot(X,Y) Computes the hypotenuse of a triangle.
sin(X) Computes the sine of X.
sinh(X) Computes the hyperbolic sine of X.
tan(X) Computes the tangent of X.
tanh(X) Computes the hyperbolic tangent of X.

See also

Functions:
Statistical and charting functions

Commands:
eval
fieldformat
where

Splunk Answers

Have questions? Visit Splunk Answers and search for a specific function or command.

Last modified on 26 September, 2018
Splunk SPL for SQL users   Comparison and Conditional functions

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters