Splunk® Enterprise

Search Reference

Download manual as PDF

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Download topic as PDF

Text functions

The following list contains the functions that you can use with string values.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

len(X)

Description

This function returns the character length of a string X.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

Suppose you have a set of results that looks something like this:


_time names
2020-01-09 16:35:14 buttercup
2020-01-09 16:35:14 rarity
2020-01-09 16:35:14 tenderhoof
2020-01-09 16:35:14 dash
2020-01-09 16:35:14 mistmane

You can determine the length of the values in the names field using the len function:

... | eval length=len(names)


The results show a count of the character length of the values in the names field:

_time length names
2020-01-09 16:35:14 9 buttercup
2020-01-09 16:35:14 6 rarity
2020-01-09 16:35:14 10 tenderhoof
2020-01-09 16:35:14 4 dash
2020-01-09 16:35:14 8 mistmane

lower(X)

Description

This function takes one string argument and returns the string in lowercase.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

You can use this function on multivalue fields.

Basic example

The following example returns the value provided by the field username in lowercase.

... | eval username=lower(username)


ltrim(X,Y)

Description

This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x="abcZZ ".

... | eval x=ltrim(" ZZZZabcZZ ", " Z")

replace(X,Y,Z)

Description

This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

To replace a backslash ( \ ) character, you must escape the backslash twice. This is because the replace function occurs inside an eval expression. The eval expression perform one level of escaping before passing the regular expression to PCRE. Then PCRE performs its own escaping. See SPL and regular expressions.

Basic example

The following example returns date, with the month and day numbers switched. If the input is 1/14/2017 the return value would be 14/1/2017.

... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")

rtrim(X,Y)

Description

This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns n="ZZZZabc".

... | eval n=rtrim(" ZZZZabcZZ ", " Z")


spath(X,Y)

Description

This function takes two arguments, an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

If Y is a literal string, it needs quotes, spath(X,"Y"). If Y is a field name (with values that are the location paths), it doesn't need quotes. This might result in a multivalued field. Read more about the spath command.

Basic example

The following example returns the values of locDesc elements.

... | eval locDesc=spath(_raw, "vendorProductSet.product.desc.locDesc")


The following example returns the hashtags from a twitter event.

index=twitter | eval output=spath(_raw, "entities.hashtags")


substr(X,Y,Z)

Description

This function takes either two or three arguments. The required arguments are X, a string, and Y, a numeric. Z is optional and a numeric. This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string.

Usage

The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example concatenates "str" and "ing" together, returning "string":

... | eval n=substr("string", 1, 3) + substr("string", -3)


trim(X,Y)

Description

This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns "abc".

... | eval n=trim(" ZZZZabcZZ ", " Z")


upper(X)

Description

This function takes one string argument and returns the string in uppercase.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

You can use this function on multivalue fields.

Basic example

The following example returns the value provided by the field username in uppercase.

... | eval n=upper(username)

urldecode(X)

Description

This function takes one URL string argument X and returns the unescaped or decoded URL string.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns "http://www.splunk.com/download?r=header".

... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")

Last modified on 05 May, 2020
PREVIOUS
Statistical eval functions 		  NEXT
Trig and Hyperbolic functions

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 8.0.2, 8.0.0, 8.0.1, 8.0.3, 8.0.4, 8.0.5

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters