Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Text functions

The following list contains the functions that you can use with string values.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

len(<str>)

Description

This function returns a count of the UTF-8 code points in a string. While the character length and number of code points are identical for some strings in English, the count is not the same for all strings, including strings in other languages.

If your strings contain non-ASCII characters that aren't in UTF-8 format, you must perform a code conversion before using the len function in searches.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

Suppose you have a set of results that looks something like this:

_time names
2020-01-09 16:35:14 buttercup
2020-01-09 16:35:14 rarity
2020-01-09 16:35:14 tenderhoof
2020-01-09 16:35:14 dash
2020-01-09 16:35:14 mistmane

You can determine the length of the values in the names field using the len function:

... | eval length=len(names)


The results show a count of the character length of the values in the names field:

_time length names
2020-01-09 16:35:14 9 buttercup
2020-01-09 16:35:14 6 rarity
2020-01-09 16:35:14 10 tenderhoof
2020-01-09 16:35:14 4 dash
2020-01-09 16:35:14 8 mistmane

lower(<str>)

Description

This function takes one string argument and returns the string in lowercase.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

You can use this function on multivalue fields.

Basic example

The following example returns the value provided by the field username in lowercase.

... | eval username=lower(username)

ltrim(<str>,<trim_chars>)

Description

This function removes characters from the left side of a string.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

The <trim_chars> argument is optional. If not specified, spaces and tabs are removed from the left side of the string.

This function is not supported on multivalue fields.

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x="abcZZ ".

... | eval x=ltrim(" ZZZZabcZZ ", " Z")

The following example removes the dollar sign ( $ ) from the results for the NET_COST field.

... | eval cost=ltrim(NET_COST, "$")

replace(<str>,<regex>,<replacement>)

Description

This function substitutes the replacement string for every occurrence of the regular expression in the string.

Usage

The <str> argument can be the name of a string field or a string literal.

The <replacement> argument can also reference groups that are matched in the <regex> using Perl-compatible regular expressions (PCRE) syntax.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

To replace a backslash ( \ ) character, you must escape the backslash twice. This is because the replace function occurs inside an eval expression. The eval expression performs one level of escaping before passing the regular expression to PCRE. Then PCRE performs its own escaping. See SPL and regular expressions.

Basic example

The following example returns the values in the date field, with the month and day numbers switched. If the input is 1/14/2023 the return value would be 14/1/2023.

... | eval n=replace(date, "^(\d{1,2})/(\d{1,2})/", "\2/\1/")
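The double escaping described above, applied to a Windows file path so that paths compare consistently in a search. This is an added example, not part of the Splunk documentation; sample_path and its value are constructed, and the output field names are assumptions.

```spl
| makeresults
| eval sample_path="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
| eval path_fwd=replace(sample_path, "\\\\", "/")
| eval file_name=replace(sample_path, "^.*\\\\([^\\\\]+)$", "\1")
| eval path_norm=lower(path_fwd)
| table sample_path path_fwd file_name path_norm
```

Each `\\\\` in the search reaches PCRE as `\\`, which matches one literal backslash. Here file_name evaluates to setup.exe and path_norm to c:/users/alice/appdata/local/temp/setup.exe.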

rtrim(<str>,<trim_chars>)

Description

This function removes the trim characters from the right side of the string.

Usage

The <str> argument can be the name of a string field or a string literal.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

The <trim_chars> argument is optional. If not specified, spaces and tabs are removed from the right side of the string.

This function is not supported on multivalue fields.

Basic example

The following example trims the trailing spaces and all of the occurrences of the letter Z from the right side of the string. The value returned is ZZZZabc.

... | eval n=rtrim(" ZZZZabcZZ ", " Z")

spath(<value>,<path>)

Description

Use this function to extract information from the structured data formats XML and JSON.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

The <value> is an input source field.

The <path> is an spath expression for the location path of the value that you want to extract.

  • If <path> is a literal string, you need to enclose the string in double quotation marks.
  • If <path> is a field name, with values that are the location paths, the field name doesn't need quotation marks. Using a field name for <path> might result in a multivalue field.

This function is not supported on multivalue fields.

Basic example

The following example returns the values of locDesc elements.

... | eval locDesc=spath(_raw, "vendorProductSet.product.desc.locDesc")


The following example returns the hashtags from a Twitter event.

index=twitter | eval output=spath(_raw, "entities.hashtags")
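The two forms of <path> described above, run against a JSON event. This is an added example, not part of the Splunk documentation; event_json and its contents are constructed, the field names are assumptions, and the `{}` array notation comes from spath path syntax rather than from this page.

```spl
| makeresults
| eval event_json="{\"user\":\"alice\",\"entities\":{\"hashtags\":[{\"text\":\"splunk\"},{\"text\":\"security\"}]}}"
| eval user=spath(event_json, "user")
| eval tags=spath(event_json, "entities.hashtags{}.text")
| eval tag_path="entities.hashtags{}.text"
| eval tags_by_field=spath(event_json, tag_path)
| eval tag_count=mvcount(tags)
| table user tags tags_by_field tag_count
```

The literal path is quoted and the field name tag_path is not. Both return the multivalue result splunk, security, so tag_count is 2.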

substr(<str>,<start>,<length>)

Description

This function returns a substring of a string, beginning at the start index. The <length> argument specifies the number of characters to return.

Usage

The <str> argument can be the name of a string field or a string literal.

The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.

The <length> is optional, and if not specified returns the rest of the string.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example concatenates "str" and "ing" together, returning "string":

... | eval n=substr("string", 1, 3) + substr("string", -3)

trim(<str>,<trim_chars>)

Description

This function removes the trim characters from both sides of the string.

Usage

The <str> argument can be the name of a string field or a string literal.

The <trim_chars> argument is optional. If not specified, spaces and tabs are removed from both sides of the string.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example trims the leading and trailing spaces and all of the occurrences of the letter Z from the left and right sides of the string. The value returned is abc.

... | eval n=trim(" ZZZZabcZZ ", " Z")

upper(<str>)

Description

This function returns a string in uppercase.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

You can use this function on multivalue fields.

Basic example

The following example returns the value provided by the field username in uppercase.

... | eval n=upper(username)

urldecode(<url>)

Description

This function takes one URL string argument and returns the unescaped or decoded URL string.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns "http://www.splunk.com/download?r=header".

... | eval n=urldecode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader")
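Normalizing a request URI before matching on it, combining urldecode with lower. This is an added example, not part of the Splunk documentation; sample_uri and its value are constructed and the field names are assumptions. It shows that one urldecode call removes one layer of percent-encoding, so a value that was encoded twice needs a second pass.

```spl
| makeresults
| eval sample_uri="/Files/Report%252Epdf%3FUser%3DAlice"
| eval decoded_once=urldecode(sample_uri)
| eval decoded_twice=urldecode(decoded_once)
| eval double_encoded=if(decoded_once!=decoded_twice, "yes", "no")
| eval uri_norm=lower(decoded_twice)
| table sample_uri decoded_once decoded_twice double_encoded uri_norm
```

decoded_once is /Files/Report%2Epdf?User=Alice and decoded_twice is /Files/Report.pdf?User=Alice, so double_encoded is yes and uri_norm is /files/report.pdf?user=alice.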

See also

Related functions
tostring
Last modified on 10 January, 2025

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0, 8.1.10, 8.1.12, 8.1.14, 8.1.2

