Splunk® Enterprise

Search Reference

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Informational functions

The following list contains the functions that you can use to return information about a value.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

isbool(<value>)

Description

This function takes one argument <value> and evaluates whether <value> is a Boolean data type. The function returns TRUE if <value> is Boolean.

Usage

Use this function with other functions that return Boolean data types, such as cidrmatch and mvfind.

This function cannot be used to determine if field values are "true" or "false" because field values are either string or number data types. Instead, use syntax such as <fieldname>=true OR <fieldname>=false to determine field values.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.


isint(<value>)

Description

This function takes one argument <value> and returns TRUE if <value> is an integer.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example uses the isint function with the if function. A field, "n", is added to each result with a value of "int" or "not int", depending on the result of the isint function. If the value of "field" is a number, the isint function returns TRUE and the value adds the value "int" to the "n" field.

... | eval n=if(isint(field),"int", "not int")


The following example shows how to use the isint function with the where command.

... | where isint(field)


isnotnull(<value>)

Description

This function takes one argument <value> and returns TRUE if <value> is not NULL.

Usage

This function is useful for checking for whether or not a field contains a value.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example uses the isnotnull function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnotnull function. If the value of "field" is a number, the isnotnull function returns TRUE and the value adds the value "yes" to the "n" field.

... | eval n=if(isnotnull(field),"yes","no")


The following example shows how to use the isnotnull function with the where command.

... | where isnotnull(field)


isnull(<value>)

Description

This function takes one argument <value> and returns TRUE if <value> is NULL.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example uses the isnull function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnull function. If there is no value for "field" in a result, the isnull function returns TRUE and adds the value "yes" to the "n" field.

... | eval n=if(isnull(field),"yes","no")


The following example shows how to use the isnull function with the where command.

... | where isnull(field)

isnum(<value>)

Description

This function takes one argument <value> and returns TRUE if <value> is a number.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example uses the isnum function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnum function. If the value of "field" is a number, the isnum function returns TRUE and the value adds the value "yes" to the "n" field.

... | eval n=if(isnum(field),"yes","no")


The following example shows how to use the isnum function with the where command.

... | where isnum(field)


isstr(<value>)

Description

This function takes one argument <value> and returns TRUE if <value> is a string.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example uses the isstr function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isstr function. If the value of "field" is a string, the isstr function returns TRUE and the value adds the value "yes" to the "n" field.

... | eval n=if(isstr(field),"yes","no")


The following example shows how to use the isstr function with the where command.

... | where isstr(field)

typeof(<value>)

Description

This function takes one argument <value> and returns the data type of the argument.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example takes one argument and returns a string representation of its type. This example returns "NumberStringBoolInvalid"

... | eval n=typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)


The following example creates a single result using the makeresults command.

| makeresults

For example:

_time
2018-08-14 14:00:15

To determine the data type of the _time field, use the eval command with the typeof function. For example:

| makeresults | eval t=typeof(_time)

The results are:

_time t
2018-08-14 14:00:15 Number
Last modified on 15 October, 2024
Date and Time functions   JSON functions

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.12, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.1, 8.1.11, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters