Informational functions
The following list contains the functions that you can use to return information about a value.
For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.
isbool(<value>)
Description
This function takes one argument <value> and evaluates whether <value> is a Boolean data type. The function returns TRUE if <value> is Boolean.
Usage
Use this function with other functions that return Boolean data types, such as cidrmatch
and mvfind
.
This function cannot be used to determine if field values are "true" or "false" because field values are either string or number data types. Instead, use syntax such as <fieldname>=true OR <fieldname>=false
to determine field values.
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
isint(<value>)
Description
This function takes one argument <value> and returns TRUE if <value> is an integer.
Usage
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
Basic examples
The following example uses the isint
function with the if
function. A field, "n", is added to each result with a value of "int" or "not int", depending on the result of the isint
function. If the value of "field" is a number, the isint
function returns TRUE and the value adds the value "int" to the "n" field.
... | eval n=if(isint(field),"int", "not int")
The following example shows how to use the isint
function with the where
command.
... | where isint(field)
isnotnull(<value>)
Description
This function takes one argument <value> and returns TRUE if <value> is not NULL.
Usage
This function is useful for checking for whether or not a field contains a value.
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
Basic examples
The following example uses the isnotnull
function with the if
function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnotnull
function. If the value of "field" is a number, the isnotnull
function returns TRUE and the value adds the value "yes" to the "n" field.
... | eval n=if(isnotnull(field),"yes","no")
The following example shows how to use the isnotnull
function with the where
command.
... | where isnotnull(field)
isnull(<value>)
Description
This function takes one argument <value> and returns TRUE if <value> is NULL.
Usage
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
Basic examples
The following example uses the isnull
function with the if
function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnull
function. If there is no value for "field" in a result, the isnull
function returns TRUE and adds the value "yes" to the "n" field.
... | eval n=if(isnull(field),"yes","no")
The following example shows how to use the isnull
function with the where
command.
... | where isnull(field)
isnum(<value>)
Description
This function takes one argument <value> and returns TRUE if <value> is a number.
Usage
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
Basic examples
The following example uses the isnum
function with the if
function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnum
function. If the value of "field" is a number, the isnum
function returns TRUE and the value adds the value "yes" to the "n" field.
... | eval n=if(isnum(field),"yes","no")
The following example shows how to use the isnum
function with the where
command.
... | where isnum(field)
isstr(<value>)
Description
This function takes one argument <value> and returns TRUE if <value> is a string.
Usage
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
Basic examples
The following example uses the isstr
function with the if
function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isstr
function. If the value of "field" is a string, the isstr
function returns TRUE and the value adds the value "yes" to the "n" field.
... | eval n=if(isstr(field),"yes","no")
The following example shows how to use the isstr
function with the where
command.
... | where isstr(field)
typeof(<value>)
Description
This function takes one argument <value> and returns the data type of the argument.
Usage
You can use this function with the eval
, fieldformat
, and where
commands, and as part of eval expressions.
Basic examples
The following example takes one argument and returns a string representation of its type. This example returns "NumberStringBoolInvalid"
... | eval n=typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)
The following example creates a single result using the makeresults
command.
| makeresults
For example:
_time |
---|
2018-08-14 14:00:15 |
To determine the data type of the _time
field, use the eval
command with the typeof
function. For example:
| makeresults | eval t=typeof(_time)
The results are:
_time | t |
---|---|
2018-08-14 14:00:15 | Number |
Date and Time functions | JSON functions |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 8.0.8, 8.1.0, 8.1.10, 8.1.11
Feedback submitted, thanks!