Splunk® Enterprise

Search Manual

Types of expressions

Expressions are widely used in the Search Processing Language (SPL). Expressions produce a value and can be composed of literals, functions, fields, parameters, comparisons, and other expressions. You can use expressions with the following commands:

  • In an eval expression using the eval command to calculate or construct new values. For example:

    ...| eval diameter=circumference*3.14

  • In a filter using the where command. For example:

    ... | where status in("400", "401", "403", "404")

  • In an eval expression using the fieldformat command to change the appearance of a field value in the search results. For example:

    ... | fieldformat count=tostring(count, "commas")

You can combine literals or constants, variables such as fields, navigations or parameters, operators and functions to create expressions that can be used to fabricate new values or predicate expressions.

Predicate expressions are a unique type of expression. See Predicate expressions.

Expressions quick reference

The following table describes the type of expressions that you can use with SPL:

Expression type Description Examples Output
String literal A regular string value. String values must be enclosed in double quotation marks.

You can use string templates in string literal expressions. See String templates in expressions.

"surname"
"C:\\windows"
"C:\\windows\temp"
surname
C:\windows
C:\windows   emp
The \t in the path is interpreted as a tab. To avoid this you must escape the backslash. For example:
"C:\\windows\\temp"
Boolean literal A Boolean value. The only valid Boolean values are true and false.
true
false
true
false
Number literal A number value or a numeric expression.
2048
5-4
2048
1
Null literal A null value is the intentional absence of any object value. You can use a null literal to set a field to null, which removes the field.
null
 
Field The name of a field in your data.

Field names cannot contain square brackets [ ].

You can use field templates in field expressions. See Field templates in expressions.

client_ip
port
'5minutes'
'status-code'
avg(bytes/1024)
...| eval '${city}' = 456
When a field name is included in an expression, the field values are used when the expression is resolved.







The field name bytes is part of this binary expression.

The field template '${city}' is resolved when the eval command is processed.

Assignment Uses the equal sign ( = ) to assign the results of an <expression> to a <field>. If the field exists in the incoming search results, the values in that field are replaced. Otherwise a field is created in the outgoing search results.


The syntax is:
<field>=<expression>

speed=distance/time
'low-category' = lower(categoryId)
speed=65
'low-category' = arcade
Function A function call with one or more expressions.

TO DO - ONLY EVAL FUNCTIONS OR STATS AS WELL?


The syntax is:
function_name ( <expression> [, <expression> ]... )

avg(size)
case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error")
When a function is included in an expression, the results of the function are used when the expression is resolved.
Predicate An expression that returns either TRUE or FALSE.

TO DO - eval x=(true)

See Predicate expressions for descriptions and examples of valid predicates that you can use.
true
false
Unary An operation with only one argument. Primarily used with unary minus to change the sign of its argument. A positive number becomes a negative, and a negative number becomes a positive. Use a space between the sign and the argument.


The syntax is: [ + | - ] <expression>

- discount_amount
- (.20)
-discount_amount
-.20
Binary An operation with two arguments. A common binary expression is a + b, which is the addition operator ( + ) surrounded by two arguments, or operands.


The syntax is:
<expression> <binary-operator> <expression>


Valid binary operators are:
addition ( + )
subtraction ( - )
division ( / )
multiplication ( * )
percent ( % )
concatenation ( + )

5 + 12
bytes/1024
surname+", "+firstname
When a binary operation is included in an expression, the results of the operation are used when the expression is resolved.
Lambda. - NO A function literal written in a concise form. A function literal is a function that is not declared but passed directly as an expression. Lambda expressions use the lambda symbol ( -> ).


Use a lambda expression as a parameter for a function. See Lambda expressions.

( ) -> 1 + 2
$a -> $a + 10
$a -> { $z = 1; return $a + $z } 
($a, $b) -> $a + $b 
($a, $b) -> { $z = $a + $b; return $z }
($a) -> { $c=$a*2; $d=$a*4; return $c+$d }

See also

Related information
Predicate expressions
Last modified on 16 December, 2024
Use CASE() and TERM() to match phrases   Boolean expressions

This documentation applies to the following versions of Splunk® Enterprise: 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters