Informational functions
The following list contains the functions that you can use to return information about a value.
For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.
isarray(<value>)
Description
This function takes one argument and evaluates whether the value is an array data type. The function returns TRUE if the value is an array.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following search returns True because [1, 2, 3] is an array.
| makeresults
| eval result = if(isarray("[1, 2, 3]"), "True", "False")
The result of the following search is False because 1 is not an array.
| makeresults
| eval result = if(isarray(1), "True", "False")
isbool(<value>)
Description
This function takes one argument and evaluates whether the value is a Boolean data type. The function returns TRUE if the value is Boolean.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Use this function with other functions that return Boolean data types, such as cidrmatch and mvfind.
This function cannot be used to determine if field values are "true" or "false" because field values are either string or number data types. Instead, use syntax such as <fieldname>=true OR <fieldname>=false to determine field values.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following search returns True because 1==2 is Boolean.
| makeresults
| eval result = if(isbool(1==2), "True", "False")
The following search returns False because the value a is not Boolean.
| makeresults
| eval result = if(isbool(a), "True", "False")
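As an added illustration of the field-value caveat described under Usage (this search is not part of the original documentation), the following builds three constructed events whose example_flag field holds the strings "true", "false", and "unknown", then applies isbool to the field itself and to a comparison expression. The field names, the sample values, and the choice of the search command for the final filter are assumptions made for this example.

```spl
| makeresults count=3
| streamstats count AS n
| eval example_flag = case(n==1, "true", n==2, "false", n==3, "unknown")
| eval flag_type = typeof(example_flag)
| eval field_is_bool = if(isbool(example_flag), "True", "False")
| eval comparison_is_bool = if(isbool(example_flag=="true"), "True", "False")
| search example_flag=true OR example_flag=false
| table n example_flag flag_type field_is_bool comparison_is_bool
```

The field holds string values, so testing the field with isbool does not tell you whether it contains "true" or "false", whereas the comparison expression is itself a Boolean. The final search clause uses the <fieldname>=true OR <fieldname>=false pattern to keep only the events whose field carries one of those two values.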
isdouble(<value>)
Description
This function takes one argument and evaluates whether the value is a double data type. The function returns TRUE if the value is a double value.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following search returns True because the value 3.546 is a double.
| makeresults
| eval result = if(isdouble(3.546), "True", "False")
The following example returns False because 1000000 is not a double.
... | eval result = if(isdouble(1000000), "True", "False")
isint(<value>)
Description
This function takes one argument and returns TRUE if the value is an integer.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following example uses the isint function with the if function. A field, "n", is added to each result with a value of "int" or "not int", depending on the result of the isint function. If the value of "field" is a number, the isint function returns TRUE and adds the value "int" to the "n" field.
... | eval n=if(isint(field),"int", "not int")
The following example shows how to use the isint function with the where command.
... | where isint(field)
ismv(<value>)
Description
This function takes one argument and evaluates whether the field is a multivalue data type. The function returns TRUE if the field is a multivalue.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following search returns True because the my_multival field is a multivalue.
| makeresults
| eval my_multival="one,two,three"
| makemv tokenizer="([^,]+),?" my_multival
| eval result = if(ismv(my_multival), "True", "False")
The search results look like this:
_time | my_multival | result |
---|---|---|
2024-12-11 00:49:31 | one | True |
 | two | |
 | three | |
isnotnull(<value>)
Description
This function takes one argument and returns TRUE if the value is not NULL.
Usage
This function is useful for checking whether or not a field contains a value.
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following example uses the isnotnull function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnotnull function. If the value of "field" is a number, the isnotnull function returns TRUE and adds the value "yes" to the "n" field.
... | eval n=if(isnotnull(field),"yes","no")
The following example shows how to use the isnotnull function with the where command.
... | where isnotnull(field)
isnull(<value>)
Description
This function takes one argument and returns TRUE if the value is NULL.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following example uses the isnull function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnull function. If there is no value for "field" in a result, the isnull function returns TRUE and adds the value "yes" to the "n" field.
... | eval n=if(isnull(field),"yes","no")
The following example shows how to use the isnull function with the where command.
... | where isnull(field)
isnum(<value>)
Description
This function takes one argument and returns TRUE if the value is a number.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic examples
The following example uses the isnum function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isnum function. If the value of "field" is a number, the isnum function returns TRUE and adds the value "yes" to the "n" field.
... | eval n=if(isnum(field),"yes","no")
The following example shows how to use the isnum function with the where command.
... | where isnum(field)
isobject(<value>)
Description
This function takes one argument and evaluates whether the value is an object. The function returns TRUE if a string is a valid JSON object.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following example returns False, indicating that the cities value isn't a valid JSON object.
| makeresults
| eval result = if(isobject("cities"), "True", "False")
The following example returns True because the cities object is a valid JSON object.
| makeresults
| eval result = if(isobject(json_object("cities", 6)), "True", "False")
Say you run the following search.
| makeresults
| eval is_an_object = if(isobject("{cities: \"3\"}"), "is object", "is not object")
Your results look like this.
_time | is_an_object |
---|---|
2024-12-19 21:49:04 | is not object |
isstr(<value>)
Description
This function takes one argument and returns TRUE if the value is a string.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
You can use this function directly with the where command in searches, but the eval command can't directly accept a Boolean value. You must specify the function inside another function, such as the if function, which can accept a Boolean value as an input.
Basic examples
The following example uses the isstr function with the if function. A field, "n", is added to each result with a value of "yes" or "no", depending on the result of the isstr function. If the value of "field" is a string, the isstr function returns TRUE and adds the value "yes" to the "n" field.
... | eval n=if(isstr(field),"yes","no")
The following example shows how to use the isstr function with the where command.
... | where isstr(field)
typeof(<value>)
Description
This function takes one argument and returns the data type of the argument.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic examples
The following example takes one argument and returns a string representation of its type. This example returns "NumberStringBoolInvalid".
... | eval n=typeof(12) + typeof("string") + typeof(1==2) + typeof(badfield)
The following example creates a single result using the makeresults command.
| makeresults
For example:
_time |
---|
2018-08-14 14:00:15 |
To determine the data type of the _time field, use the eval command with the typeof function. For example:
| makeresults | eval t=typeof(_time)
The results are:
_time | t |
---|---|
2018-08-14 14:00:15 | Number |
This documentation applies to the following versions of Splunk® Enterprise: 9.4.0