Types of expressions
Expressions are widely used in the Search Processing Language (SPL). Expressions produce a value and can be composed of literals, functions, fields, parameters, comparisons, and other expressions. You can use expressions with the following commands:
- In an eval expression using the eval command to calculate or construct new values. For example: ... | eval diameter=circumference*3.14
- In a filter using the where command. For example: ... | where status in("400", "401", "403", "404")
- In an eval expression using the fieldformat command to change the appearance of a field value in the search results. For example: ... | fieldformat count=tostring(count, "commas")
You can combine literals or constants, variables such as fields, navigations or parameters, operators, and functions to create expressions that produce new values or act as predicates.
Expressions quick reference
The following table describes the type of expressions that you can use with SPL:
Expression type | Description | Examples | Output |
---|---|---|---|
String literal | A regular string value. String values must be enclosed in double quotation marks. | "surname"<br>"C:\\windows"<br>"C:\\windows\temp" | surname<br>C:\windows<br>C:\windows emp (the \t in the path is interpreted as a tab, so the output contains a tab character between "windows" and "emp"). To avoid this you must escape the backslash. For example: "C:\\windows\\temp" |
Boolean literal | A Boolean value. The only valid Boolean values are true and false. | true<br>false | true<br>false |
Number literal | A number value or a numeric expression. | 2048<br>5-4 | 2048<br>1 |
Null literal | A null value is the intentional absence of any object value. You can use a null literal to set a field to null, which removes the field. | null | |
Field | The name of a field in your data. Field names cannot contain square brackets [ ]. | client_ip<br>port<br>'5minutes'<br>'status-code'<br>avg(bytes/1024) | When a field name is included in an expression, the field values are used when the expression is resolved. |
Assignment | Uses the equal sign ( = ) to assign the results of an <expression> to a <field>. If the field exists in the incoming search results, the values in that field are replaced. Otherwise a field is created in the outgoing search results. | speed=distance/time<br>'low-category' = lower(categoryId) | speed=65<br>'low-category' = arcade |
Function | A function call with one or more expressions. | avg(size)<br>case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error") | When a function is included in an expression, the results of the function are used when the expression is resolved. |
Unary | An operation with only one argument. Primarily used with unary minus to change the sign of its argument. A positive number becomes a negative, and a negative number becomes a positive. Use a space between the sign and the argument. | - discount_amount<br>- (.20) | -discount_amount<br>-.20 |
Binary | An operation with two arguments. A common binary expression is a + b, which is the addition operator ( + ) surrounded by two arguments, or operands. | 5 + 12<br>bytes/1024<br>surname.", ".firstname | When a binary operation is included in an expression, the results of the operation are used when the expression is resolved. |
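The following search exercises every expression type in the table in one pipeline. It is an added example, not part of the Splunk documentation: it uses makeresults so that it runs on any Splunk instance without indexed data, and every field value (status, bytes, surname, firstname, discount_amount, scratch, path_ok, path_bad) is constructed here rather than taken from real events. The two path fields illustrate the backslash caveat from the String literal row: path_ok doubles every backslash, path_bad leaves \t unescaped, so the two strings differ in length and do not compare equal even though they look alike when typed. This matters for detection searches that compare a Windows path field against a literal, because a single-backslash literal silently fails to match.

```spl
| makeresults count=1
| eval status=404, bytes=3072, surname="Doe", firstname="Jane", discount_amount=20, scratch="drop me"
| eval path_ok="C:\\windows\\temp", path_bad="C:\\windows\temp"
| eval kb=bytes/1024
| eval fullname=surname.", ".firstname
| eval 'status-text'=case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error")
| eval negated = - discount_amount
| eval scratch=null()
| eval same_path=if(path_ok=path_bad, "yes", "no"), len_ok=len(path_ok), len_bad=len(path_bad)
| where status in(400, 401, 403, 404)
| fields - _time
```

Reading it line by line: the second eval is a set of assignments from number and string literals; kb and fullname are binary operations (division and string concatenation with the period); 'status-text' shows a single-quoted field name on the left of an assignment with a function call on the right; negated is the unary minus with the space the table calls for; setting scratch to null() removes that field from the result; and the where command filters on status with the in function, here with number literals because status was assigned as a number. The final fields command only drops the _time field that makeresults adds.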
See also
- Use CASE() and TERM() to match phrases
- Boolean expressions with logical operators
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408