Splunk® Cloud Services

SPL2 Search Manual

Built-in and custom functions

Functions are used with commands to perform a specific task, such as a calculation, comparison, evaluation, or transformation. Functions accept inputs in the form of parameters and return a value.

SPL2 includes a large set of built-in functions. You can also create custom functions if the built-in functions don't meet your specific needs.

Functions that accept strings can accept either a literal string or a field name where the field values are strings. Functions that accept numbers can accept either a literal number or a field name where the field values are numbers.

Evaluation functions

Use evaluation functions to evaluate an expression, based on your events, and return a result.

You can use evaluation functions:

  • In the WHERE and SELECT clauses of the from command
  • With the eval and where commands
  • With other commands that accept expressions

See Types of expressions for information about the expressions that you can use in evaluation functions.

See Overview of SPL2 eval functions in the SPL2 Search Reference.

Statistical and charting functions

Use statistical and charting functions to generate a calculation, such as an average or percentage, based on the field values in your events.

You can use the statistical and charting functions with the stats, eventstats, streamstats, and timechart commands.

See Overview of SPL2 stats and chart functions in the SPL2 Search Reference.

Dataset functions

Dataset functions are functions that create events to form a dataset.

You can use dataset functions with any generating command, such as the from, join, and union commands.

See Overview of SPL2 dataset functions in the SPL2 Search Reference.

Custom eval functions

You can create your own custom eval functions to extend SPL2. Custom functions provide a structured way to share and reuse blocks of SPL2. Custom functions are similar to macros.

You can use custom eval functions:

  • In the WHERE and SELECT clauses of the from command
  • With the eval and where commands
  • As part of evaluation expressions with other commands

See Custom eval functions in the SPL2 Search Reference to learn how to create a custom function.

Custom command functions

Use custom command functions to create a custom SPL2 command. A custom command function is a function that performs like a command. There are two types of custom command functions:

  • A generating command function creates a set of events and is used as the first command in a search. Examples of built-in generating commands are from, union, and search.
  • A non-generating command function processes data that is piped in from generating commands or other non-generating commands. Examples of built-in non-generating commands are stats, eval, and sort.

See Custom command functions in the SPL2 Search Reference to learn how to create a custom command function.

See also

Related information
Naming function arguments
Last modified on 04 August, 2022

This documentation applies to the following versions of Splunk® Cloud Services: current

