Lambda expressions

In functions, you can use lambda expressions where you would specify function parameters. A lambda expression is like a function. In essence, you are using a lambda expression to pass a function as an argument into another function.

Functions that expect lambda expressions

The following JSON functions expect lambda expressions:

  • any
  • all
  • filter
  • map
  • reduce

See JSON functions in the SPL2 Search Reference.

Lambda expression syntax

The required syntax is in bold.

( [ $<parameter-name> [: <parameter-type>] [=<default-value>] ], ...)

->

<expression> | { <function-statements> }

Note: You must specify either an expression or a function-statement.

Required arguments

parentheses

Syntax: ( )

Description: If only one parameter is specified, you can omit the parentheses. However, if no parameters or multiple parameters are specified the parentheses ( ) are required before the lambda symbol ( -> ).

lambda symbol

Syntax: ->

Description: The lambda symbol ( -> ) is used between the parameters and the expression.

expression

Syntax: <expression>

Description: An expression can be composed of literals, built-in functions, custom functions, fields, parameters, comparisons, and other expressions. Nested lambda expressions are not supported. For example, a lambda expression can't use a custom function that includes a lambda expression. See Types of expressions.

Example:$a + 2.

Default: None

function-statements

Syntax: { [ $<variable-name> = <expression>; ... ] return <expression> }

Description: You can specify one or more function statements. There are two types of function statements: assignment statements and return statements. Assignment statements are variable-expression pairs, such as $a = 1+2.

Return statements consist of the keyword return followed by an expression. Expressions can be composed of literals, functions, fields, parameters, comparisons, and other expressions. See Types of expressions.
  • You can specify zero or more assignment statements.
  • You must specify only one return statement.
  • The return statement must be the last function statement specified.

The entire function statement must be enclosed in curly brackets { }.

When specifying multiple function-statements, either place each statement on a separate line or use a semi-colon ( ; ) between each statement. See the section Syntax rules quick reference in this topic for additional examples.

Example: {$a = 1+2; $c = 3+4; return $a + $c}

Default: None

Optional arguments

default-value

Syntax: <default-value>

Description: A default value for the parameter. The value must be a constant, either a number or a string. The value can't be a field name. Users can override the default value by specifying the parameter with a value.

Example: $count: int=5

Default: None

parameter-name

Syntax: $<parameter-name>

Description: The name that you want to give to a parameter to use with the lambda expression. You can specify zero or more parameters. Separate multiple parameters with commas. Parameter names must start with a dollar sign ( $ ) followed by a letter or an underscore ( _ ) character and cannot contain spaces. When you specify a parameter name, you have the option to include a parameter type. The default parameter type is any.

Example: ($firstname, $surname, $age: int)

Default: None

parameter-type

Syntax: <parameter-type>

Description: The data type that the parameter accepts. This is the input data type. The default data type is any. See Built-in data types. If you specify a parameter type, you must separate the <parameter-name> and the <parameter-type> with a colon ( : ).

Example: ($ipaddress: string, $kbps: int)

Default: any

Syntax rules quick reference

The following table explains the syntax rules and includes examples:

Syntax rule Example Explanation
Parameters: If no parameter is specified, you must use parentheses ( ) where the parameter would be defined. () -> 1 + 2 Return the result of 1 + 2.
Parameters: When a single parameter is specified, you can omit or include the parentheses around the parameter. $a -> $a + 1

($a) -> $a + 1

Specify parameter $a and return the result of expression $a + 1.
Parameters: A comma-separated list of parameters is specified. You must use parentheses to enclose all of the parameters. ($a, $b) -> $a + $b Specify multiple parameters, $a and $b. Return the result of expression $a + $b.
Expressions: When a single expression is specified, you can omit or include the curly brackets { } around the expression.

If you use the curly brackets, you must use the return keyword, regardless of number of function statements specified.

($a) -> $a + 1

($a) -> { return $a + 1 }

Specify parameter $a and return the result of expression $a + 1.
Expressions: When a function statement in the form of <variable>=<expression> is specified, you must enclose the entire expression clause in curly brackets { }, regardless of number of function statements specified. ($a, $b) -> { $z = $a + $b; return $z } Specify multiple parameters, $a and $b. Calculate function statement $z = $a + $b. Return the result of $z.
Expressions: When you specify multiple function statements on the same line, you must separate the statements with a semi-colon ( ; ).

If the function statements are on separate lines, you can omit the semi-colons.

($a) -> { $c=$a*2; $d=$a*4; return $c+$d } 
($a) -> {

$c=$a*2

$d=$a*4

return $c+$d

}

Specify one parameter and multiple assignment statements. Return the result of $c + $d.

Lambda expression shortcuts

You can omit everything before the lambda symbol ( -> ) in your lambda expression by using the $it parameter. The $it parameter is an implicit parameter that refers to the argument passed into the lambda expression.

$it + 2 is a shortcut for the lambda expression $it -> $it + 2

Consider the function literal function($it) {return $it.a}. You can write this function literal in a concise form as $it.a or as a lambda expression $it -> $it.a, where the return statement and other tokens are omitted.

Examples

Multiply each value in an array by a specific number

Consider this set of data:

_time results
13 Apr 2024 13:02:45.000 PM [5,10,15]
13 Apr 2024 10:52:41.000 AM [10,20,30]
13 Apr 2024 06:23:48.000 AM [20,40,80]

The following search loops through the array values in the results field and multiplies each array value by 10. This example uses a lambda expression where $r represents the current element in the array. 

... | eval new_results = map(results, $r -> $r*10)

The results look like this:

_time new_results results
13 Apr 2024 13:02:45.000 PM [50,100,150] [5,10,15]
13 Apr 2024 10:52:41.000 AM [100,200,300] [10,20,30]
13 Apr 2024 06:23:48.000 AM [200,400,800] [20,40,80]

Using multiple function statements

To specify multiple function statements in your lambda expression, you must separate each statement with a semi-colon ( ; ).

Consider this set of data, where the cities field contains an array of city names:

_time cities
24 Mar 2025 13:02:45.000 PM ["london", "paris", "rome"]

The following search uses the map function to loop through the array values in the cities field and prepend a string to each value. The lambda expression has 2 function statements: 1 assignment statement and 1 return statement. The assignment statement prepends the string emea_ to each value in the array. The return statement returns the results of the assignment statement as a new field called regionCities. 

from worldDataset select map(cities, ($val) -> { $region = "emea_" + $val; return $region; }) as regionCities

The results look like this:

_time regionCities cities
24 Mar 2025 13:02:45.000 PM ["emea_london", "emea_paris", "emea_rome"] ["london", "paris", "rome"]

Normalize JSON

Sometimes you encounter JSON data that is formatted in such a way that Splunk platforms can't parse the JSON data. One example is data that consists of key-value pairs inside an array of objects where both the keys and values are stored as values. You can use lambda expressions to normalize JSON data.

The following search takes an array that consists of a set of objects. The search uses the eval command with the reduce function to pull the keys out of each object and place the results in a new field called "keyvals". The reduce function iterates over the values in a JSON array and performs an operation on each value in the array. 

$basic = from [{array:[{key:"one", n:1},{key:"two", n:2},
{key:"three", n:3}]}] 
| eval keyvals=reduce(array, {}, ($acc, $it) -> json_set_exact($acc, 
$it.key, $it.n))

Here is what occurs when the reduce function iterates over the values in the array:

Iteration Before the operation After the operation
1st iteration The $acc parameter is an empty object. The $it parameter is the first object {key:"one", n:1} The $acc parameter is now {"one",1}
2nd iteration The $acc parameter is {"one",1}. The $it parameter is the second object {key:"two", n:2}. The $acc parameter is now {"one",1}, {"two",2}.
3rd iteration The $acc parameter is {"one",1}, {"two",2}. The $it parameter is the third object {key:"three", n:3}. The $acc parameter is now {"one",1}, {"two",2}, {"three",3}.

The results look like this:

array keyvals
[{"key":"one","n":1},{"key":"two","n":2},{"key":"three","n":3}] {"one":1,"two":2,"three":3}

For more information about the reduce function, see JSON functions in the SPL2 Search Reference.

Apply a normalizer function to a URL

Consider the following function, which decodes and normalizes URLs: 

function normalizeDecodeURL($input: string, $beforeDecode: func, $afterDecode: func): string {
  $readyForDecode = $beforeDecode($input)
  $decoded = urldecode($readyForDecode)
  return $afterDecode($decoded)
}

This function defines three parameters:

  • $input accepts string values, which will be the URLs.
  • $beforeDecode must be a lambda expression.
  • $afterDecode must be a lambda expression.

Note: The advantage of specifying lambda expressions for the function parameters is that you can customize the behavior of functions when you call the statements instead of hardcoding the behavior inside the function body.

The following example shows how the normalizeDecodeURL function is used in a search: 

$search1 = from main 
| eval decodedURL = normalizeDecodeURL(url, $raw -> trim($raw, " "), $decoded -> substr($decoded, 0, 100))

This search:

  • Creates a field called decodedURL
  • Uses the custom function normalizeDecodeURL
  • For the first function parameter, specifies a field in the events called url
  • For the second function parameter, specifies a lambda expression that takes the original URL and trims any spaces before and after the URL
  • For the third function parameter, specifies a lambda expression that takes the decoded URL and returns the first 100 characters of the URL string