repeat dataset function
Use the repeat() function to create events in a temporary dataset. The repeat() function is often used to create events for testing. You can use the repeat function anywhere you can specify a dataset name, for example with the FROM, union, and join commands.
The SPL2 repeat() dataset function is similar to the makeresults command in SPL.
Syntax
The required syntax is in bold.
repeat (<template>, <count>)
The arguments must be enclosed in parentheses ( ).
Required arguments
template
Syntax: <template>
Description: Either an empty object { } or a single JSON object, in the format {field: value}. Field names that contain characters other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks. This includes field names with spaces. String values must be enclosed in double quotation marks.
Example:
{name: "Alex Martin", age: 25, 'city-name': "San Francisco"}
count
Syntax: <integer>
Description: The number of events to create.
Optional arguments
None
Usage
The repeat() function is a generating function. Generating functions are functions that create events to form a dataset.
There are some limitations using the repeat function:
- You can't specify nested JSON objects with the
repeatdataset function. - You can't specify an array of JSON objects. You can only specify a single JSON object with multiple field-value pairs.
Should I use the repeat function or a dataset literal?
The repeat function is a very useful method to create a temporary dataset in certain circumstances.
An alternative to the repeat function is to use a dataset literal. See Dataset literals in the SPL2 Search Manual.
The following table describes the usage differences and limitations between the repeat function and a dataset literal:
| Method | Usage | Limitations |
|---|---|---|
| repeat function | Use the repeat function when you want to create multiple identical, or nearly identical events, where only a few values are different. You can use the repeat function to create a lot of events quickly.
|
You can't use nested objects or an array of objects with the repeat function.
|
| dataset literal | Use a dataset literal when you want to create events with many different values. You can type arrays and nested objects in the from command to specify a dataset literal.
|
Manually typing in each of the objects is time-consuming. See Sample dataset literals in the SPL2 Search Manual. |
Examples
These examples show different ways to use the repeat function to create events.
1. Create a dataset with empty events
You can create a dataset of empty events. For example, to create a dataset with 5 events use this search:
FROM repeat({}, 5)To add a timestamp to the events, use the eval command:
from repeat({},5)
| eval _time = now()The results look something like this:
| _time |
|---|
| 25 Feb 2022 15:35:14 |
| 25 Feb 2022 15:35:14 |
| 25 Feb 2022 15:35:14 |
| 25 Feb 2022 15:35:14 |
| 25 Feb 2022 15:35:14 |
Each event has the exact same timestamp.
2. Create events with hourly or daily timestamps
There are many things you can do to extend the events you create.
For example, you can create a set of hourly timestamps instead of events with the exact same timestamp. Add the streamstats command to create a count of the events. Use the eval command to create incremental timestamps by multiplying the count by 3600, the number of seconds in an hour.
| FROM repeat({}, 5)
| eval _time = now()
| streamstats count()
| eval _time=_time-(count*3600)The results look something like this:
| _time | count |
|---|---|
| 25 Feb 2022 15:35:14 | 1 |
| 25 Feb 2022 14:35:14 | 2 |
| 25 Feb 2022 13:35:14 | 3 |
| 25 Feb 2022 12:35:14 | 4 |
| 25 Feb 2022 11:35:14 | 5 |
The hours in the timestamp are 1 hour apart, starting with the latest timestamp and ending with the earliest timestamp.
To create daily timestamps, use 86400, the number of seconds in a day, in the eval command.
3. Create events using a JSON object
You can specify a JSON object to create multiple fields in one or more events.
| from repeat({name: "Alex Martin", age: 25, 'city-name': "San Francisco"},2)Because the field city-name contains a dash ( - ), the name must be enclosed in single quotation marks.
The value San Francisco is a string, which must be enclosed in double quotation marks.
The results look something like this:
| name | age | city-name |
|---|---|---|
| Alex Martin | 25 | San Francisco |
| Alex Martin | 25 | San Francisco |
4. Create events with multiple fields
This example shows how to specify multiple key-value pairs in a JSON object, which results in multiple, duplicate fields in each event in the dataset.
| from repeat({host: "www1", sourcetype: "access_combined"},3)
| eval _time = now()The results look something like this:
| _time | host | sourcetype |
|---|---|---|
| 25 Feb 2022 14:35:58.000 PM | www1 | access_combined |
| 25 Feb 2022 14:35:58.000 PM | www1 | access_combined |
| 25 Feb 2022 14:35:58.000 PM | www1 | access_combined |
You can alter the duplicate events by adding the streamstats command to create a count of the events. Use the eval command to alter an event by the count number.
For example, this search alters the value of the host field for the second event:
| from repeat({host: "www1", sourcetype: "access_combined_wcookie"},3)
| eval _time = now()
| streamstats count()
| eval host = if(count=2, "www2", host)The results look something like this:
| _time | host | sourcetype | count |
|---|---|---|---|
| 25 Feb 2022 14:35:58.000 PM | www1 | access_combined | 1 |
| 25 Feb 2022 14:35:58.000 PM | www2 | access_combined | 2 |
| 25 Feb 2022 14:35:58.000 PM | www1 | access_combined | 3 |
See also
Function information
Overview of SPL2 dataset_functions
Naming function arguments in the SPL2 Search Manual