Compatibility Quick Reference for SPL2 evaluation functions
An SPL2 profile maps to a set of SPL2 commands and functions that are used by a given product. See SPL2 compatibility profiles.
The following table shows which SPL2 evaluation functions are supported for the Edge Processor on Enterprise.
| Supported functions and syntax | Description |
|---|---|
| abs(num) | Returns the absolute value of a number. |
| acos(x) | Computes the arc cosine of x. |
| acosh(x) | Computes the arc hyperbolic cosine of x. |
| asin(x) | Computes the arc sine of x. |
| asinh(x) | Computes the arc hyperbolic sine of x. |
| atan(x) | Computes the arc tangent of x. |
| atan2(y,x) | Computes the arc tangent of y,x. |
| atanh(x) | Computes the arc hyperbolic tangent of x. |
| batch_id() | Returns the ID associated with the current batch of events that the pipeline is processing. |
| batch_time() | Returns the UNIX timestamp indicating the processing time of the current batch of events that the pipeline is processing. |
| case(condition,value, ...) | Accepts alternating conditions and values. Returns the first value for which the condition evaluates to TRUE. |
| cidrmatch(cidr,ip) | Returns TRUE or FALSE based on whether an IP address matches a CIDR notation. |
| coalesce(values) | Takes one or more values and returns the first value that is not NULL. |
| cos(x) | Computes the cosine of an angle of x radians. |
| cosh(x) | Computes the hyperbolic cosine of x radians. |
| exp(num) | Returns the exponential function e^X of a number. |
| filter(values, predicate) | Iterates over the values in a JSON array and copies the values that match the specified predicate into a new array. |
| floor(num) | Rounds a number down to the nearest whole integer. |
| hypot(x,y) | Computes the hypotenuse of a triangle. |
| if(predicate,true_value,false_value) | If the predicate expression evaluates to TRUE, returns the true_value. Otherwise the function returns the false_value. |
| in(value,list) | Returns TRUE if one of the values in the list matches a value that you specify. |
| instance_id() | Returns the host name of the Edge Processor instance or the UUID of the Ingest Processor that processed the event. |
| ipmask(mask,IP) | Generates a new masked IP address by applying a mask to an IPv4 address. |
| isarray(value) | Returns TRUE if the value is an array. |
| isbool(value) | Returns TRUE if the value is Boolean. |
| isdouble(value) | Returns TRUE if the value is a double. |
| isint(value) | Returns TRUE if the value is an integer. |
| ismv(value) | Returns TRUE if the value is a multivalue. |
| isnotnull(value) | Returns TRUE if the value is not NULL. |
| isnull(value) | Returns TRUE if the value is NULL. |
| isnum(value) | Returns TRUE if the value is a number. |
| isobject(value) | Returns TRUE if the value is a valid JSON object. |
| isstr(value) | Returns TRUE if the value is a string. |
| json_append(json,path_value_pairs) | |
| json_array(values) | Creates a JSON array using a list of values. |
| json_array_to_mv(json_array, boolean) | Maps the elements of a JSON array to a multivalued field. |
| json_extend(json, path_value_pairs) | Extends the contents of a valid JSON object with the values of an array. |
| json_extract(field,paths) | Returns a value from a field and zero or more paths. The value is returned in either a JSON array, or a Splunk software native type value. |
| json_extract_exact(json, keys) | Returns Splunk software native type values from a piece of JSON by matching literal strings in the event and extracting the strings as keys. |
| json_keys(json) | Returns the keys from the key-value pairs in a JSON object. The keys are returned as a JSON array. |
| json_object(key,value,...) | Creates a new JSON object from members of key-value pairs. |
| json_set(field,path_value_pairs) | Inserts or overwrites values for a JSON node with the path and value pairs provided and returns an updated JSON object. |
| json_set_exact(json, key_value_pairs) | Generates or overwrites a JSON object using the key-value pairs specified. |
| json_valid(field) | Evaluates whether a JSON object uses valid JSON syntax and returns either TRUE or FALSE. |
| len(str) | Returns the character length of a string. |
| like(str,pattern) | Returns TRUE if the string value matches the pattern. |
| ln(num) | Returns the natural logarithm of a number. |
| log(num,base) | Returns the logarithm of a number using a base. The base is optional, and if omitted the log function uses base 10. |
| lower(str) | Converts a string to lowercase. |
| ltrim(str,trim_chars) | Removes the trim characters from the left side of the string. |
| map(values, mapper) | Iterates over the values in a JSON array and performs an operation on each value in the array. |
| match(str,regex) | Returns TRUE if the regular expression finds a match against any substring of the string value. Otherwise returns FALSE. |
| max(values) | Returns the maximum of the string or numeric values. |
| md5(str) | Computes and returns the MD5 hash of a string value. |
| min(values) | Returns the minimum of the string or numeric values. |
| mvappend(values) | Returns a single multivalue result from a list of values. |
| mvcount(mv) | Returns the count of the number of values in the specified multivalue field. |
| mvdedup(mv) | Removes all of the duplicate values from a multivalue field. |
| mvfind(mv,regex) | Returns the index for the first value in a multivalue field that matches a regular expression. |
| mvindex(mv,start,end) | Returns a subset of the multivalue field using the start and end index values. |
| mvjoin(mv,delim) | Concatenates the individual values within the multivalue field using the value of the delimiter as a separator. |
| mv_to_json_array(field,infer_types) | Maps the elements of a multivalue field to a JSON array. |
| pi() | Returns the constant pi to 11 digits of precision. |
| pow(num,exp) | Returns a number to the power of the exponent. |
| random() | Returns a pseudo-random integer ranging from 0 to 2^31-1. |
| reduce(values, initialValue, accumulator, finalizer) | Iterates over the values in a JSON array and performs an accumulation operation. |
| relative_time(time,specifier) | Takes a UNIX time and a relative time specifier and returns the UNIX time value of the specifier applied to the time. |
| replace(str,regex,replacement) | Substitutes the replacement string for every occurrence of the regular expression in the string. |
| round(num,precision) | Returns a number rounded to the decimal places specified by the precision. The default is to round to an integer. |
| rtrim(str,trim_chars) | Removes the trim characters from the right side of the string. |
| sha1(str) | Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-1 hash function. |
| sha256(str) | Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-256 hash function. |
| sha512(str) | Computes and returns the secure hash of a string value, based on the FIPS compliant SHA-512 hash function. |
| sin(x) | Computes the sine of x. |
| sinh(x) | Computes the hyperbolic sine of x. |
| spath(value,path) | Extracts information from the structured data formats XML and JSON. |
| split(str,delim) | Splits the string values on the delimiter and returns the string values as a multivalue field. |
| sqrt(num) | Returns the square root of a number. |
| strftime(time,format) | Takes a UNIX time value and renders the time as a string using the format specified. The UNIX time must be in seconds. |
| strptime(str,format) | Takes a human readable time, represented by a string, and parses the time into a UNIX timestamp using the format. |
| substr(str,start,length) | Returns a substring of a string, beginning at the start index. The length of the substring specifies the number of characters to return. |
| tan(x) | Computes the tangent of x. |
| tanh(x) | Computes the hyperbolic tangent of x. |
| time() | Returns the wall-clock time, in the UNIX time format, with microsecond resolution. |
| to_ocsf(value, source_type, boolean_options) | Converts the data from the specified event field to the Open Cybersecurity Schema Framework (OCSF) format. |
| toarray(value) | Converts a string or multivalue to an array. |
| tobool(value) | Converts a string or number to a Boolean value. |
| todouble(value, base) | Converts a string or number to a double. |
| toint(value, base) | Converts a string or number to an integer. |
| tojson(internal_fields) | Returns a JSON object representation of events or search results. |
| tomv(value) | Converts a JSON array to a multivalue. |
| tonumber(str,base) | Converts a string to a number. The base is optional. If not specified, base 10 is used. |
| toobject(value) | Converts a string to an object. |
| tostring(value,format) | Converts a value to a string using the specified format. |
| trim(str,trim_chars) | Removes the trim characters from both sides of the string. |
| upper(str) | Returns a string in uppercase. |