Types of expressions

Expressions are widely used in SPL2. Expressions produce a value and can be composed of literals, functions, fields, parameters, comparisons and other expressions. You can use expressions with the following commands and clauses:

  • With the eval command to calculate or construct new values.
  • In a group by clause to specify a time span that is used for aggregation groups.
  • With a predicate in the from and where commands to create a filter.

You can combine literals or constants, variables such as fields, navigations or parameters, operators, and functions to create expressions that can be used to fabricate new values or predicate expressions.

Note: These expressions are valid in commands that support expressions, with the exception of the search command. The search command has a different set of syntax rules.

Predicate expressions are a unique type of expression. See Predicate expressions.

Expressions quick reference

The following table describes the types of expressions that you can use with SPL2. Each entry gives the expression type, a description, examples, and the output those examples produce:

String literal

  Description: A regular string value. String values must be enclosed in double quotation marks. You can use string templates in string literal expressions. See String templates in expressions.

  Examples:
    "surname"
    "C:\\windows"
    "C:\\windows\temp"

  Output:
    surname
    C:\windows
    C:\windows   emp   (the \t in the path is interpreted as a tab)

Raw string literal

  Description: A string value in which the backslash character ( \ ) is not processed. Raw string literals must be preceded by the at symbol ( @ ) and enclosed in double quotation marks ( " ). Double quotation marks inside the string must be escaped by doubling them ( "" ).

  Examples:
    @"C:\windows"
    @"C:\windows\temp"
    @"C:\\test"
    @"Leroy ""Satchel"" Paige"
    @"\d.t"

  Output:
    C:\windows
    C:\windows\temp
    C:\\test
    Leroy "Satchel" Paige
    \d.t

Boolean literal

  Description: A Boolean value. The only valid Boolean values are true and false.

  Examples:
    true
    false

  Output:
    true
    false

Search literal

  Description: One or more predicate values that you can specify wherever an expression is valid. The AND operator is implicit between the values. Search literals must be enclosed in backtick characters ( ` ). See Search literals in expressions.

  Examples:
    |FROM main WHERE `500 ERROR`
    ... | stats count(`500`) by host

  Output: the output is the same as, respectively:
    |FROM main WHERE `500` AND `ERROR`
    ... search 500 | stats count() by host

Number literal

  Description: A number value or a numeric expression.

  Examples:
    2048
    5-4

  Output:
    2048
    1

Null literal

  Description: A null value is the intentional absence of any object value. You can use a null literal to set a field to null, which removes the field.

  Example:
    null

Array literal

  Description: An array of values or a multivalue field. Arrays are enclosed in square brackets. You can specify constant values and expressions in array literal expressions. See Array and object literals in expressions. See Access expressions for arrays and objects.

  Examples:
    [2,4,6,8]
    ... | eval a=10, value = [[1,2,3], a+2]

  Output:
    [2,4,6,8]
    a=10 value=[[1,2,3],12]

Object literal

  Description: A list of comma-separated values enclosed in curly brackets. An SPL object literal is a convenient way to create JSON objects. To be JSON compatible, field names are stored internally with double quotation marks. See Array and object literals in expressions. See Access expressions for arrays and objects.

  Examples:
    {day: "mon", temp: 42}
    [{type: "cooperative", 'game-name': "Forbidden Island"}, {type: "competitive", 'game-name': "Ticket to Ride"}]

  Output:
    {"day": "mon", "temp": 42}
    [{"type": "cooperative", "game-name": "Forbidden Island"}, {"type": "competitive", "game-name": "Ticket to Ride"}]

Field

  Description: The name of a field in your data. If a field name begins with anything other than a-z, A-Z, or the underscore ( _ ) character, you must enclose the field name in single quotation marks. Field names that contain anything other than a-z, A-Z, 0-9, or the underscore ( _ ) character must be enclosed in single quotation marks. Field names cannot contain square brackets ( [ ] ). You can use field templates in field expressions. See Field templates in expressions.

  Examples:
    client_ip
    port
    '5minutes'
    'status-code'
    avg(bytes/1024)
    ...| eval '${city}' = 456

  Output: When a field name is included in an expression, the field values are used when the expression is resolved. In avg(bytes/1024), the field name bytes is part of the binary expression bytes/1024. The field template '${city}' is resolved when the eval command is processed.

Assignment

  Description: Uses the equal sign ( = ) to assign the results of an expression to a field. If the field exists in the incoming search results, the values in that field are replaced. Otherwise, a field is created in the outgoing search results.

  Syntax:
    field=expression

  Examples:
    speed=distance/time
    'low-category' = lower(categoryId)

  Output:
    speed=65
    'low-category' = arcade

Parameter reference

  Description: A placeholder in a search string. A parameter reference always begins with a dollar sign ( $ ). A value for that placeholder must be provided when you run the search.

  Example:
    FROM weblogs WHERE status=$status

Function

  Description: A function call with one or more expressions.

  Syntax:
    function_name ( expression [, expression ]... )

  Examples:
    avg(size)
    case(status = 200, "OK", status = 404, "Not found", status = 500, "Internal Server Error")

  Output: When a function is included in an expression, the results of the function are used when the expression is resolved.

Predicate

  Description: An expression that returns either TRUE or FALSE. See Predicate expressions for descriptions and examples of valid predicates that you can use.

  Examples:
    true
    false

Unary

  Description: An operation with only one argument. Primarily used with unary minus to change the sign of its argument. A positive number becomes negative, and a negative number becomes positive. Use a space between the sign and the argument.

  Syntax:
    [ + | - ] expression

  Examples:
    - discount_amount
    - (.20)

  Output:
    -discount_amount
    -.20

Binary

  Description: An operation with two arguments. A common binary expression is a + b, which is the addition operator ( + ) surrounded by two arguments, or operands.

  Syntax:
    expression binary-operator expression

  Valid binary operators are:
    addition ( + )
    subtraction ( - )
    division ( / )
    multiplication ( * )
    percent ( % )
    concatenation ( + )

  Examples:
    5 + 12
    bytes/1024
    surname+", "+firstname

  Output: When a binary operation is included in an expression, the results of the operation are used when the expression is resolved.

Lambda

  Description: A function literal written in a concise form. A function literal is a function that is not declared but passed directly as an expression. Lambda expressions use the lambda symbol ( -> ). Use a lambda expression as a parameter for a function. See Lambda expressions.

  Examples:
    ( ) -> 1 + 2
    $a -> $a + 10
    $a -> { $z = 1; return $a + $z }
    ($a, $b) -> $a + $b
    ($a, $b) -> { $z = $a + $b; return $z }
    ($a) -> { $c=$a*2; $d=$a*4; return $c+$d }
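The following search is an added example, not part of the original reference, that puts the string literal and raw string literal entries side by side: the same Windows path written as an escaped string literal, as a raw string literal, and with a single backslash before "temp" so that the \t-to-tab conversion described above is visible next to the correct forms. The dataset name wineventlog and the field name file_path are assumptions.

```spl2
// Added example, not from the original page. Assumes a dataset named
// wineventlog that carries a field named file_path.
| FROM wineventlog
// Regular string literal: every backslash in the path must be doubled.
| eval escaped_path = "C:\\windows\\temp\\tool.exe"
// Raw string literal: backslashes are taken exactly as written.
| eval raw_path = @"C:\windows\temp\tool.exe"
// Regular string literal with a single backslash before "temp": \t is
// interpreted as a tab, so the value becomes C:\windows<TAB>emp\tool.exe
// and a filter built on it never matches the real path.
| eval broken_path = "C:\\windows\temp\\tool.exe"
// Compare the three forms so the difference shows up as a field value.
| eval escaped_equals_raw = if(escaped_path = raw_path, "same", "different")
| eval broken_equals_raw = if(broken_path = raw_path, "same", "different")
// Filter on the raw form, which reads the same as the path in the event.
| where file_path = raw_path
```

escaped_equals_raw resolves to "same" and broken_equals_raw to "different", which is the check to run before trusting any Windows path written as a regular string literal in a filter.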