Splits a string using a regular expression into an array of values.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
as | string | optional[a] | _splitstring | Emit selected attribute using this name. |
by | string | required | String or regular expression to split by. | |
field [b] | string | optional[a] | @rawstring | Field that needs splitting. |
index | number | optional[a] | Emit only this index after splitting. Can be negative; -1 designates the last element. | |
[a] Optional parameters use their default value unless explicitly set |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscalesplitString("field",by="value")
and:
logscalesplitString(field="field",by="value")
These examples show basic structure only.
splitString()
Examples
Assuming an event has the @rawstring="2007-01-01 test bar" you can split the string into fields part[0], part[1], and part[2]:
...
| part := splitString(field=@rawstring, by=" ")
Assuming an event has @rawstring:
2007-01-01 test bar
You can split pick out the date part using:
...
| date := splitString(field=@rawstring, by=" ", index=0)
Assuming an event has @rawstring:
<2007-01-01>test;bar
You can split the string into attributes part[0], part[1], and part[2]. In this case, the splitting string is a regex specifying any one of the characters <, >, or ;
...
| part := splitString(field=@rawstring, by="[<>;]")
Split an event into multiple events by newlines. The first function
splitString()
creates
@rawstring[0],
@rawstring[1],
... for each line, and the
following split()
creates the multiple events from
the array of rawstrings.
...
| splitString(by="\n", as=@rawstring)
| split(@rawstring)
Split the value of a string field into individual characters:
characters := splitstring(my_field, by="(?!\A)(?=.)")
Split the value of a string using case-insensitive regex:
characters := splitstring(my_field, by="(?i)(e
| encoded
| enc)")
Split the string using a multi-character separator. This can be used for
system logs that use the multi-character separator to allow a character
such as comma or colon that might otherwise be used as a separator.
Because the value to the
by
is a regular
expression, you should use a regular expression group as the value. For
example:
splitString(by="(\*\|\*)")
Splits incoming data by the string *|*
and would
correctly split the string
image.png*|*PNG*|*0755*|*john
into:
Field | Value |
---|---|
_splitstring[0] | image.png |
_splitstring[1] | PNG |
_splitstring[2] | 0755 |
_splitstring[3] | john |
Note
Special characters (including asterisk and pipe) also need to be escaped.