Parse a fixed width-encoded field into known columns. It can parse values of the form:
| value 1 value 2 value 3, widths [8,8,8] |
| value 1value 2value 3, widths [7,7,7] |
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
columns | array of strings | required | Names of columns to extract from field. | |
field[a] | string | optional[b] | @rawstring | Field that holds the input in fixed width form. |
trim | boolean | optional[b] | true | Remove leading and trailing white-space from fields after extracting. |
widths | array of numbers | required | Widths of columns. | |
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale SyntaxparseFixedWidth("value",columns=["value"],widths=[10])and:
logscale SyntaxparseFixedWidth(field="value",columns=["value"],widths=[10])These examples show basic structure only.
For a log line like this:
2017-02-22T13:14:01.917+0000 [main thread] INFO statsModule got result="117success 27% 3.14"
Using parseFixedWidth(result,
columns=[count, status, completion, precision, sourcetask],
widths=[3,9,4,10,10) will add these fields:
count: 117
status: success
completion: 27%
precision: 3.14Sourcetask will not get assigned a value, as there were too few columns in the input for that. Values are trimmed after they have been extracted, for example, success will become success from the above example.
Use the (unnamed) field parameter to specify which field should be parsed. Specify @rawstring to parse the raw string
parseFixedWidth() Syntax Examples
Fixed width parse the result field from a log line:
statsModule got result="117success 27% 3.14The query:
parseFixedWidth(result, columns=[count, status,completion, precision, sourcetask], widths=[3,9,4,10,10])will add the following fields to the event:
count=117
status=success
completion=27%
precision=3.14
sourcetask will not get set as the input is too short.
parseFixedWidth() Examples
Click next to an example below to get the full details.
Parse Fixed Width-encoded Log Lines Fields
Parse fixed width-encoded field from log lines into columns using
the parseFixedWidth() function
Query
parseFixedWidth(result, columns=[count, status, completion, precision, sourcetask], widths=[3,9,4,10,10])Introduction
A fixed width file can be a very compact representation of numeric data. The file type is fast to parse, because every field is in the same place in every line. A disadvantages of fixed width file is, that it is necessary to describe the length of every field being parsed.
In this example, the parseFixedWidth() function is
used to parse an accesslog.
Step-by-Step
Starting with the source repository events.
- logscale
parseFixedWidth(result, columns=[count, status, completion, precision, sourcetask], widths=[3,9,4,10,10])Parses the fixed width-encoded field in the accesslog and adds the returned values as known columns in the result field.
Event Result set.
Summary and Results
The query is used to parse compact numeric data consisting of fixed width-encoded fields into columns.
In case a field value is longer than, for example, 10
characters, the parser handles overflow by truncating data that exceeds
the specified field width while maintaining the structure of the parsed
output.
As an example, if the original sourcetask value was:
SCAN_FILES_WITH_VERY_LONG_NAME (29 characters), then
the extra characters _WITH_VERY_LONG_NAME would be
truncated.
This parsing method is particularly valuable when dealing with structured data that must maintain strict positional formatting and character length requirements.