Splits a string using a regular expression into an array of values.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | optional[a] | _splitstring | Emit selected attribute using this name. |
by | string | required | String or regular expression to split by. | |
field[b] | string | optional[a] | @rawstring | Field that needs splitting. |
index | number | optional[a] | Emit only this index after splitting. Can be negative; -1 designates the last element. | |
[a] Optional parameters use their default value unless explicitly set | ||||
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscalesplitString("@rawstring")and:
logscalesplitString(field="@rawstring")
splitString() Examples
Assuming an event has the @rawstring="2007-01-01 test bar" you can split the string into fields part[0], part[1], and part[2]:
...
| part := splitString(field=@rawstring, by=" ")Assuming an event has the @rawstring:
2007-01-01 test barYou can split pick out the date part using:
...
| date := splitString(field=@rawstring, by=" ", index=0)Assuming an event has the @rawstring
<2007-01-01>test;barYou can split the string into attributes part[0], part[1], and part[2]. In this case, the splitting string is a regex specifying any one of the characters <, >, or ;
...
| part := splitString(field=@rawstring, by="[<>;]")
Split an event into multiple events by newlines. The first function
splitString() creates
@rawstring[0],
@rawstring[1],
... for each line, and the
following split() creates the multiple events from
the array of rawstrings.
...
| splitString(by="\n", as=@rawstring)
| split(@rawstring)Split the value of a string field into individual characters:
characters := splitstring(my_field, by="(?!\A)(?=.)")Split the value of a string using case-insensitive regex:
characters := splitstring(my_field, by="(?i)(e
| encoded
| enc)")
Split the string using a multi-character separator. This can be used for
system logs that use the multi-character separator to allow a character
such as comma or colon that might otherwise be used as a separator.
Because the value to the
by is a regular
expression, you should use a regular expression group as the value. For
example:
splitString(by="(\*\|\*)")
Splits incoming data by the string *|* and would
correctly split the string
image.png*|*PNG*|*0755*|*john into:
| Field | Value |
|---|---|
| _splitstring[0] | image.png |
| _splitstring[1] | PNG |
| _splitstring[2] | 0755 |
| _splitstring[3] | john |
Note
Special characters (including asterisk and pipe) also need to be escaped.