Splits a string using a regular expression into an array of values.
Function Traits: Transformation
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | optional | _splitstring | Emit selected attribute using this name. |
by | string | required | String or regular expression to split by. | |
field[a] | string | optional | Field that needs splitting. | |
index | number | optional | Emit only this index after splitting. Can be negative; -1 designates the last element. | |
The parameter name for field can be omitted; the following forms are equivalent:
splitString("value")and:
splitString(field="value")splitString() Examples
Assuming an event has the @rawstring="2007-01-01 test bar" you can split the string into fields part[0], part[1], and part[2]:
...
| part := splitString(field=@rawstring, by=" ")Assuming an event has the @rawstring:
2007-01-01 test barYou can split pick out the date part using:
...
| date := splitString(field=@rawstring, by=" ", index=0)Assuming an event has the @rawstring
<2007-01-01>test;barYou can split the string into attributes part[0], part[1], and part[2]. In this case, the splitting string is a regex specifying any one of the characters <, >, or ;
...
| part := splitString(field=@rawstring, by="[<>;]")
Split an event into multiple events by newlines. The first function
splitString() creates
@rawstring[0],
@rawstring[1],
... for each line, and the
following split() creates the multiple events from
the array of rawstrings.
...
| splitString(by="\n", as=@rawstring)
| split(@rawstring)Split the value of a string field into individual characters:
characters := splitstring(my_field, by="(?!\A)(?=.)")Split the value of a string using case-insensitive regex:
characters := splitstring(my_field, by="(?i)(e
| encoded
| enc)")