How-To: Split a Single Event into Multiple Events

Because data enters LogScale from a variety of other platforms and tools, it can sometimes require some rework in order for LogScale to provide usable insights.

Let's say you have the following event:

syslog
45.513466,-122.75999,2023-01-31 23:59:45.559,"Golden-Crowned Sparrow,Pine Siskin"

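All of this data is needed, but its format makes it difficult to parse. To get the most out of LogScale, you need to split this into two events, one for each bird. This can be done using a combination of parseCsv(), splitString(), and split(). The query below uses parseCsv() followed by a regular expression with the g flag, which returns each match as a separate event.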

logscale
// First create the event.
createEvents("45.513466,-122.75999,2023-01-31 23:59:45.559,\"Golden-Crowned Sparrow,Pine Siskin\"")

// Next parse it out as a CSV.
| parseCsv(columns=[lat, long, date, birdname])

// Then, using regex, return all the bird names in the birdname field as separate events.
| birdname=/(?<birdname>[^,]+)/g 

// Now drop @rawstring; you no longer need it.
| drop(@rawstring)

The result is now:

birdname
Golden-Crowned Sparrow
Pine Siskin
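
The splitString() and split() functions named earlier can do the same job without the regular expression. The following is an added example, not part of the original page; the array name bird is an arbitrary choice made here.

```logscale
// Same sample event as in the query above.
createEvents("45.513466,-122.75999,2023-01-31 23:59:45.559,\"Golden-Crowned Sparrow,Pine Siskin\"")

// Parse the CSV; the quoted fourth column stays together as one field.
| parseCsv(columns=[lat, long, date, birdname])

// Break the comma-separated names into an array: bird[0], bird[1], ...
| splitString(field=birdname, by=",", as=bird)

// Emit one event per element of the bird array.
| split(bird)

// Drop the raw string and the combined name field; neither is needed now.
| drop([@rawstring, birdname])
```

Each resulting event keeps the lat, long, and date values of the original event alongside a single bird name.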

For more information, see our documentation on @rawstring.