Splits a string by specifying a regular expression by which to split.
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| field | string | No | @rawstring | Field that needs splitting |
| by | string | Yes | String/regex to split by | |
| index | number | No | Emit only this index after splitting. Can be negative; -1 designates the last element. | |
| as | string | No | _splitstring | Emit selected attribute using this name |
field is the unnamed parameter.
Assuming an event has the @rawstring “2007-01-01 test bar” you can split the string into attributes part[0], part[1], and part[2]
... | part := splitString(field=@rawstring, by=" ")
Assuming an event has the @rawstring “2007-01-01 test bar” you can split pick out the date part using
... | date := splitString(field=@rawstring, by=" ", index=0)
Assuming an event has the @rawstring “<2007-01-01>test;bar” you can split the string into attributes part[0], part[1], and part[2]. In this case, the splitting string is a regex specifying any one of the characters <, >, or ;
... | part := splitString(field=@rawstring, by="[<>;]")
Split an event into multiple events by newlines. The first function splitString() creates @rawstring[0], @rawstring[1], … for each line, and the following split() creates the multiple events from the ‘array’ of rawstrings.
... | splitString(by="\n", as=@rawstring) | split(@rawstring)