| Table of Contents | ||||
|---|---|---|---|---|
|
...
How does it work in the search window?
Select Create field in the search window toolbar, then select the Split operation. You need to specify two arguments, plus a third optional argument:
Argument | Description | Data type |
|---|---|---|
Split mandatory | The string you want to split or extract as an array. | string |
by separator mandatory | The separator you want to identify in the string. | string |
and return piece | The position of the piece you want to extract, counting from 0. A piece is defined by a closing separatorPieces are the distinct segments obtained from the division made by the separators. | integer |
The data type of the values in the new field is array when used with 2 arguments and string when used with 3 arguments.
Example
In the siem.logtrust.web.activity table, we want to create a new field to show only the hour value in each string of the userid column. We need to get the part of the string that comes between the first and second : occurence. Using the - value as separator, each value will be split into different pieces. To do this, we will create a new field using the Split operation.
...
split(string, "separator_string")split(string, "separator_string", piece_integer)split(string, "separator_string") [piece_integer]
Example
You can copy the following LINQ scripts and try the above examples on the siem.logtrust.web.activity table.
| Code Block |
|---|
from siem.logtrust.web.activity select split(userid, "-", 1) as array_userid |
...