...
How does it work in the search window?
Select Create field in the search window toolbar, then select the Split operation. You need to specify two arguments, plus a third optional argument:
Argument | Description | Data type |
---|---|---|
Split (mandatory) | The string you want to split or extract as an array. | string |
by separator (mandatory) | The separator you want to identify in the string. | string |
and return piece (optional) | The position of the piece you want to extract, counting from 0. Pieces are the distinct segments obtained from the division made by the separators. | integer |
The data type of the values in the new field is array when used with 2 arguments and string when used with 3 arguments.
Example (with 2 arguments)
In the siem.logtrust.web.activity table, we want to create a new field that shows the userid field as an array. To do this, we will create a new field using the Split operation.
The arguments needed to create the new field are:
Split - userid column
by separator - Click the pencil icon and enter - (a hyphen)
Click Create column and you will see the following result:
...
Example (with 3 arguments)
In the siem.logtrust.web.activity table, we want to create a new field that shows only the second segment of the userid field. To do this, we will create a new field using the Split operation.
...
split(string, "separator_string")
split(string, "separator_string", piece_integer)
split(string, "separator_string") [piece_integer]
Example
You can copy the following LINQ scripts and try the above examples on the siem.logtrust.web.activity table.
```
from siem.logtrust.web.activity
select split(userid, "-") as array_userid
```

```
from siem.logtrust.web.activity
select split(userid, "-", 1) as piece2_userid
```