| Table of Contents | ||||
|---|---|---|---|---|
|
...
You can use the Template (template) and Regular expression, regexp (re) operations to transform the values in a string column field into the required template and regexp data types.
How does it work in the search window?
Select Create column field in the search window toolbar, then select the Substitute all operation. You need to specify three arguments:
Argument | Data type | More information |
|---|---|---|
String to scan | string | You can select a column field in the table or enter a value manually. |
Regular expression | regexp | You can select a column field in the table or enter a value manually. If you introduce it yourself, you can use the regexp syntax to establish grouping patterns. |
Template | template | You can select a column field in the table or enter a value manually. If you introduce it yourself, you can use the capturing group syntax to make reference to specific groups established by the regular expression. |
The data type of the values in the new column field is string.
| Note |
|---|
Note that Devo automatically changes the strings manually entered in the Regular expression and Template arguments to the required regexp and template data types. If you want to use a column field on these arguments, it must be a regexp/template type columnfield. You can use the Regular expression, regexp (re) and Template (template) operations to transform a string column field to the required data type. |
Example
In the demosiem.logrust.ecommerceweb.dataactivity table, we want to replace all the (:-) occurrences in every string of our timestamp column headers field by a (-:). To do it, we will create a new column field using the Substitute all operation.
String to scan- timestamp column headers field
Regular expression - Click the pencil icon and enter → :-
Template - Click the pencil icon and enter → -:
...
Click Create columnfield and you will see the following result:
...
We can also create a column field in the demosiem.logtrust.ecommerceweb.dataactivity table that substitutes the dots in IP addresses Source Hosts by spaces. To do itthis, we will create a new column field using the Substitute all operation and we will call it Substituteall. Before that, we need to transform the clientIpAddress column into string type using the to string (str) operation and we will call it IPstring.Once we have the IPstring column, the The arguments needed to create the new Substitute column Substitute field are:
String to scan- IPstring column srcHost field
Regular expression - Click the pencil icon and enter the following syntax to group up to the first dot→ ([0-9]+)\.*
Template - Click the pencil icon and make reference to the capturing group specified by the regular expression syntax, followed by a space → \1
Status subtle true title space
| Info |
|---|
If you are going to use the same regular expression and template several times, it is advisable to create column using field using the Regular expression, regexp (re) and Template (template) operations and use them as arguments in the substitute operations. |
Click Create columnfield and you will see the following result:
...
Use the operator select... as... and add the operation syntax to create the new columnfield. These are the valid formats for the Substitute all operation:
...
| Note |
|---|
Note that when you enter a string value as a regular expression and template using LINQ, you have to transform them to regexp and template format using the Regular expression, regexp (re) and Template (template) operations, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface, as said above. |
Example
You can copy the following LINQ script and try the previous examples on the demo.ecommerce.datathe siem.logtrust.web.activitytable.
| Code Block |
|---|
from demosiem.logtrust.ecommerceweb.dataactivity select subsall(timestampsrcHost, re(":([0-9]+)\\.*"), template("-\\1 ")) as substitutesubstituteall_timestamp_allsrcHost |
| Code Block |
|---|
from demosiem.logtrust.ecommerceweb.dataactivity select str(clientIpAddress) as IPstring, subsall(IPstringheaders, re("([0-9]+)\\.*"), template("\\1 :")) as Substitutesubstitute_all_headers |