...
How does it work in the search window?
Select Create field in the search window toolbar, then select the Peek operation. You need to specify at least two arguments:
Argument | Data type |
---|---|
String (mandatory) | string |
Pattern (mandatory) | regexp |
Capturing group | integer |
The data type of the values in the new field is string.
Info |
---|
Take care when using strings containing the Given messages like these already ingested in Devo:
To retrieve the email address value, you can use this code:
|
Example
In the siem.logtrust.web.activity table, we want to extract only the days of our eventdate_string field. To do this, we will create a new field using the Peek operation.
...
Note |
---|
When you use the Peek operation in a LINQ query, you must use the Regular expression, regexp operation to transform the string value entered to regexp format. To do it, add the When you apply this operation in the search window interface, Devo automatically transforms your string value to regexp data type, so you don't need to do anything. |
Example
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table.
Code Block |
---|
from siem.logtrust.web.activity select str(eventdate) as `eventdate string`, peek(`eventdate string`, re(".\\d"), 0) as timestamppeek_dayseventdate |