Versions Compared

Old Version 9

changes.mady.by.user Borja Moro Moreno

Saved on

compared with

New Version Current

changes.mady.by.user Borja Moro Moreno

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
typeflat

...

How does it work in the search window?

Select Create field in the search window toolbar, then select the Split operation. You need to specify two arguments, plus a third optional argument:

Argument

Description

Data type

Split mandatory

The string you want to split or extract as an array.

string

by separator mandatory

The separator you want to identify in the string.

string

and return piece

The position of the piece you want to extract, counting from 0. A piece is defined by a closing separatorPieces are the distinct segments obtained from the division made by the separators.

integer

The data type of the values in the new field is array when used with 2 arguments and string when used with 3 arguments.

Example (with 2 arguments)

In the siem.logtrust.web.activity table, we  we want to create a new field to show only the hour value in each string of the userid column. We need to get the part of the string that comes between the first and second : occurence. Using the - value as separator, each value will be split into different pieces. To the userid field as an array. To do this, we will create a new field using the Split operation.

The arguments need to create the new field are:

  • Split - userid column

  • by separator - Click the pencil icon and enter -

Click Create column and you will see the following result:

...

Example (with 3 arguments)

In the siem.logtrust.web.activity table, we want to create a new field to show only the second segment of the userid field. To do this, we will create a new field using the Split operation.

The arguments needed need to create the new column field are:

  • Split - userid userid column

  • by separator - Click the pencil icon and enter -

  • and return piece - Click the pencil icon and enter(remember the count starts as 0, so you must enter 1 to get the second piece).

...

Click Create column and you will see the following result:

...

  • split(string, "separator_string")

  • split(string, "separator_string", piece_integer)

  • split(string, "separator_string") [piece_integer]

Example

You can copy the following LINQ scripts and try the above examples on the siem.logtrust.web.activity table. 

Code Block
from siem.logtrust.web.activity
  select split(userid, "-", 1) as array_userid
Code Block
from siem.logtrust.web.activity
  select split(userid, "-", 1) as piece2_userid