Document toolboxDocument toolbox

Peek (peek)

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: May 10, 2023 by Former user (Deleted)
2 min read
[ 1 Description ] [ 2 How does it work in the search window? ] [ 3 How does it work in LINQ? ]

Description

The new field returns the part of a string that matches a given regular expression. Optionally, you can add a capturing group to get a specific substring in case of several matches (being the capturing group 0 the first occurrence).

The syntax used by Devo for this operation is Java syntax. Check this article to know more about Java language and syntax to construct your own regular expressions. If you want a broader overview of the concept and uses of regular expressions, you can read this article.

How does it work in the search window?

Select Create field in the search window toolbar, then select the Peek operation. You need to specify at least two arguments:

Argument

Data type

Argument

Data type

String mandatory

string

Pattern mandatory

regexp

Capturing group

integer

The data type of the values in the new field is string.

Take care when using strings containing the \ escape character. For every \ in the string you must add \\\\ (4), resulting in a total of \\\\\ (5). This is because the Java compiler needs \\ and the regex engine also needs \\.

Given messages like these already ingested in Devo:

{\"request\":{\"Id\":23456,\"Email\":\marketing@devo.com"\",\"Company\":\"Devo\",\"Team\":\"Marketing\"}}

{\"request\":{\"Id\":34567,\"Email\":\sales@devo.com\",\"Company\":\Devo\",\"Team\":\"Sales\"}}

{\"request\":´\"Id\":12345,\"Email\":\"support@devo.com\",\"Company\":\"Devo\",\"Team\":\"Customer Support\"}}

To retrieve the email address value, you can use this code:

select peek(message, re("\\\\\"Email\\\\\":\\\\\"(.*?)\\\\\""),1) as email

Example

In the siem.logtrust.web.activity table, we want to extract only the days of our eventdate_string field. To do this, we will create a new field using the Peek operation.

The arguments needed to create the new field are:

  • String - eventdate_string field

  • Pattern - Click the pencil icon and enter .\d

  • Capturing group - Click the pencil icon and enter 0

Click Create column and you will see the following result:

How does it work in LINQ?

Use the operator select... as...  and add the operation syntax to create the new column. This is the syntax for the Peek operation:

  • peek(string, re(string))

  • peek(string, regexp)

  • peek(string, re(string), capturing_group_integer)

  • peek(string, regexp, capturing_group_integer)

When you use the Peek operation in a LINQ query, you must use the Regular expression, regexp operation to transform the string value entered to regexp format. To do it, add the re() syntax as in the above examples.

When you apply this operation in the search window interface, Devo automatically transforms your string value to regexp data type, so you don't need to do anything.

Example

You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table. 

from siem.logtrust.web.activity select str(eventdate) as `eventdate string`, peek(`eventdate string`, re(".\\d"), 0) as peek_eventdate