Split (split)

Description

Transforms a string with a given separator into an array (recommended use). It also splits a string with a given separator and returns only the selected piece (counting from 0).

How does it work in the search window?

Select Create field in the search window toolbar, then select the Split operation. You need to specify two arguments, plus a third optional argument:

Argument | Description | Data type
--- | --- | ---
Split (mandatory) | The string you want to split or extract as an array. | string
by separator (mandatory) | The separator you want to identify in the string. | string
and return piece | The position of the piece you want to extract, counting from 0. Pieces are the distinct segments obtained from the division made by the separators. | integer

The data type of the values in the new field is array when used with 2 arguments and string when used with 3 arguments.

Example (with 2 arguments)

In the siem.logtrust.web.activity table, we want to create a new field to show the userid field as an array. To do this, we will create a new field using the Split operation.

The arguments needed to create the new field are:

  • Split - userid column

  • by separator - Click the pencil icon and enter -

Click Create column and you will see the following result:

[Image: 5_split.png]

Example (with 3 arguments)

In the siem.logtrust.web.activity table, we want to create a new field to show only the second segment of the userid field. To do this, we will create a new field using the Split operation.

The arguments needed to create the new field are:

  • Split - userid column

  • by separator - Click the pencil icon and enter -

  • and return piece - Click the pencil icon and enter 1 (remember the count starts at 0, so you must enter 1 to get the second piece).

Click Create column and you will see the following result:

[Image: 10_split.png]

How does it work in LINQ?

Use the operator select... as... and add the operation syntax to create the new column. This is the syntax for the Split operation:

  • split(string, "separator_string")

  • split(string, "separator_string", piece_integer)

  • split(string, "separator_string") [piece_integer]

Example

You can copy the following LINQ scripts and try the above examples on the siem.logtrust.web.activity table.

from siem.logtrust.web.activity select split(userid, "-") as array_userid
from siem.logtrust.web.activity select split(userid, "-", 1) as piece2_userid