
Substitute (subs)

Description

In a given string, the first set of characters that matches an established regular expression is replaced by an indicated template. If no occurrence is found, the operation returns the original string or, when specified, an optional fail value. Use the Substitute all (subsall) operation to replace all the occurrences in the given string.

You can use the Template (template) and Regular expression, regexp (re) operations to transform the values in a string field into the required template and regexp data types.

How does it work in the search window?

Select Create field in the search window toolbar, then select the Substitute operation. You need to specify at least three arguments:

  • String to scan (mandatory) - data type: string. You can select a field in the table or enter a value manually.

  • Regular expression (mandatory) - data type: regexp. You can select a field in the table or enter a value manually. If you introduce it yourself, you can use the regexp syntax to establish grouping patterns.

  • Template (mandatory) - data type: template. You can select a field in the table or enter a value manually. If you introduce it yourself, you can use the capturing group syntax to make reference to specific groups established by the regular expression.

  • Fail value (optional) - data type: string. You can select a field in the table or enter a value manually.

The data type of the values in the new field is string.

Note that Devo automatically changes the strings manually entered in the Regular expression and Template arguments to the required regexp and template data types. If you want to use a field on these arguments, it must be a regexp/template type field. You can use the Regular expression, regexp (re) and Template (template) operations to transform a string field to the required data type.

Example

In the siem.logtrust.web.activity table, after converting the eventdate field to a string, we want to replace the first colon (:) in every value of our eventdate field with a hyphen (-). We will create a new field using the Substitute operation to do it.

  • String to scan - eventdate field

  • Regular expression - Click the pencil icon and enter → :

  • Template - Click the pencil icon and enter → -

Click Create field and you will see the following result:

We can also create a field in the siem.logtrust.web.activity table that substitutes the first dot in the srcHost IP addresses with a space. To do it, we will create a new field using the Substitute operation and we will call it Substitute. The arguments needed to create the new Substitute field are:

  • String to scan - srcHost field

  • Regular expression - Click the pencil icon and enter the following syntax to group the digits up to and including the first dot → ([0-9]+)\.*

  • Template - Click the pencil icon and make reference to the capturing group specified by the regular expression syntax, followed by a space → \1 followed by a space

If you are going to use the same regular expression and template several times, it is advisable to create fields using the Regular expression, regexp (re) and Template (template) operations and use them as arguments in the Substitute operations.

Click Create field and you will see the following result:

  • The first dot of the IP addresses has been substituted by a space.

If you want to substitute all the dots in the IP addresses, you can use either the Substitute all (subsall) operation with the same arguments or keep using this operation with some adjustments:

  • String to scan - srcHost field

  • Regular expression - Repeat the regular expression syntax used before as many times as groups needed → ([0-9]+)\.*([0-9]+)\.*([0-9]+)\.*

  • Template - Make reference to as many capturing groups as groups defined by the regular expression syntax, each followed by a space → \1 \2 \3 (each group reference followed by a space)

Click Create field and you will see the following result:

  • The dots of the IP addresses have been substituted by spaces.

How does it work in LINQ?

Use the operator select... as... and add the operation syntax to create the new field. These are the valid formats for the Substitute operation:

  • subs(string, re(string), template(string))

  • subs(string, re(string), template(string), fail_value_string)

  • subs(string, regexp, template)

  • subs(string, regexp, template, fail_value_string)

Note that when you enter a string value as a regular expression and template using LINQ, you have to transform them to regexp and template format using the Regular expression, regexp (re) and Template (template) operations, as you can see in the examples. This is not needed if you perform this operation directly from the search window interface, as said above.

Example

You can copy the following LINQ script and try the previous examples on the siem.logtrust.web.activity table.

from siem.logtrust.web.activity select str(eventdate) as eventdate_string, subs(eventdate_string, re(":"), template("-")) as eventdate_subs
from siem.logtrust.web.activity select subs(srcHost, re("([0-9]+)\\."), template("\\1 ")) as srcHost_Substituted, subsall(srcHost, re("([0-9]+)\\.([0-9]+)\\.([0-9]+)\\."), template("\\1 \\2 \\3 ")) as subsall_srcHost
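The following Python model of the subs / subsall semantics described on this page (first match vs. all matches, \1-style group references in the template, fail value when nothing matches) is an added example and not Devo's own implementation; the eventdate and srcHost values are constructed sample inputs.

```python
import re
from typing import Optional


def subs(text: str, regex: str, template: str, fail_value: Optional[str] = None) -> str:
    """Replace only the FIRST match of `regex` in `text` with `template`.

    `template` may reference capturing groups as \\1, \\2, ... like the Devo
    Template argument. With no match, return `fail_value` when given,
    otherwise the original string (the behaviour documented above).
    """
    result, count = re.subn(regex, template, text, count=1)
    if count == 0:
        return text if fail_value is None else fail_value
    return result


def subsall(text: str, regex: str, template: str, fail_value: Optional[str] = None) -> str:
    """Same as subs(), but replace EVERY match (the Substitute all operation)."""
    result, count = re.subn(regex, template, text)
    if count == 0:
        return text if fail_value is None else fail_value
    return result


# Constructed sample values standing in for str(eventdate) and srcHost.
EVENTDATE_STRING = "2024-05-06 12:34:56"
SRC_HOST = "192.0.2.10"  # documentation address range, not a real host


def page_examples() -> dict:
    """Run the page's examples; the LINQ regexes use \\. (exactly one dot)."""
    return {
        # first colon -> hyphen; the second colon is untouched
        "eventdate_subs": subs(EVENTDATE_STRING, ":", "-"),
        # group the digits up to the first dot, re-emit them plus a space
        "first_dot": subs(SRC_HOST, r"([0-9]+)\.", r"\1 "),
        # three groups in one regex: subs still does a single replacement
        "three_groups": subs(SRC_HOST, r"([0-9]+)\.([0-9]+)\.([0-9]+)\.", r"\1 \2 \3 "),
        # subsall with a one-group regex reaches the same result
        "subsall_dots": subsall(SRC_HOST, r"([0-9]+)\.", r"\1 "),
        # no colon present: fail value when given, original string otherwise
        "no_match_fail": subs("no-colon-here", ":", "-", fail_value="N/A"),
        "no_match_default": subs("no-colon-here", ":", "-"),
    }
```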