Substring (substring)
Description
Extracts a substring from a given string, indicating the position starting character. Optionally, you can indicate the length of the substrings. If the length is not specified, you will get all the characters from the starting point indicated.
How does it work in the search window?
Select Create field in the search window toolbar, then select the Substring operation. This operation needs at least two arguments:
Argument | Data type | More information |
---|---|---|
Original string mandatory | string | - |
Starting from character mandatory | integer | Position of the starting character of the substrings. |
Length of substring | integer | The number of characters you want your substrings to have. If not indicated, you will get all the characters from the starting point indicated. |
The data type of the values in the new field is string.
Example
In the siem.logtrust.web.activity
table, we want to get only the part indicating the month in our eventdate field. First, we must convert this field to string using the to string operation. We will create a new field using the Substring operation to do . Let's call the new field substrings
The arguments needed to create the new field are:
Original string - eventdate_string field
Starting from character - 3
Length of substring - 3
Click Create field and you will see the following result:
How does it work in LINQ?
Use the operator select
... as
... and add the operation syntax to create the new field. These are the valid formats of the Substring operation:
substring(string, starting_position_integer)
substring(string, starting_position_integer, length_integer)
Example
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity
table.Â
from siem.logtrust.web.activity
select str(eventdate) as eventdate_string,
substring(eventdate_string, 3, 3) as substring