
regex

Parses the content from table rows according to the regular expression defined in the operator. For each row, the operator outputs the parsed value.

The output is null for any rows with patterns that can't be parsed.

Operator Usage in Easy Mode

  1. Click + on the parent node.

  2. Enter the Regex operator in the search field and select the operator from the Results to open the operator form.

  3. In the Table drop-down, enter or select the name of the table to which the operator is applied.

  4. In the Input Field drop-down, enter or select the name of the column from the input table that has to be parsed.

  5. In the Regex field, enter the expression for the pattern which has to be parsed from the messages.

  6. Click Run to view the result.

  7. Click Save to add the operator to the playbook.

  8. Click Cancel to discard the operator form.

Usage Details

LQL Command

regex(table:TableReference, inputField: ColumnReference, regex:String, columns: String?)

Input

  • table (TableReference): The table to which the operator is applied.

  • inputField (ColumnReference): The name of the column from the input table that has to be parsed

  • regex (String): Regex for the pattern which has to be parsed from the messages.

  • columns (String): Optional field for passing comma-separated names for the generated columns. If this field is not passed, the generated column names are decided automatically.

Output
A table (parsed fields, original_message) is returned.

Example

Input = Create_Custom_Data

Create_Custom_Data contains the following data:

| event_time_epoch | source_ip | event_category | username |
|---|---|---|---|
| 1610469824546 | 1.2.3.4 | UserLoginSuccess | John |
| 1610469824892 | 3.3.3.3 | UserLoginFailed | Sam |

LQL Command

regex(Create_Custom_Data, $.event_category, "User(.*?)", "RegexData")

Note

The **User(.*?)** is a regular expression that expects the pattern to match the entire line.
For example, when 'User(.*?)' is applied to the event_category column of the input table, the value 'UserLoginSuccess' is written to a new column 'RegexData' in the output table as 'LoginSuccess'.

Output

| event_category | event_time_epoch | source_ip | username | RegexData |
|---|---|---|---|---|
| UserLoginSuccess | 1610469824546 | 1.2.3.4 | John | LoginSuccess |
| UserLoginFailed | 1610469824892 | 3.3.3.3 | Sam | LoginFailed |
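
The following Python example is added here and is not the product's implementation or LQL: it emulates the behaviour this page describes (whole-value matching, capture groups written to new columns, null for rows that cannot be parsed) so a pattern can be checked offline before it goes into a playbook. The names regex_operator, column and full_match, the auto-generated column names, and the third sample row are assumptions made for the example.

```python
import re

# Constructed rows: the first two mirror Create_Custom_Data on this page,
# the third is an extra constructed row that the pattern cannot parse.
ROWS = [
    {"event_time_epoch": 1610469824546, "source_ip": "1.2.3.4",
     "event_category": "UserLoginSuccess", "username": "John"},
    {"event_time_epoch": 1610469824892, "source_ip": "3.3.3.3",
     "event_category": "UserLoginFailed", "username": "Sam"},
    {"event_time_epoch": 1610469825000, "source_ip": "5.5.5.5",
     "event_category": "AdminLogout", "username": "Eve"},
]


def regex_operator(rows, input_field, pattern, columns=None, full_match=True):
    """Hypothetical emulation: one output row per input row, capture groups
    become new columns, rows that cannot be parsed get None (null)."""
    compiled = re.compile(pattern)
    if columns:
        names = [c.strip() for c in columns.split(",")]
    else:
        # Assumption: the product's automatic naming scheme is not documented here.
        names = [f"group_{i + 1}" for i in range(compiled.groups)]
    if len(names) != compiled.groups:
        raise ValueError("one column name is needed per capture group")
    out = []
    for row in rows:
        value = row.get(input_field)
        match = None
        if isinstance(value, str):
            # full_match=True requires the pattern to cover the whole value.
            match = compiled.fullmatch(value) if full_match else compiled.search(value)
        parsed = match.groups() if match else (None,) * len(names)
        out.append({**row, **dict(zip(names, parsed))})
    return out


def column(rows, name):
    """Return one column of a result table as a list."""
    return [row[name] for row in rows]


if __name__ == "__main__":
    whole = regex_operator(ROWS, "event_category", r"User(.*?)", "RegexData")
    partial = regex_operator(ROWS, "event_category", r"User(.*?)", "RegexData",
                             full_match=False)
    print(column(whole, "RegexData"))
    print(column(partial, "RegexData"))
```

With whole-value matching the lazy group has to expand to the end of the value, which is why the example on this page yields 'LoginSuccess'; a search-style match would stop at an empty capture.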