Split regexp (splitre)
- Juan Tomás Alonso Nieto (Deactivated)
- Sarah Bigault (Deactivated)
- Former user (Deleted)
Description
Splits a string by a given regular expression and returns only the selected piece (counting from 0).
How does it work in the search window?
Select Create field in the search window toolbar, then select the Split regexp operation. You need to specify three arguments:
Argument | Data type |
|---|---|
Split mandatory | string |
by regexp mandatory | regexp |
and return piece mandatory | integer |
The data type of the values in the new field is string.
Example
In the siem.logtrust.web.activity table, we want to create a new field, having used the to string argument to convert the eventdate column to string. We need to use the part of the string that comes after the third : ocurrence as separator and return only the first piece of each value. For example, in the event value 24/Jun/2019:07:25:52 +0000 the separator will be :52, so the value returned will be24/Jun/2019:07:25. To do this, we will create a new column using the Split regexp operation.
The arguments needed to create the new field are:
Split regexp - eventdate_string column
by regexp - Click the pencil icon and enter :.. +
and return piece - Click the pencil icon and enter 0 (remember the count starts as 0)
Click Create field.
How does it work in LINQ?
Use the operator select... as... and add the operation syntax to create the new column. This is the syntax for the Split regexp operation:
splitre(string, re(string), piece_integer)splitre(string, regexp, piece_integer)
Example
You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table.Â
from siem.logtrust.web.activity
select str(eventdate) as eventdate_string,
splitre(eventdate_string, re(":.. +"), 0) as split_eventdate