Substring in splunk


String manipulation

concat(values)

Combines string values. This function accepts a variable number of arguments.

Function Input
values: collection<string>
Function Output
string

1. SPL2 example

Returns Jane A Smith in the field.

When working in the SPL View, you can write the function by using the following syntax.

...| eval host=concat("Jane", " ", "A", " ", "Smith");

2. SPL2 example

Prepends "asa_" to the value of "source_type".

When working in the SPL View, you can write the function by using the following syntax.

...| eval source_type=concat("asa_", source_type);

3. SPL2 example

Alternatively, you can use named arguments.

...| eval host=concat(values: ["Jane", " ", "A", " ", "Smith"]);

extract_grok(input, pattern)

Extracts matching groups with a Grok-compatible pattern and returns a map of group names to matching groups when the pattern is matched against the input. It returns null if the input is null or the pattern is invalid.

Function Input
input: string
pattern: string
Function Output
map<string, string>

SPL2 examples

Returns "IPV4": "10.10.10.10" in ip_address.

When working in the SPL View, you can write the function by using the following syntax.

... | eval ip_address=extract_grok("FOO 10.10.10.10 BAR", "%{IPV4}");

Alternatively, you can use named arguments to list the arguments in any order.

... | eval ip_address=extract_grok(pattern: "%{IPV4}", input: "FOO 10.10.10.10 BAR");

extract_key_value(input, key_value_delimiter, pair_delimiter)

Extracts the key-value pairs and returns a map of the key-value pairs. The keys and values are separated with a key value delimiter, and pairs are separated with a pair delimiter. It returns null if the input is null or the key value delimiter is null or empty.

Function Input
input: string
key_value_delimiter: string
pair_delimiter: string
Function Output
map<string, string>

1. SPL2 example

Returns {"key1":"value1","key2":"value2","key3":"value3"}.

When working in the SPL View, you can write the function by using the following syntax.

| eval n=extract_key_value("key1=value1;key2=value2;key3=value3", "=", ";");

2. SPL2 example

Extracts key-value pairs from body.

When working in the SPL View, you can write the function by using the following syntax.

...| eval extracted_body=extract_key_value(cast(body, "string"), "=", " ");

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order.

| eval n=extract_key_value(key_value_delimiter: "=", pair_delimiter: ";", input: "key1=value1;key2=value2;key3=value3");

extract_regex(input, pattern)

Extracts capturing groups from inputs with regular expressions and returns a map of all extracted, matched fields in the format: . If you do not name the capturing group, the group names are returned as "1", "2", "3", "N", etc. For example, extract_regex with the regex returns a map with the key host whose value is the value of the extracted capture group. For a non-named capture group, extract_regex with the regex will return a map with key 1 whose value is the value of the extracted capture group. To name your capturing group, start your regular expression pattern with , as shown in the SPL2 examples. Use this function if you want your extracted data to be nested in a single field.

Function Input
input: string
pattern: regular expression pattern
Function Output
map<string, string>

1. SPL2 example

Extracts ASA-x-xxxxxx values from the body field using a named capturing group.

When working in the SPL View, you can write the function by using the following syntax.

...| eval asa=extract_regex(cast(body, "string"), /(?<ASA>ASA-\d-\d{6})/i);

2. SPL2 example

Extracts a six-digit number from value and places that value in the field numbers.

When working in the SPL View, you can write the function by using the following syntax.

...| select extract_regex(to_string(value), /\d{6}/) AS numbers;

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order.

...| eval asa=extract_regex(pattern: /(?<ASA>ASA-\d-\d{6})/i, input: cast(body, "string"));

len(str)

Returns the character length of a string str.

Function Input
str: string
Function Output
integer

SPL2 examples

Filters records by character limit.

When working in the SPL View, you can write the function by using the following syntax.

...| where 6=len(source);

Alternatively, you can use named arguments.

...| where 6=len(str: source);

lower(str)

Converts a string to lowercase.

Function Input
str: string
Function Output
string

SPL2 examples

Filters records by source .

When working in the SPL View, you can write the function by using the following syntax.

...| where source=lower("BAR");

Alternatively, you can use named arguments.

...| where source=lower(str: "BAR");

ltrim(str, strip_chars)

This function takes two arguments. The required argument is str, a string. This function also takes an optional argument strip_chars, also a string. This function returns either str with whitespaces removed from the left side or str with the characters in strip_chars trimmed from the left side.

Function Input
str: string
(Optional) strip_chars: string
Function Output
string

1. SPL2 example

Returns "abcZZ ".

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=ltrim(" ZZZZabcZZ ", " Z");

2. SPL2 example

Returns "abc ".

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=ltrim(" abc ");

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order.

...| eval n=ltrim(strip_chars: " Z", str: " ZZZZabcZZ ");

match_regex(input, pattern)

Checks if a string field contains a specified string using a regular expression pattern. Since this function takes a regular expression as input, you need to enclose the pattern argument in forward slashes (/ /). Returns true if the regular expression finds a match in the input string, otherwise returns false.

If you want to do a string match and your input contains a lot of special characters that require special escaping, consider using the match_wildcard function instead.

The match_regex function does a substring match by default. In order to do a full string match, you must use the regular expression anchors ^ and $.

Function Input
input: string
pattern: regular expression
Function Output
boolean

1. SPL2 example

Filters records that contain an ASA number in body.

When working in the SPL View, you can write the function by using the following syntax.

...| where match_regex(cast(body, "string"), /%ASA-\d-\d{6}/);

Alternatively, you can use named arguments to list the arguments in any order.

...| where match_regex(pattern: /%ASA-\d-\d{6}/, input: cast(body, "string"));

2. SPL2 example

Assume that your data contains and . Returns true for but not .

When working in the SPL View, you can write the function by using the following syntax.

...| eval n = match_regex(cast(body, "string"), /a.c/);

3. SPL2 example

Returns true.

When working in the SPL View, you can write the function by using the following syntax.

... | eval n = match_regex("myPay", /Pay/);

4. SPL2 example

Returns false.

When working in the SPL View, you can write the function by using the following syntax.

... | eval n = match_regex("myPay", /^Pay/);

match_wildcard(input, pattern)

Checks if a string field contains a specified substring without using regular expressions, except for the wildcard character *. Returns true if the substring has been found, otherwise returns false.

The function is a convenience function for the commonly used regular expression pattern . When you use , characters aside from that are normally considered to be special characters in a regular expression are automatically escaped. Therefore, use when your input has a large number of special characters that would normally need special escaping.

The match_wildcard function always does a substring match. If you want to do a full string match, use match_regex with anchors instead.

Function Input
input: string
pattern: string
Function Output
boolean

1. SPL2 example

Returns true in sensitive_info when Credit is anywhere in the body field.

When working in the SPL View, you can write the function by using the following syntax.

...| eval sensitive_info=match_wildcard(cast(body, "string"), "Credit");

Alternatively, you can use named arguments to list the arguments in any order.

...| eval sensitive_info=match_wildcard(pattern: "Credit", input: cast(body, "string"));

2. SPL2 example

Assume that your data contains and . Returns true for both and .

When working in the SPL View, you can write the function by using the following syntax.

... | eval n=match_wildcard(cast(body, "string"), "a*c");

3. SPL2 example

Returns true when the strings are found in the field.

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=match_wildcard(cast(body, "string"), "switched from * to *");

4. SPL2 example

Returns false, because the ^ anchor and \d pattern are treated as the literal string characters ^ and \d. Note that the backslash character is a special character in SPL2, and therefore needs to be explicitly escaped in order for the pipeline to validate.

When working in the SPL View, you can write the function by using the following syntax.

... | eval n=match_wildcard("event5", "^event\\d");
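The matching rules described above for match_regex and match_wildcard, modeled in Python as an added example (it is not Splunk's implementation and not code from the original page). It assumes * matches any run of characters and every other character is literal; the host names are constructed sample values.

```python
import re


def match_regex(value, pattern):
    # Substring semantics: the pattern may match anywhere in the value
    # unless the pattern itself carries the ^ and $ anchors.
    return re.search(pattern, value) is not None


def wildcard_to_regex(pattern):
    # Assumption: '*' means "any run of characters". Every other character,
    # including regex metacharacters such as ^ . \ and $, is escaped.
    return ".*".join(re.escape(piece) for piece in pattern.split("*"))


def match_wildcard(value, pattern):
    # Always a substring match; anchors cannot be expressed here because
    # they are escaped into literals by wildcard_to_regex().
    return re.search(wildcard_to_regex(pattern), value, re.DOTALL) is not None


# Constructed sample host values, not real telemetry.
SAMPLE_HOSTS = [
    "mail.example.com",
    "mail.example.com.attacker.test",
    "notmail.example.com",
    "mail-example.com",
]


def hosts_matching(pattern):
    """Hosts a filter built on match_regex would keep for this pattern."""
    return [h for h in SAMPLE_HOSTS if match_regex(h, pattern)]


def hosts_wildcard(pattern):
    """Hosts a filter built on match_wildcard would keep for this pattern."""
    return [h for h in SAMPLE_HOSTS if match_wildcard(h, pattern)]


if __name__ == "__main__":
    # The page's own examples.
    print(match_regex("myPay", "Pay"))             # substring match
    print(match_regex("myPay", "^Pay"))            # anchored at the start
    print(match_wildcard("event5", r"^event\d"))   # ^ and \d become literals

    # Unanchored, unescaped pattern: '.' matches any character and the match
    # may start or end anywhere, so every sample host passes the filter.
    print(hosts_matching(r"mail.example.com"))
    # Wildcard match escapes the dots but is still a substring match.
    print(hosts_wildcard("mail.example.com"))
    # Escaped and anchored: only the exact host passes.
    print(hosts_matching(r"^mail\.example\.com$"))
```

When a filter is meant as an exact allow-list or deny-list check on a field, only the anchored, escaped form restricts the match to the intended value.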

replace(str, pattern, rep)

This function returns a string formed by substituting string rep for every occurrence of regex string pattern in string str. The third argument can also reference groups that are matched in the regex.

Function Input
str: string
pattern: regular expression pattern
rep: string
Function Output
string

1. SPL2 example

Returns the body field with phone numbers redacted.

When working in the SPL View, you can write the function by using the following syntax.

...| eval body=replace(cast(body, "string"), /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/, "<redacted>");

2. SPL2 example

This example uses a capture group to format the replacement string. The result "foobar" is placed in a new top-level field called newfield.

When working in the SPL View, you can write the function by using the following syntax.

... | eval newfield=replace("bar", /(bar)/, "foo$1");

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order.

...| eval body=replace(str: cast(body, "string"), rep: "<redacted>", pattern: /[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}/);
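The redaction example above, modeled in Python as an added example (not Splunk's implementation and not code from the original page). It applies the page's phone-number pattern to constructed log lines and then checks which lines still carry a phone-like value; the spl_replace helper, the LEFTOVER check pattern and the sample lines are assumptions made for this illustration.

```python
import re

# The pattern used in the page's redaction example.
PHONE = r"[0-9]{3}[-.][0-9]{3}[-.][0-9]{4}"

# Hypothetical broader check used only to audit the redacted output:
# optional parentheses and space, dot or dash separators.
LEFTOVER = re.compile(r"\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")


def spl_replace(value, pattern, rep):
    """Model of replace(str, pattern, rep) with $N capture-group references."""
    def expand(match):
        # Substitute each $N in rep with the text of capture group N.
        return re.sub(r"\$(\d+)",
                      lambda ref: match.group(int(ref.group(1))) or "",
                      rep)
    return re.sub(pattern, expand, value)


# Constructed sample events, not real data.
SAMPLE_LINES = [
    "user=alice phone=555-010-0142 action=login",
    "user=bob phone=555.010.0177 action=reset",
    "user=carol phone=(555) 010-0199 action=login",
    "user=dave phone=555 010 0123 action=login",
]


def redact(lines):
    """Apply the page's redaction to every line."""
    return [spl_replace(line, PHONE, "<redacted>") for line in lines]


def still_exposed(lines):
    """Redacted lines that still contain a phone-like value."""
    return [line for line in redact(lines) if LEFTOVER.search(line)]


if __name__ == "__main__":
    print(spl_replace("bar", r"(bar)", "foo$1"))  # the page's capture-group example
    for line in redact(SAMPLE_LINES):
        print(line)
    # Formats with spaces or parentheses are not covered by the pattern.
    print(still_exposed(SAMPLE_LINES))
```

Running a broader audit pattern over the redacted output is a cheap way to find formats the redaction regex does not cover before the data leaves the pipeline.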

rtrim(str, strip_chars)

This function takes two arguments. The required argument is str, a string. This function also takes an optional argument strip_chars, also a string. This function returns either str with whitespaces removed from the right side or str with the characters in strip_chars trimmed from the right side.

Function Input
str: string
(Optional) strip_chars: string
Function Output
string

1. SPL2 example

Returns " ZZZZabc".

When working in the SPL View, you can write the function by using the following syntax.

... | eval n=rtrim(" ZZZZabcZZ", " Z");

2. SPL2 example

Returns " abc".

When working in the SPL View, you can write the function by using the following syntax.

... | eval n= rtrim(" abc ");

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order.

... | eval n=rtrim(strip_chars: " Z", str: " ZZZZabcZZ");

spath(input, path)

For documentation on the spath function, see spath.

substr(str, start, length)

This function takes three arguments. The required arguments are str, a string, and start, an integer. This function also takes an optional argument length, also an integer. This function returns a substring of str, starting at the index specified by start with the number of characters specified by length.

Function Input
str: string
start: integer
(Optional) length: integer
Function Output
string

SPL2 examples

Returns "foo".

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=substr("foobar", 1, 3);

Alternatively, you can use named arguments to list the arguments in any order.

...| eval n=substr(str: "foobar", length: 3, start: 1);

trim(str, strip_chars)

This function takes two arguments. The required argument is str, a string. This function also takes an optional argument strip_chars, also a string. This function returns either str with whitespaces removed from both sides or str with the characters in strip_chars trimmed from both sides.

Function Input
str: string
(Optional) strip_chars: string
Function Output
string

1. SPL2 example

Returns "abc".

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=trim(" ZZZZabcZZ ", " Z");

2. SPL2 example

Returns "abc".

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=trim(" abc ");

3. SPL2 example

Alternatively, you can use named arguments to list the arguments in any order.

...| eval n=trim(strip_chars: " Z", str: " ZZZZabcZZ ");

upper(str)

Converts a string to uppercase.

Function Input
str: string
Function Output
string

SPL2 examples

Returns USERNAME.

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=upper(username);

Alternatively, you can use named arguments.

...| eval n=upper(str: username);

url_decode(str)

Takes a URL string and returns the unescaped or decoded URL string.

Function Input
str: string
Function Output
string

SPL2 examples

Returns http://www.splunk.com/download?r=header.

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=url_decode("http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader");

Alternatively, you can use named arguments.

...| eval n=url_decode(str: "http%3A%2F%2Fwww.splunk.com%2Fdownload%3Fr%3Dheader");

url_encode(str)

Encodes a string for the query string parameters in a URL. Use this function when you want to include user-supplied string data in a URL.

Function Input
str: string
Function Output
string

SPL2 examples

Filters records by Jane+A+Smith.

When working in the SPL View, you can write the function by using the following syntax.

| where "Jane+A+Smith"=url_encode("Jane A Smith");

Alternatively, you can use named arguments.

| where "Jane+A+Smith"=url_encode(str: "Jane A Smith");
Source: https://docs.splunk.com/Documentation/DSP/1.2.1/FunctionReference/Stringmanipulation

Text functions

The following list contains the functions that you can use with string values.

For information about using string and numeric fields in functions, and nesting functions, see Overview of SPL2 eval functions.

len(<str>)

This function returns the character length of a string.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

This example returns the character length of the values in the field for each result.

lower(<str>)

This function returns a string in lowercase.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example returns the values in the field in lowercase.

ltrim(<str>,<trim_chars>)

This function removes the trim characters from the left side of the string.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

The argument is optional. If not specified, spaces and tabs are removed from the left side of the string.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value returned is .

replace(<str>,<regex>,<replacement>)

This function substitutes the replacement string for every occurrence of the regular expression in the string.

Usage

The argument can be the name of a string field or a string literal.

The argument can also reference groups that are matched in the .

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

To replace a backslash ( \ ) character, you must escape the backslash twice. This is because the function occurs inside an eval expression. The eval expression performs one level of escaping before passing the regular expression to PCRE. Then PCRE performs its own escaping.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example returns date, with the month and day numbers switched. If the input is 1/14/2020 the return value would be 14/1/2020.

rtrim(<str>,<trim_chars>)

This function removes the trim characters from the right side of the string.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

The argument is optional. If not specified, spaces and tabs are removed from the right side of the string.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the right side of the string. The value returned is .

spath(<value>,<path>)

Use this function to extract information from the structured data formats XML and JSON.

Usage

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

The is an input source field.

The is an spath expression for the location path to the value that you want to extract from.

  • If is a literal string, you need to enclose the string in double quotation marks.
  • If is a field name, with values that are the location paths, the field name doesn't need quotation marks. Using a field name for might result in a multivalue field.

To use named arguments, you must specify the argument names before the argument values. For example:

Basic example

The following example returns the values of elements from the field.


The following example returns the hashtags from a twitter event.

substr(<str>,<start>,<length>)

This function returns a substring of a string, beginning at the start index. The length of the substring specifies the number of characters to return.

Usage

The argument can be the name of a string field or a string literal.

The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

The is optional, and if not specified returns the rest of the string.

To use named arguments, you must specify the argument names before the argument values. For example:

Basic example

The following example concatenates the first 3 letters in the word with the last 3 letters in the word :

The result is the word .

trim(<str>,<trim_chars>)

This function removes the trim characters from both sides of the string.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

The argument is optional. If not specified, spaces and tabs are removed from both sides of the string.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left and right sides of the string. The value returned is .

upper(<str>)

This function returns a string in uppercase.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example returns the values in the field in uppercase.

urldecode(<url>)

This function takes a URL string and returns the unescaped or decoded URL string.

Usage

The argument can be the name of a string field or a string literal.

You can use this function with the and commands, in the WHERE clause of the command, and as part of evaluation expressions with other commands.

To use named arguments, you must specify the argument name before the argument value. For example:

Basic example

The following example returns "http://www.splunk.com/download?r=header".

Source: https://docs.splunk.com/Documentation/SCS/current/SearchReference/TextFunctions

String manipulation

concat(values)

Combines string values. This function accepts a variable number of arguments.

Function Input
values: collection<string>
Function Output
string

1. Canvas example: Combine string values

Configure an Eval function to combine three string values. This example returns Jane A Smith in the host field.

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

2. Canvas example: Prepend a string to another string

Configure an Eval function to prepend "asa_" to the value of "source_type".

The Eval function is configured as follows.

  • Function:

extract_grok(input, pattern)

Extracts matching groups with a Grok-compatible pattern and returns a map of group names to matching groups when the pattern is matched against the input. It returns null if the input is null or the pattern is invalid.

Function Input
input: string
pattern: string
Function Output
map<string, string>

Canvas example: Use a Grok pattern to find and extract IPV4 addresses

Configure an Eval function to use a Grok pattern to find and extract IPV4 addresses. This example returns "IPV4": "10.10.10.10" in ip_address.

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

extract_key_value(input, key_value_delimiter, pair_delimiter)

Extracts the key-value pairs and returns a map of the key-value pairs. The keys and values are separated with a key value delimiter, and pairs are separated with a pair delimiter. It returns null if the input is null or the key value delimiter is null or empty.

Function Input
input: string
key_value_delimiter: string
pair_delimiter: string
Function Output
map<string, string>

Configure an Eval function to extract key-value pairs from the input. This example returns {"key1":"value1","key2":"value2","key3":"value3"}.

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

2. Canvas example: Extract key-value pairs from body

Configure an Eval function to extract key-value pairs from body.

The Eval function is configured as follows.

  • Function:

extract_regex(input, pattern)

Extracts capturing groups from inputs with regular expressions and returns a map of all extracted, matched fields in the format: . If you do not name the capturing group, the group names are returned as "1", "2", "3", "N", etc. For example, extract_regex with the regex returns a map with the key host whose value is the value of the extracted capture group. For a non-named capture group, extract_regex with the regex will return a map with key 1 whose value is the value of the extracted capture group.

To name your capturing group, start your regular expression pattern with , as shown in the examples. Use this function if you want your extracted data to be nested in a single field.

Function Input
input: string
pattern: regular expression pattern
Function Output
map<string, string>

1. Canvas example: Extract specific values from the body field using a named capture group

Configure an Eval function to extract ASA-x-xxxxxx values from the body field using a named capturing group.

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

Configure an Eval function to extract a six-digit number from value and place that value in the field numbers.

The Eval function is configured as follows.

  • Function:

len(str)

Returns the character length of a string str.

Function Input
str: string
Function Output
integer

Canvas example: Filter records by a character limit

Configure a Where function to filter records by character limit.

The Where function is configured as follows.

  • Predicate:

Alternatively, you can use named arguments to list the arguments in any order and the Where function is configured as follows.

  • Predicate:

lower(str)

Converts a string to lowercase.

Function Input
str: string
Function Output
string

Canvas example: Filter records by lowercase

Configure a Where function to filter records by source .

The Where function is configured as follows.

  • Predicate:

Alternatively, you can use named arguments to list the arguments in any order and the Where function is configured as follows.

  • Predicate:

ltrim(str, strip_chars)

This function takes two arguments. The required argument is str, a string. This function also takes an optional argument strip_chars, also a string. This function returns either str with whitespaces removed from the left side or str with the characters in strip_chars trimmed from the left side.

Function Input
str: string
(Optional) strip_chars: string
Function Output
string

Configure an Eval function to trim the extra characters from the left side of a string. This example returns .

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

Configure an Eval function to trim the extra space characters from the left side of a string. This example returns .

The Eval function is configured as follows.

  • Function:

match_regex(input, pattern)

Checks if a string field contains a specified string using a regular expression pattern. Since this function takes a regular expression as input, you need to enclose the pattern argument in forward slashes (/ /). If your regular expression pattern is stored as a string type instead of a regular expression type, use this function with the to_regex function. Returns true if the regular expression finds a match in the input string, otherwise returns false.

If you want to do a string match and your input contains a lot of special characters that require special escaping, consider using the match_wildcard function instead.

The match_regex function does a substring match by default. In order to do a full string match, you must use the regular expression anchors ^ and $.

Function Input
input: string
pattern: regular expression
Function Output
boolean

1. Canvas example: Use a regular expression to filter records that contain an ASA number

Configure a Where function to filter records that contain an ASA number in body.

The Where function is configured as follows.

  • Predicate:

Alternatively, you can use named arguments to list the arguments in any order and the Where function is configured as follows.

  • Predicate:

2. Canvas example: Use a regular expression to filter records that match a specific pattern

Configure an Eval function to use a regular expression to filter records that match the pattern . Assume that your data contains both and . This example returns true for but not .

The Eval function is configured as follows.

  • Function:

3. Canvas example: Use a regular expression to match a pattern

Configure an Eval function to match a pattern. This example returns true.

The Eval function is configured as follows.

  • Function:

4. Canvas example: Use a regular expression to match a pattern

Configure an Eval function to match a pattern. This example returns false.

The Eval function is configured as follows.

  • Function:

5. Canvas example: Use a regular expression to match a pattern

Configure an Eval function to match a pattern. This example returns true or false depending on if the field begins with the text .

The Eval function is configured as follows.

  • Function:

match_wildcard(input, pattern)

Checks if a string field contains a specified substring without using regular expressions, except for the wildcard character *. Returns true if the substring has been found, otherwise returns false.

The function is a convenience function for the commonly used regular expression pattern . When you use , characters aside from that are normally considered to be special characters in a regular expression are automatically escaped. Therefore, use when your input has a large number of special characters that would normally need special escaping.

The match_wildcard function always does a substring match. If you want to do a full string match, use match_regex with anchors instead.

Function Input
input: string
pattern: string
Function Output
boolean

1. Canvas example: Determine if a specific substring is present in a field

Configure an Eval function to determine if a specific substring is present in a field. This example returns true in sensitive_info when Credit is anywhere in the body field.

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

2. Canvas example: Use a wildcard to determine if a string pattern is present in a field

Configure an Eval function to determine if string pattern is present in a field. Assume that your data contains and . This example returns true for both and .

The Eval function is configured as follows.

  • Function:

3. Canvas example: Use multiple wildcards to determine if a string pattern is present in a field

Configure an Eval function to determine if a more complex string pattern is present in a field. This example returns true when the strings are found in the field.

The Eval function is configured as follows.

  • Function:

4. Canvas example: Determine if a specific substring is present in a field

Configure an Eval function to determine if a specific substring is present in a field. This example returns false, because the ^ anchor and \d pattern are treated as the literal string characters ^ and \d. Note that the backslash character is a special character, and therefore needs to be explicitly escaped in order for the pipeline to validate.

The Eval function is configured as follows.

  • Function:

replace(str, pattern, rep)

This function returns a string formed by substituting string rep for every occurrence of regex string pattern in string str. The third argument can also reference groups that are matched in the regex.

Function Input
str: string
pattern: regular expression pattern
rep: string
Function Output
string

1. Canvas example: Find a string and substitute the original string with a new string

Configure an Eval function to find specific strings matching a regular expression and substitute them with a new string. This example returns the body field with phone numbers replaced with the text <redacted>.

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

2. Canvas example: Use a capture group to format a replacement string

Configure an Eval function to use a capture group to format the replacement string. This example places the result in a new top-level field called .

The Eval function is configured as follows.

  • Function:

rtrim(str, strip_chars)

This function takes two arguments. The required argument is , a string. This function also takes an optional argument , also a string. This function returns either with whitespaces removed from the right side or with the characters in trimmed from the right side.

Function Input
str: string
(Optional) strip_chars: string
Function Output
string

Configure an Eval function to trim the extra characters from the right side of a string. This example returns " ZZZZabc".

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

Configure an Eval function to trim the extra space characters from the right side of a string. This example returns .

The Eval function is configured as follows.

  • Function:

spath(input, path)

For documentation on the spath function, see spath.

substr(str, start, length)

This function takes three arguments. The required arguments are , a string, and , an integer. This function also takes an optional argument , also an integer. This function returns a substring of , starting at the index specified by with the number of characters specified by .

Function Input
str: string
start: integer
(Optional) length: integer
Function Output
string

Canvas example: Return the first three characters of a string

Configure an Eval function to return the first three characters of a string. This example returns .

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

trim(str, strip_chars)

This function takes two arguments. The required argument is , a string. This function also takes an optional argument , also a string. This function returns either with whitespaces removed from both sides or with the characters in trimmed from both sides.

Function Input
str: string
(Optional) strip_chars: string
Function Output
string

1. Canvas example: Trim extra characters from the left and right side of a string

Configure an Eval function to trim the extra characters from the left and right side of a string. This example returns .

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

2. Canvas example: Trim the extra spaces from the left and right side of a string

Configure an Eval function to trim the extra space characters from the left and right side of a string. This example returns "abc".

The Eval function is configured as follows.

  • Function:

upper(str)

Converts a string to uppercase.

Function Input
str: string
Function Output
string

Canvas example: Convert a string to uppercase

Configure an Eval function to convert a string to uppercase. This example returns .

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

url_decode(str)

Takes a URL string and returns the unescaped or decoded URL string.

Function Input
str: string
Function Output
string

Canvas example: Decode an escaped URL string

Configure an Eval function to decode an escaped URL string. This example returns .

The Eval function is configured as follows.

  • Function:

Alternatively, you can use named arguments to list the arguments in any order and the Eval function is configured as follows.

  • Function:

url_encode(str)

Encodes a string for the query string parameters in a URL. Use this function when you want to include user-supplied string data in a URL.

Function Input
str: string
Function Output
string

Canvas example: URL encode user supplied string data

Configure a Where function to filter records by Jane+A+Smith.

The Where function is configured as follows.

  • Predicate:

Alternatively, you can use named arguments to list the arguments in any order and the Where function is configured as follows.

  • Predicate:
Source: https://docs.splunk.com/Documentation/StreamProcessor/standard/FunctionReference/Stringmanipulation

Text functions

The following list contains the functions that you can use with string values.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

len(X)

Description

This function returns the character length of a string X.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

Suppose you have a set of results that looks something like this:

_time names
2020-01-09 16:35:14 buttercup
2020-01-09 16:35:14 rarity
2020-01-09 16:35:14 tenderhoof
2020-01-09 16:35:14 dash
2020-01-09 16:35:14 mistmane

You can determine the length of the values in the field using the function:


The results show a count of the character length of the values in the field:

_time length names
2020-01-09 16:35:14 9 buttercup
2020-01-09 16:35:14 6 rarity
2020-01-09 16:35:14 10 tenderhoof
2020-01-09 16:35:14 4 dash
2020-01-09 16:35:14 8 mistmane

lower(X)

Description

This function takes one string argument and returns the string in lowercase.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

You can use this function on multivalue fields.

Basic example

The following example returns the value provided by the field in lowercase.

ltrim(X,Y)

Description

This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the left side. If Y is not specified, spaces and tabs are removed.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example trims the leading spaces and all of the occurrences of the letter Z from the left side of the string. The value that is returned is x="abcZZ ".

replace(X,Y,Z)

Description

This function returns a string formed by substituting string Z for every occurrence of regex string Y in string X. The third argument Z can also reference groups that are matched in the regex.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

To replace a backslash ( \ ) character, you must escape the backslash twice. This is because the function occurs inside an eval expression. The eval expression performs one level of escaping before passing the regular expression to PCRE. Then PCRE performs its own escaping. See SPL and regular expressions.

Basic example

The following example returns date, with the month and day numbers switched. If the input is 1/14/2017 the return value would be 14/1/2017.

rtrim(X,Y)

Description

This function takes one or two arguments X and Y, and returns X with the characters in Y trimmed from the right side. If Y is not specified, spaces and tabs are removed.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns .

spath(X,Y)

Description

This function takes two arguments, an input source field X and an spath expression Y, that is the XML or JSON formatted location path to the value that you want to extract from X.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

If Y is a literal string, it needs quotes, . If Y is a field name (with values that are the location paths), it doesn't need quotes. This might result in a multivalued field. Read more about the command.

Basic example

The following example returns the values of locDesc elements.


The following example returns the hashtags from a twitter event.

substr(X,Y,Z)

Description

This function takes either two or three arguments. The required arguments are X, a string, and Y, a numeric. Z is optional and a numeric. This function returns a substring of X, starting at the index specified by Y with the number of characters specified by Z. If Z is not provided, the function returns the rest of the string.

Usage

The indexes follow SQLite semantics; they start at 1. Negative indexes can be used to indicate a start from the end of the string.

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example concatenates "str" and "ing" together, returning "string":

trim(X,Y)

Description

This function takes one or two arguments X and Y and returns X with the characters in Y trimmed from both sides. If Y is not specified, spaces and tabs are removed.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns "abc".

upper(X)

Description

This function takes one string argument and returns the string in uppercase.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

You can use this function on multivalue fields.

Basic example

The following example returns the value provided by the field in uppercase.

urldecode(X)

Description

This function takes one URL string argument X and returns the unescaped or decoded URL string.

Usage

You can use this function with the , , and commands, and as part of eval expressions.

This function is not supported on multivalue fields.

Basic example

The following example returns "http://www.splunk.com/download?r=header".
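
The following search is an added example, not taken from the Splunk documentation. It chains the text functions described above to normalize URI values before they are matched or grouped: urldecode, trim, lower, replace with the doubly escaped backslash, and substr with both a 1-based and a negative start index. The field names and the three sample values are constructed for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval sample_uri=case(
    n=1, "/Download%3Fr%3Dheader",
    n=2, "/files%5Creports%5CQ1.PDF",
    n=3, "  /static/app.js  ")
| eval decoded=urldecode(sample_uri)
| eval decoded_len=len(decoded)
| eval norm=lower(trim(decoded))
| eval norm=replace(norm, "\\\\", "/")
| eval prefix=substr(norm, 1, 6)
| eval last3=substr(norm, -3)
| table sample_uri decoded decoded_len norm prefix last3
```

In the second row the encoded %5C sequences decode to backslashes, which the replace call rewrites to forward slashes, so differently encoded forms of the same path compare equal in later where or stats clauses.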

Source: https://docs.splunk.com/Documentation/Splunk/8.2.2/SearchReference/TextFunctions
