topic Re: Need to split string with variable number of fields in All Apps and Add-ons

Need to split string with variable number of fields

jagdeepgupta813 — Tue, 29 Sep 2020 15:36:17 GMT

Hi ,

I have a string like this "details=[ A_0B_0N_0Z_0AB_0AU_0CA_0]^"
I need to split the above string by '_' where left side would be a field name and right would be a value. Final requirement is to display all the fileds which has value =10 .
Note: The string might have one or many such field/value combination

Thanks in Advance.

Re: Need to split string with variable number of fields

ddrillic — Sat, 02 Sep 2017 02:33:19 GMT

Do you mean that the fields/values in the example are - A=0, B=0, N=0, Z=0, etc.?

Re: Need to split string with variable number of fields

niketn — Sat, 02 Sep 2017 05:02:34 GMT

@jagdeepgupta813, following is a run any where search based on the data provided. First two pipes here are to mock up provided data. Please try out and confirm if this is what you are looking for.

|  makeresults
|  eval _raw="details=[ A_10B_20N_30Z_40AB_50AU_60CA_70]^"
|  rex field=_raw "details=\[\s(?<details>[^\]]+)\]\^"
|  rex field=details "(?<field>[^_]+)?_(?<value>\d+)" max_match=0
|  eval details=mvzip(field,value)
|  table details
|  mvexpand details
|  eval details=split(details,",")
|  eval field=mvindex(details,0)
|  eval value=mvindex(details,1)
|  fields - details

PS: Since in the data example details is a key value pair i.e. "details=", if details field is available during search time you will also not need first rex on your _raw data. You would need to confirm this as this could boost search performance.

Re: Need to split string with variable number of fields

woodcock — Sun, 03 Sep 2017 21:58:28 GMT

Like this:

| makeresults
| eval _raw="details=[ A_0B_0N_0Z_0AB_0AU_0CA_0]^"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex max_match=0 mode=sed "s/([^_]+)_(\d+)/\1=\2,/g"
| kv