Skip to main content
Version: 5.0

String Operations

len

Description: Takes a string as input and returns its length.

In the example, res will have the value 3, and res1 will have the value 2.

Example #1
... | eval res=len("foo"), res1=len(12)

lower

Description: Takes a string as input and returns it in lowercase.

In the example, res will have the value "foo", and res1 will have the value "foo".

Example #1
... | eval res=lower("FOO"), res1=lower("foO")

ltrim

Description: Takes a string and a pattern to look for, removing the pattern from the left side of the string.

In the example, res will have the value abcZZ.

Example #1
... | eval x=ltrim(" ZZZZabcZZ ", " Z")

replace

Description: Takes a string, a pattern to find, and a replacement value, replacing all occurrences of the pattern.

In the example, res had the value hello wolrd, but after the command, res will have the value GoodBye wolrd.

Example #1
... | eval res=replace(res,"hello","GoodBye")

rtrim

Description: Takes a string and a pattern to look for, removing the pattern from the right side of the string.

In the example, res will have the value "ZZZZabc".

Example #1
... | eval x=rtrim("ZZZZabcZZ", "Z")

spath

Description: Searches through a JSON string and returns the value of a specified parameter.

Example #1
... | eval res=spath(raw_event, "sourcetype")

substr

Description: Takes a string, a start position (optional), and an end position, and returns the corresponding substring.

In the example, res will have the value string.

Example #1
... | eval res=(substr("string", 1, 3) + substr("string", -3))

trim

Description: Takes a string and a pattern to find, and removes the pattern from the string.

In the example, res will have the value abc.

Example #1
... | eval res=trim(" ZZZZabcZZ ", " Z")

upper

Description: Takes a string as input and returns it in uppercase.

In the example, res will have the value FOO, and res1 will have the value FOO.

Example #1
... | eval res=upper("FOO"), res1=upper("foO")

urldecode

Description: Takes a URL-encoded string and returns it in a readable format.

In the example, res will have the value https://saf-systems.com/download?r=header.

Example #1
... | eval res=urldecode("httsp%3A%2F%2Fsaf-systems.com%2Fdownload%3Fr%3Dheader")

urlencode

Description: Encodes a string for use in a URL by replacing special characters with their escape sequences. This is the inverse operation of urldecode.

In the example, res will be assigned the value httsp%3A%2F%2Fsaf-systems.com%2Fdownload%3Fr%3Dheade.

Example #1
... | eval res=urlencode("https://saf-systems.com/download?r=header")