Skip to main content

String Operations

len

Description: Takes a string as input and returns its length.

In the example, res will have the value 3, and res1 will have the value 2.

Example #1
... | eval res=len("foo"), res1=len(12)

lower

Description: Takes a string as input and returns it in lowercase.

In the example, res will have the value "foo", and res1 will have the value "foo".

Example #1
... | eval res=lower("FOO"), res1=lower("foO")

ltrim

Description: Takes a string and a pattern to look for, removing the pattern from the left side of the string.

In the example, res will have the value "abcZZ ".

Example #1
... | eval x=ltrim(" ZZZZabcZZ ", " Z")

replace

Description: Takes a string, a pattern to find, and a replacement value, replacing all occurrences of the pattern.

In the example, res had the value "hello wolrd", but after the command, res will have the value "GoodBye wolrd".

Example #1
... | eval res=replace(res,"hello","GoodBye")

rtrim

Description: Takes a string and a pattern to look for, removing the pattern from the right side of the string.

In the example, res will have the value " ZZZZabcZ".

Example #1
... | eval x=rtrim(" ZZZZabcZZ ", "Z ")

spath

Description: Searches through a JSON string and returns the value of a specified parameter.

Example #1
... | eval res=spath(raw_event, "sourcetype")

substr

Description: Takes a string, a start position (optional), and an end position, and returns the corresponding substring.

In the example, res will have the value "string".

Example #1
... | eval res=(substr("string", 1, 3) + substr("string", -3))

trim

Description: Takes a string and a pattern to find, and removes the pattern from the string.

In the example, res will have the value "abc".

Example #1
... | eval res=trim(" ZZZZabcZZ ", " Z")

upper

Description: Takes a string as input and returns it in uppercase.

In the example, res will have the value "FOO", and res1 will have the value "FOO".

Example #1
... | eval res=upper("FOO"), res1=upper("foO")

urldecode

Description: Takes a URL-encoded string and returns it in a readable format.

In the example, res will have the value https://saf-systems.com/download?r=header**.**.

Example #1
... | eval res=urldecode("httsp%3A%2F%2Fsaf-systems.com%2Fdownload%3Fr%3Dheader")