Moogsoft Docs

searchAndReplace

A Workflow Engine function that matches a regular expression to an object field and updates the values for fields in the object based upon a map. You can map the contents of subgroups to other fields. For example, extract the 'source' value inside a description and map it to the source field. You can also map fields to a constant value.

This function is available for event, alert, enrichment, and Situation workflows.

The workflow sweep up filter applies to this function.


Arguments

Workflow Engine function searchAndReplace takes the following arguments:

| Name | Required | Type | Description |
|------|----------|------|-------------|
| field | Yes | String | Field to search. |
| expression | Yes | String | Regular expression pattern to test against the field. |
| map | Yes | Object | Map to apply the extracted values to as a key: value pairing using $extract.n, where n = the subgroup identified. For example: { "custom_info.newValue" : "$extract.1", "source" : "$extract.2" } |

Example

The following example demonstrates typical use of Workflow Engine function searchAndReplace. You can check for an IP address, and a value of "memory" or "disk" in the object's description field. When the Workflow Engine finds a match, it maps the following fields:

  • source to the matching IP address: ((?:\d+\.){3}\d+).

  • class to the matching value of "memory" or "disk": (memory|disk).

  • custom_info.support_team to the constant "NOC".

Configure the function as follows:

  • field: description

  • expression: ^.+?((?:\d+\.){3}\d+).+?(memory|disk).+?$

  • map: {"source":"$extract.1","class":"$extract.2","custom_info.support_team":"NOC"}

The UI translates your settings to the following JSON:

{"field":"description",
"expression":"^.+?((?:\\d+\\.){3}\\d+).+?(memory|disk).+?$",
"map":{"source":"$extract.1","class":"$extract.2","custom_info.support_team":"NOC"}}

Note

The code display for the Workflow Engine double-escapes characters. You do not need to double-escape in the data entry field. For example, enter the IP address pattern as "((?:\d+\.){3}\d+)".

Nested subgroups, such as the non-capturing group (?:\d+\.) in the IP address example, do not affect the extract numbering.

An object with the following description matches the regular expression test:

"description": "Host 198.51.100.0 high memory utilization on mytestbox.example.com"

The Workflow Engine updates the object fields as follows:

"source": "198.51.100.0",
"custom_info": {"support_team": "NOC"},
"class": "memory"
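
To check an expression and map offline before saving them in a workflow, the following JavaScript sketch models the behaviour described on this page. It is an added example, not Moogsoft code: the names setPath, searchAndReplace and demo, the non-matching sample object, and the assumption that a non-matching object is left unchanged are all introduced here.

```javascript
// Configuration JSON as shown on this page (JSON form, double-escaped).
const CONFIG_JSON = String.raw`{"field":"description",
"expression":"^.+?((?:\\d+\\.){3}\\d+).+?(memory|disk).+?$",
"map":{"source":"$extract.1","class":"$extract.2","custom_info.support_team":"NOC"}}`;

// Write a value at a dotted path such as "custom_info.support_team".
function setPath(obj, path, value) {
  const keys = path.split('.');
  // Refuse keys that would reach the prototype chain.
  if (keys.some((k) => ['__proto__', 'constructor', 'prototype'].includes(k))) return;
  let node = obj;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
}

// Hypothetical offline model of searchAndReplace (assumption, not product code):
// returns true and updates obj on a match, returns false and leaves it alone otherwise.
function searchAndReplace(obj, { field, expression, map }) {
  const match = new RegExp(expression).exec(String(obj[field] ?? ''));
  if (!match) return false;
  for (const [target, value] of Object.entries(map)) {
    // "$extract.n" takes capturing group n; any other value is a constant.
    const ref = /^\$extract\.(\d+)$/.exec(String(value));
    const resolved = ref ? match[Number(ref[1])] : value;
    if (resolved !== undefined) setPath(obj, target, resolved);
  }
  return true;
}

function demo() {
  // JSON.parse removes one level of escaping, giving the data-entry form.
  const config = JSON.parse(CONFIG_JSON);
  // Description taken from this page's example.
  const hit = { description: 'Host 198.51.100.0 high memory utilization on mytestbox.example.com' };
  // Constructed non-matching input: no IP address, no "memory" or "disk".
  const miss = { description: 'Link down on port 7' };
  const hitMatched = searchAndReplace(hit, config);
  const missMatched = searchAndReplace(miss, config);
  return { expression: config.expression, hit, hitMatched, miss, missMatched };
}

console.log(JSON.stringify(demo(), null, 2));
```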