Extract Substring action

This action extracts one or more substrings from an input field using the capture groups of a regex. Each captured substring is then copied to the corresponding output field, in order: the first capture group goes to the first output field, the second to the second, and so on.

  • Input field

    The field to search.

  • Regex capture groups

    The regex to apply to the input field.

  • Output fields

    Copy the extracted substrings to these fields, in order.

Example

One of your event streams has source fields that are formatted as follows:

  • country code, 2 characters

  • data-center code, 2 characters

  • device name, 4 characters, separated from the two codes by a hyphen

You want to store this information in separate tags. You add an Extract Substring action to your workflow and configure it as follows:

  • Input field = source

  • Regex capture groups = (\w{2})(\w{2})-(.*)

  • Output fields:

    • location.country

    • location.datacenter

    • tags.devicename

Event before:

{
   "description": "cpu load > 90%",
   "severity": 5,
   "source": "ussf-sw99",
   "check": "cpu",
   "service": ["custLogin"]
}

Event after:

{
   "description": "cpu load > 90%",
   "severity": 5,
   "source": "ussf-sw99",
   "check": "cpu",
   "service": ["custLogin"],
   "location": {
      "country": "us",
      "datacenter": "sf"
   },
   "tags": {
      "devicename": "sw99"
   }
}
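The following Python model of the action is an added example, not code from the product documented on this page. It applies the regex above to the sample event, maps capture groups to the dotted output fields in order (creating the nested "location" and "tags" objects), and assumes that a missing input field or a non-matching regex leaves the event unchanged rather than raising an error.

```python
import copy
import json
import re
from typing import Any, Dict, List

# Constructed sample event, matching the "Event before" shown on this page.
EVENT_BEFORE = {
    "description": "cpu load > 90%",
    "severity": 5,
    "source": "ussf-sw99",
    "check": "cpu",
    "service": ["custLogin"],
}


def set_path(event: Dict[str, Any], dotted: str, value: Any) -> None:
    """Write value at a dotted path such as "location.country",
    creating intermediate objects as needed."""
    parts = dotted.split(".")
    node = event
    for key in parts[:-1]:
        node = node.setdefault(key, {})
    node[parts[-1]] = value


def extract_substring(event: Dict[str, Any], input_field: str,
                      regex: str, output_fields: List[str]) -> Dict[str, Any]:
    """Model of the Extract Substring action on a copy of the event.

    Capture group i is copied to output_fields[i]. Assumption: if the
    input field is absent, not a string, or the regex does not match,
    the event is returned unchanged; surplus groups are ignored.
    """
    result = copy.deepcopy(event)
    value = result.get(input_field)
    if not isinstance(value, str):
        return result
    match = re.search(regex, value)  # assumption: unanchored search
    if match is None:
        return result
    for field, group in zip(output_fields, match.groups()):
        set_path(result, field, group)
    return result


def demo() -> Dict[str, Any]:
    """Run the configuration from the example above on the sample event."""
    return extract_substring(EVENT_BEFORE, "source", r"(\w{2})(\w{2})-(.*)",
                             ["location.country", "location.datacenter",
                              "tags.devicename"])


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```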