Extract Substring action
Available for event, alert, and incident workflows
This action extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.
This action is useful for data fields with a consistent format that can be described by a regex. For data fields that delimit their values with a consistent character string, such as : or ::, use the Split action instead.
This action takes the following inputs:
Input field
The field to search.
Regex capture groups
The regex to apply to the input field. All regex entered here must be enclosed in parentheses, or else the expression will not be parsed. For example, if you want to match the string "test", you should use the following regex:
(test)
NOTE: If you are processing fields that contain newline characters, be sure to start your regex expression with (?s), so that . also matches newline characters. For example, if your regex is (\w{2})(\w{2})-(.*), you should use (?s)(\w{2})(\w{2})-(.*) if your data contains newline characters.
Output fields
Copy the extracted substrings to these fields, in order.
NOTE: Be sure to include an output field for each of your capture groups. If you have three capture groups, include three output fields.
Event example
Extract substring works the same way for both incidents and events as it splits apart a string value in a field and outputs the new substrings to alternate fields.
In this example, the data includes source fields which contain a single string formatted as follows:
country code, 2 characters
data center code, 2 characters
device name, 4 characters
To store this information in separate tags, you can add an Extract Substring action to your workflow and configure it as follows:
Input field = source
Regex capture groups = (\w{2})(\w{2})-(.*)
Output fields = location.country, location.datacenter, tags.devicename
An example event:
| Event fields before | Event fields after |
|---|---|
| { "description": "cpu load > 90%", "severity": 5, "source": "ussf-sw99", "check": "cpu", "service": [ "custLogin" ] } | { "description": "cpu load > 90%", "severity": 5, "source": "ussf-sw99", "check": "cpu", "service": [ "custLogin" ], "location": { "country": "us", "datacenter": "sf" }, "tags": { "devicename": "sw99" } } |
Alert example
In this example, a workflow uses the Extract Substring action to search the description field of an alert and extract the source IP address. The IP address is then stored in a tag for later use. As required above, the whole expression is enclosed in parentheses so that it forms one capture group.
Input field = description
Regex capture groups = (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)
Output fields = tags.sourceip
| Alert fields before | Alert fields after |
|---|---|
| { ... "description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20", ... "tags": { "integration_type": [ "eventapi" ] }, ... } | { ... "description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20", ... "tags": { "integration_type": [ "eventapi" ], "sourceip": "192.168.2.20" }, ... } |
Incident example
In this example, a workflow uses the Extract Substring action to search the description field of an incident and pull out server names that are in a known, predictable format.
All of the servers are part of the example.com domain, so the regex pattern used is (\w*\.example\.com). The dots are escaped because an unescaped . matches any character, not only a literal dot. Each match of the pattern fills the next output field, so three output fields receive the three server names in order.
Input field = description
Regex capture groups = (\w*\.example\.com)
Output fields = tags.one, tags.two, tags.three
| Incident fields before | Incident fields after |
|---|---|
| { ... "description": "4 Source: server1.example.com, server2.example.com, server3.example.com ... Affected retail, support Compute ", ... "tags": { "integration_type": [ "eventapi" ] }, ... } | { ... "description": "4 Source: server1.example.com, server2.example.com, server3.example.com ... Affected retail, support Compute ", ... "tags": { "one": [ "server1.example.com" ], "integration_type": [ "eventapi" ], "two": [ "server2.example.com" ], "three": [ "server3.example.com" ] } ... } |
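The following Python is an added illustration of the behaviour this page describes (one input string, a regex whose capture groups are copied to output fields in order, the (?s) rule for newlines), not the product's own code. The function names, the "every match contributes its groups in order" rule, the dotted-path handling and the sample records are assumptions made for this example.

```python
import re

# Added illustration of the Extract Substring action as this page describes it,
# not the product's own code: the function names, the "all matches, capture
# groups in order" rule and the dotted-path handling are assumptions.

def set_path(record, dotted, value):
    """Assign value at a dotted output field such as 'location.country'."""
    *parents, leaf = dotted.split(".")
    node = record
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def extract_substring(record, input_field, regex, output_fields):
    """Apply regex to record[input_field] and copy the capture groups to
    output_fields in order; groups from later matches fill later fields."""
    pattern = re.compile(regex)
    if pattern.groups == 0:
        raise ValueError("regex must be enclosed in parentheses (capture group)")
    value = record.get(input_field)
    if not isinstance(value, str):
        return record  # the action takes one string value, not an array
    substrings = [g for m in pattern.finditer(value) for g in m.groups()]
    for field, sub in zip(output_fields, substrings):
        set_path(record, field, sub)
    return record

SOURCE_FIELDS = ["location.country", "location.datacenter", "tags.devicename"]
IP_RE = r"(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"

def run_examples():
    """Constructed records mirroring the page's event, alert and incident examples."""
    event = extract_substring({"source": "ussf-sw99"}, "source",
                              r"(\w{2})(\w{2})-(.*)", SOURCE_FIELDS)
    alert = extract_substring({"description": "Connection Issue Detected from IP 192.168.2.20"},
                              "description", IP_RE, ["tags.sourceip"])
    incident = extract_substring(
        {"description": "Source: server1.example.com, server2.example.com, server3.example.com"},
        "description", r"(\w*\.example\.com)", ["tags.one", "tags.two", "tags.three"])
    return event, alert, incident

def newline_demo():
    """Why the page says to prefix (?s): without it '.' stops at the newline."""
    src = {"source": "ussf-sw99\nrack7"}
    plain = extract_substring(dict(src), "source", r"(\w{2})(\w{2})-(.*)", SOURCE_FIELDS)
    dotall = extract_substring(dict(src), "source", r"(?s)(\w{2})(\w{2})-(.*)", SOURCE_FIELDS)
    return plain["tags"]["devicename"], dotall["tags"]["devicename"]
```

Tag values are stored as plain strings here; the page's incident table shows them as single-element lists, which this model does not reproduce.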