
Extract Substring action

Available for event, alert, and incident workflows

This action extracts one or more substrings from an input field using a regex. It then copies the substrings to the output fields, in the original order. Note that this action operates on a single string value, not on individual values in an array.

This action is useful for data fields with a consistent format that can be described by a regex. For data fields that separate their values with a fixed delimiter, such as : or ::, use the Split action instead.

This action takes the following inputs:

  • Input field

    The field to search.

  • Regex capture groups

    The regex to apply to the input field. The expression must define at least one capture group, that is, it must be enclosed in parentheses; otherwise it will not be parsed. For example, to match the string "test", use the following regex: (test)

    NOTE: If you are processing fields that contain newline characters, be sure to start your regex expression with (?s).

    For example, if your regex is (\w{2})(\w{2})-(.*), you should use (?s)(\w{2})(\w{2})-(.*) if your data contains newline characters.

  • Output fields

    Copy the extracted substrings to these fields, in order.

    NOTE: Be sure to include an output field for each of your capture groups. If you have three capture groups, include three output fields.

Event example

Extract Substring works the same way for events, alerts, and incidents: it splits a string value in one field into substrings and writes each substring to a separate output field.

In this example, the source field contains a single string with the following fixed layout:

  • country code, 2 characters

  • data center code, 2 characters

  • a hyphen

  • device name, 4 characters in this example (the regex captures everything after the hyphen)

To store this information in separate tags, you can add an Extract Substring action to your workflow and configure it as follows:

  • Input field = source

  • Regex capture groups = (\w{2})(\w{2})-(.*)

  • Output fields:

    • location.country

    • location.datacenter

    • tags.devicename

An example event:

Event fields before:

{
   "description": "cpu load > 90%",
   "severity": 5,
   "source": "ussf-sw99",
   "check": "cpu",
   "service": [ "custLogin" ]
}

Event fields after:

{
   "description": "cpu load > 90%",
   "severity": 5,
   "source": "ussf-sw99",
   "check": "cpu",
   "service": [ "custLogin" ],
   "location": {
       "country": "us",
       "datacenter": "sf"
   },
   "tags": {
       "devicename": "sw99"
   }
}

Alert example

In this example, a workflow uses the Extract Substring action to search the description field of an alert and extract the source IP address. The IP address is then stored in a tag for later use.

  • Input Field: description

  • Regex Capture Groups: (\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)

  • Output Field(s): tags.sourceip

Note that the whole expression is wrapped in parentheses, as required. The pattern matches any dotted quad of one- to three-digit numbers, so it accepts strings such as 999.999.999.999 that are not valid IPv4 addresses; validate the extracted value before relying on it.

Alert fields before:

{
 ...
     "description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
 ...
     "tags": {
        "integration_type": [
           "eventapi"
           ],
      },
 ...
}
Alert fields after:

{
 ...
     "description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
 ...
     "tags": {
        "integration_type": [
           "eventapi"
           ],
        "sourceip": "192.168.2.20"
      },
 ...
}

Incident example

In this example, a workflow uses the Extract Substring action to search the description field of an incident and pull out server names that are in a known, predictable format.

All of the servers are part of the example.com domain, so the regex used is (\w+\.example\.com). The dots are escaped so they match literal periods rather than any character. The pattern has a single capture group, but it matches three times in the description, and each successive match is copied to the next output field.

  • Input Field: description

  • Regex Capture Groups: (\w+\.example\.com)

  • Output Field(s): tags.one, tags.two, tags.three

Incident fields before:

{
 ...
     "description": "4 Source: server1.example.com, server2.example.com, server3.example.com ... Affected retail, support Compute ",
 ...
     "tags": {
        "integration_type": [
           "eventapi"
           ],
      },
 ...
}
Incident fields after:

{
 ...
    "description": "4 Source: server1.example.com, server2.example.com, server3.example.com ... Affected retail, support Compute ",
 ...
    "tags": {
       "one": [
          "server1.example.com"
          ],
       "integration_type": [
          "eventapi"
          ],
       "two": [
          "server2.example.com"
          ],
       "three": [
          "server3.example.com"
          ]
    },
 ...
}
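The behaviour described on this page, run over the event, alert and incident examples above, as an added Python model. This is illustration code written for this page, not the product's own implementation. It assumes two things inferred from the examples: dotted output names such as location.country write into nested objects, and when a regex matches more than once, successive matches fill successive output fields. It writes output values as plain strings, whereas the incident example shows them as single-element lists. The sample records are constructed from the examples, and the newline record is constructed to show the (?s) caveat.

```python
import copy
import re
from typing import Any, Optional


def validate_regex(regex: str) -> Optional[str]:
    """Return an error message if the action could not use this regex, else None.
    The page's rule is that the expression must be wrapped in parentheses, which
    in practice means it must define at least one capture group."""
    try:
        pattern = re.compile(regex)
    except re.error as exc:
        return f"invalid regex: {exc}"
    if pattern.groups == 0:
        return "regex must be enclosed in parentheses (no capture group found)"
    return None


def set_dotted(record: dict, path: str, value: Any) -> None:
    """Write value at a dotted path such as "location.country", creating the
    intermediate objects. Assumption (from the examples): dotted output field
    names land in nested objects."""
    parts = path.split(".")
    node = record
    for key in parts[:-1]:
        node = node.setdefault(key, {})
    node[parts[-1]] = value


def extract_substring(record: dict, input_field: str, regex: str,
                      output_fields: list[str]) -> dict:
    """Model of the Extract Substring action: apply the regex to one string
    field and copy every captured substring, in order, to the output fields.
    Returns a new record; the input record is left unchanged."""
    error = validate_regex(regex)
    if error:
        raise ValueError(error)

    out = copy.deepcopy(record)
    value = record.get(input_field)
    if not isinstance(value, str):
        # The action operates on a single string, not on array elements.
        return out

    # Every capture group of every match, in document order. One group that
    # matches three times therefore yields three substrings, which is how the
    # incident example fills tags.one, tags.two and tags.three.
    captured = [g for m in re.finditer(regex, value)
                for g in m.groups() if g is not None]

    # zip() stops at the shorter list: surplus captures are dropped and surplus
    # output fields stay unset, so list one output field per expected group.
    for field, substring in zip(output_fields, captured):
        set_dotted(out, field, substring)
    return out


# Constructed sample records, taken from the examples on this page.
EVENT = {"description": "cpu load > 90%", "severity": 5, "source": "ussf-sw99",
         "check": "cpu", "service": ["custLogin"]}
ALERT = {"description": "Server Health Alert: Connection Issue Detected from IP 192.168.2.20",
         "tags": {"integration_type": ["eventapi"]}}
INCIDENT = {"description": "4 Source: server1.example.com, server2.example.com, "
                           "server3.example.com ... Affected retail, support Compute ",
            "tags": {"integration_type": ["eventapi"]}}


def event_example() -> dict:
    return extract_substring(EVENT, "source", r"(\w{2})(\w{2})-(.*)",
                             ["location.country", "location.datacenter", "tags.devicename"])


def alert_example() -> dict:
    return extract_substring(ALERT, "description",
                             r"(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)", ["tags.sourceip"])


def incident_example() -> dict:
    return extract_substring(INCIDENT, "description", r"(\w+\.example\.com)",
                             ["tags.one", "tags.two", "tags.three"])


def newline_example(dotall: bool) -> dict:
    """Why the page says to prefix the regex with (?s) when the field contains
    newlines: without it, (.*) stops at the first line break."""
    record = {"source": "ussf-sw99\nrack 12"}  # constructed multi-line value
    regex = r"(\w{2})(\w{2})-(.*)"
    return extract_substring(record, "source", ("(?s)" if dotall else "") + regex,
                             ["location.country", "location.datacenter", "tags.devicename"])


if __name__ == "__main__":
    import json
    for name, fn in [("event", event_example), ("alert", alert_example),
                     ("incident", incident_example)]:
        print(name, json.dumps(fn(), indent=2))
    print("newline without (?s):", newline_example(False)["tags"]["devicename"])
    print("newline with (?s):", repr(newline_example(True)["tags"]["devicename"]))
```

Two practical points follow from running this. The IP pattern happily captures 999.999.999.999, so pass tags.sourceip through a real address parser (Python's ipaddress module, for instance) before using it in a block list or a lookup. And `\w+` does not match hyphenated host names; use `([\w-]+\.example\.com)` if your servers are named that way.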