text

Subcommands

| Subcommand | Description | Syntax |
|---|---|---|
| len | Gets the length of a string in unicode graphemes | len(<expr>) |
| blen | Gets the length of a string in bytes | blen(<expr>) |
| clen | Gets the length of a string in characters | clen(<expr>) |
| lower | Converts all uppercase letters in a string to lowercase | lower(<expr>) |
| upper | Converts all lowercase letters in a string to uppercase | upper(<expr>) |
| trim | Removes leading and trailing whitespace from a string | trim(<expr>) |
| lstrip | Removes all characters matching a pattern from the left side of a string | lstrip(<expr>, <expr>) |
| rstrip | Removes all characters matching a pattern from the right side of a string | rstrip(<expr>, <expr>) |
| strip | Removes all characters matching a pattern from either side of a string | strip(<expr>, <expr>) |
| entropy | Calculates the Shannon entropy of a string | entropy(<expr>) |
| tokenize | Splits a string into tokens using whitespace as the default delimiter | tokenize(<expr>) |
| jsonfield | Extracts a field from a JSON string using a dot-notation path | jsonfield(<expr>, <expr>) |
| split | Splits a string into an array of substrings based on a delimiter | split(<expr>, <expr>) |
| join | Joins an array of strings into a single string using a delimiter | join(<expr>, ...) |
| substr | Returns a substring of a string based on a start and end index | substr(<expr>, <expr>, <expr>) |
| replace | Performs a find and replace on a string | replace(<expr>, <expr>, <expr>) |

Examples

len

| eval len=len(<expr>)

blen

| eval blen=blen(<expr>)

clen

| eval clen=clen(<expr>)

lower

| eval lower=lower(<expr>)

upper

| eval upper=upper(<expr>)

trim

| eval trimmed=trim(<expr>)

lstrip

Example with the field foo containing the value abcFoocba:

| eval stripped=lstrip(foo, "abc")

The result will be Foocba.

rstrip

Example with the field foo containing the value abcFoocba:

| eval stripped=rstrip(foo, "abc")

The result will be abcFoo.

strip

Example with the field foo containing the value abcFoocba:

| eval stripped=strip(foo, "abc")

The result will be Foo.

entropy

| eval entropy=entropy(<expr>)

tokenize

| eval tokens=tokenize(<expr>)

jsonfield

| eval value=jsonfield(<expr>, <path>)

split

For example, splitting an FQDN into its components:

| eval split=split("www.example.com", ".")

This will return a multivalue field with the following values ["www","example","com"].
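The following Python sketch is an added example, not part of this tool or its documentation. It shows what combining split and entropy on an FQDN computes when hunting for machine-generated hostnames. It assumes per-character entropy in bits, which the page does not specify; the sample names, threshold and minimum label length are constructed.

```python
import math
from collections import Counter

# Constructed sample values; threshold and minimum length are illustrative assumptions.
SAMPLE_FQDNS = [
    "www.example.com",
    "mail.example.org",
    "x7f3k9q2zt8bw1mv.example.net",
]
ENTROPY_THRESHOLD = 3.5  # bits per character, assumed cut-off
MIN_LABEL_LEN = 8        # a label of n characters cannot exceed log2(n) bits


def shannon_entropy(text):
    """Per-character Shannon entropy in bits: -sum(p * log2(p))."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(
        (count / total) * math.log2(count / total)
        for count in Counter(text).values()
    )


def split_labels(fqdn):
    """Equivalent of split(fqdn, "."), after lowercasing and dropping a trailing root dot."""
    return [label for label in fqdn.lower().rstrip(".").split(".") if label]


def high_entropy_labels(fqdns, threshold=ENTROPY_THRESHOLD, min_len=MIN_LABEL_LEN):
    """Return (fqdn, label, entropy) for labels long enough to score and above threshold."""
    hits = []
    for fqdn in fqdns:
        for label in split_labels(fqdn):
            if len(label) < min_len:
                continue  # entropy is capped at log2(len), so short labels are skipped
            score = shannon_entropy(label)
            if score >= threshold:
                hits.append((fqdn, label, round(score, 3)))
    return hits


if __name__ == "__main__":
    for fqdn, label, score in high_entropy_labels(SAMPLE_FQDNS):
        print(f"{fqdn}: label {label!r} entropy {score}")
```

Scoring each label separately keeps a low-entropy parent domain from diluting a random-looking subdomain, which is why the name is split before entropy is computed.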

join

| eval joined=join(<expression 1>, <expression N..>, <delimiter expression>)

substr

For example, extracting foo from foobar:

| eval sub=substr("foobar", 0, 3)

replace

For example, replacing foo with bar in the value foobar, which results in barbar:

| eval edited=replace("foobar", "foo", "bar")