text
Len
The len subcommand is used to get the length of a string in bytes. This means that for utf-8 encoded strings containin non-ascii characters, the result may not be what you expect.
| eval len=len(<expression>)
Lower
The lower subcommand converts all uppercase letters in a string to lowercase.
| eval lower=lower(<expression>)
Upper
The upper subcommand converts all lowercase letters in a string to uppercase.
| eval upper=upper(<expression>)
Trim
The trim subcommand removes leading and trailing whitespace from a string.
| eval trimmed=trim(<expression>)
Concatenate
The concatenate subcommand concatenates two or more strings into one, you can optionally specify a delimiter to be inserted between the strings with the sep="val" argument.
| eval abc=concat("a", "b" , "c")
| eval a_b=concat("a", "b" , sep="_")
LStrip
The lstrip subcommand removes all characters matching a pattern from the left side of a string until it encounters a character not in the pattern.
NOTE: The order of the characers in the pattern does not matter, only that they are present in the string.
| eval stripped=lstrip(<value expression>, <pattern expression>)
Example removing with a the field foo containing the following value abcFoocba
| eval stripped=lstrip(foo, "abc")
The result will be Foocba.
RStrip
The rstrip subcommand removes all characters matching a pattern from the right side of a string until it encounters a character not in the pattern.
NOTE: The order of the characers in the pattern does not matter, only that they are present in the string.
| eval stripped=rstrip(<value expression>, <pattern expression>)
Example removing with a the field foo containing the following value abcFoocba
| eval stripped=rstrip(foo, "abc")
The result will be abcFoo.
Strip
The strip subcommand removes all characters matching a pattern from the either side of a string until it encounters a character not in the pattern.
NOTE: The order of the characers in the pattern does not matter, only that they are present in the string.
| eval stripped=strip(<value expression>, <pattern expression>)
Example removing with a the field foo containing the following value abcFoocba
| eval stripped=strip(foo, "abc")
The result will be Foo.
Split
The split subcommand will split a string into an array of substrings based on a delimiter.
| eval split=split(<value expression>, <delimiter expression>)
For example splitting up components of an FQDN:
| eval split=split("www.google.com", ".")
This will return a multivalue field with the following values ["www","google","com"].
SubStr
The substr subcommand returns a substring of a string based on a start and end index.
| eval sub=substr(<value expression>, <start index>, <end index>)
For example extracting foo from foobar:
| eval sub=substr("foobar", 0, 3)
Replace
The replace subcommand performs a find and replace on a string.
| eval edited=replace(<value expression>, <find expression>, <replace expression>)
For example replacing foo with bar in the value foobar resulting in barbar:
| eval edited=replace("foobar", "foo", "bar")