Subcommands
| Subcommand | Description | Syntax |
|---|---|---|
| len | Gets the length of a string in Unicode graphemes | len(<expr>) |
| blen | Gets the length of a string in bytes | blen(<expr>) |
| clen | Gets the length of a string in characters | clen(<expr>) |
| lower | Converts all uppercase letters in a string to lowercase | lower(<expr>) |
| upper | Converts all lowercase letters in a string to uppercase | upper(<expr>) |
| trim | Removes leading and trailing whitespace from a string | trim(<expr>) |
| lstrip | Removes all characters matching a pattern from the left side of a string | lstrip(<expr>, <expr>) |
| rstrip | Removes all characters matching a pattern from the right side of a string | rstrip(<expr>, <expr>) |
| strip | Removes all characters matching a pattern from either side of a string | strip(<expr>, <expr>) |
| entropy | Calculates the Shannon entropy of a string | entropy(<expr>) |
| regex | Applies a regular expression to a string, returning all non-overlapping matches in order | regex(<expr>, /pattern/) |
| tokenize | Splits a string into tokens using whitespace as the default delimiter | tokenize(<expr>) |
| jsonfield | Extracts a field from a JSON string using a dot-notation path | jsonfield(<expr>, <expr>) |
| split | Splits a string into an array of substrings based on a delimiter | split(<expr>, <expr>) |
| join | Joins an array of strings into a single string using a delimiter | join(<expr>, ...) |
| substr | Returns a substring of a string based on a start and end index | substr(<expr>, <expr>, <expr>) |
| replace | Performs a find and replace on a string | replace(<expr>, <expr>, <expr>) |
Examples
len
For a field string containing hello, this example sets len to 5 (the number of Unicode graphemes):
| eval len=len(string)
blen
For a field string containing hello, this example sets blen to 5 (bytes for ASCII characters):
| eval blen=blen(string)
clen
For a field string containing hello, this example sets clen to 5 (characters):
| eval clen=clen(string)
lower
For a field text containing HELLO WORLD, this example sets lower to hello world:
| eval lower=lower(text)
upper
For a field text containing hello world, this example sets upper to HELLO WORLD:
| eval upper=upper(text)
trim
For a field text containing hello world with leading and trailing whitespace, this example sets trimmed to hello world:
| eval trimmed=trim(text)
entropy
For a field data containing aaaa, this example calculates the Shannon entropy, which will be close to 0 due to high redundancy:
| eval entropy=entropy(data)
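The entropy calculation above, worked through in Python as an added example (it is not part of the original documentation and is not the product's own code). It assumes entropy is measured in bits per character (log base 2) over individual characters, which the page does not state; normalized_entropy, flag_high_entropy, the threshold values and the sample strings are hypothetical.

```python
import math
from collections import Counter


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (assumption: log base 2, per character)."""
    if not s:
        return 0.0
    n = len(s)
    # H = sum over distinct characters of p * log2(1/p), with p = count / n
    return sum((c / n) * math.log2(n / c) for c in Counter(s).values())


def normalized_entropy(s: str) -> float:
    """Entropy as a fraction of the maximum possible for a string of this length.

    A string of n characters can never exceed log2(n) bits per character, so
    raw scores for short and long values are not directly comparable.
    """
    n = len(s)
    if n < 2:
        return 0.0
    return shannon_entropy(s) / math.log2(n)


def flag_high_entropy(values, threshold=4.0, min_len=20):
    """Hypothetical triage helper: keep long values scoring at or above threshold."""
    return [v for v in values
            if len(v) >= min_len and shannon_entropy(v) >= threshold]


# Constructed sample values, not taken from the page.
SAMPLES = [
    "aaaa",                      # one repeated character: fully redundant
    "hello world",               # short natural-language text
    "www.example.com",           # ordinary hostname
    "q7Zx2LmP9vKd4TnR8sYb1WcH",  # 24 distinct characters: maximal for its length
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: H={shannon_entropy(s):.3f} "
              f"normalized={normalized_entropy(s):.3f}")
    print("flagged:", flag_high_entropy(SAMPLES))
```

The length floor matters because a short value cannot reach a high raw score however random it looks, so a fixed threshold only makes sense above a minimum length.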
regex
For a field log containing 123-456-789, this example extracts all digit sequences into numbers:
| eval numbers=regex(log, /\d+/)
tokenize
For a field sentence containing foo bar baz, this example splits on whitespace and stores tokens in tokens:
| eval tokens=tokenize(sentence)
jsonfield
For a field json containing {"name":"John","age":30}, this example extracts the name using dot notation:
| eval name=jsonfield(json, "name")
lstrip
For a field text containing abcFoocba, this example removes leading abc characters and sets stripped to Foocba:
| eval stripped=lstrip(text, "abc")
rstrip
For a field text containing abcFoocba, this example removes trailing abc characters and sets stripped to abcFoo:
| eval stripped=rstrip(text, "abc")
strip
For a field text containing abcFoocba, this example removes both leading and trailing abc characters and sets stripped to Foo:
| eval stripped=strip(text, "abc")
split
For the string www.example.com split on the delimiter ., this example creates a multivalue field result containing ["www", "example", "com"]:
| eval result=split("www.example.com", ".")
join
For a field tokens containing ["Hello", "World"] and the delimiter " ", this example joins the values into a single string stored in joined:
| eval joined=join(tokens, " ")
substr
For a string foobar, this example extracts 3 characters starting at index 0 and stores the result foo in sub:
| eval sub=substr("foobar", 0, 3)
replace
For a string foobar, this example replaces foo with bar resulting in barbar stored in edited:
| eval edited=replace("foobar", "foo", "bar")