Split and get last value in field

rodney_vdw · May 6, 2020, 8:54am

Morning…

I have a string field that is comma separated, the amount of commas can vary.
A
A, B
A, B, C
A, B, C, D

I would like to split and create a new field with the LAST value only, so from the above the new field value would be

A
B
C
D

I assume i would use a pipeline for this but functions like [-1] do not seem to work. Any ideas?

Something like

rule “split-abc”
when
has_field(“testfield”)
then
let abc_orig = to_string($message.testfield);
let abc = split(",\s*", abc_orig);

// and here the wheels fall off the bus [-1] does gives a processing error.
set_field(“a_abc”, abc[-1]);
end

tmacgbay · May 6, 2020, 8:22pm

You could GROK it with:

,%{WORD:the_letter_D}$

Where the $ is regex EOL.

rodney_vdw · May 7, 2020, 8:33am

well that was easier than expected! appreciate the input - works great (and without the pipeline)

cawfehman · May 7, 2020, 4:45pm

worth pointing out, without seeing the exact string you are extracting against, but based on your post, the exact GROK pattern posted will fail against a message with a single value as there is no , to match the pattern.

just a heads up.

Topic		Replies	Views
Pipeline - Split and Extract Graylog Central (peer support)	6	3375	February 23, 2018
Split function usage Graylog Central (peer support)	2	1450	April 12, 2018
Removing all comma(,) in a field Graylog Central (peer support)	3	3013	February 12, 2018
Pull integer from string Graylog Central (peer support)	10	2061	December 17, 2021
Split comma separated message Graylog Central (peer support)	2	791	July 1, 2019

Split and get last value in field

Related topics