Morning…

I have a string field that is comma separated, the amount of commas can vary.
A
A, B
A, B, C
A, B, C, D

I would like to split and create a new field with the LAST value only, so from the above the new field value would be

A
B
C
D

I assume i would use a pipeline for this but functions like [-1] do not seem to work. Any ideas?

Something like

rule “split-abc”
when
has_field(“testfield”)
then
let abc_orig = to_string($message.testfield);
let abc = split(",\s*", abc_orig);

// and here the wheels fall off the bus [-1] does gives a processing error.
set_field(“a_abc”, abc[-1]);
end

You could GROK it with:

,%{WORD:the_letter_D}$

Where the $ is regex EOL.

well that was easier than expected! appreciate the input - works great (and without the pipeline)

worth pointing out, without seeing the exact string you are extracting against, but based on your post, the exact GROK pattern posted will fail against a message with a single value as there is no , to match the pattern.

just a heads up.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.