Split and get last value in field

rodney_vdw · May 6, 2020, 8:54am

Morning…

I have a string field that is comma separated, the amount of commas can vary.
A
A, B
A, B, C
A, B, C, D

I would like to split and create a new field with the LAST value only, so from the above the new field value would be

A
B
C
D

I assume i would use a pipeline for this but functions like [-1] do not seem to work. Any ideas?

Something like

rule “split-abc”
when
has_field(“testfield”)
then
let abc_orig = to_string($message.testfield);
let abc = split(",\s*", abc_orig);

// and here the wheels fall off the bus [-1] does gives a processing error.
set_field(“a_abc”, abc[-1]);
end

tmacgbay · May 7, 2020, 8:33am

You could GROK it with:

,%{WORD:the_letter_D}$

Where the $ is regex EOL.

rodney_vdw · May 7, 2020, 8:33am

well that was easier than expected! appreciate the input - works great (and without the pipeline)

cawfehman · May 7, 2020, 4:45pm

worth pointing out, without seeing the exact string you are extracting against, but based on your post, the exact GROK pattern posted will fail against a message with a single value as there is no , to match the pattern.

just a heads up.

system · May 21, 2020, 4:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.