split

Split a single field into multiple fields around matches of the given regular expression. The transform accepts a single input and can create multiple outputs. The regular expression delimiter must be supplied as the transform's argument.

  • single input
  • multiple outputs
  • default output fieldname: “split”
  • argument is a regular expression

The Engine API uses the Java regular expression implementation. For more information about features and compatibility see http://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html

Example

Derive the host and port fields from host_port in the sample CSV log below:

datetime,            host_port,      ...
2015-03-31 11:30:00, localhost:9200, ...
2015-03-31 11:30:00, localhost:8000, ...

The regular expression delimiter is “:”, so the split transform definition is:

"transforms" : [
    {
        "transform":"split",
        "inputs":["host_port"],
        "arguments":[":"],
        "outputs":["host", "port"]
    }
]

The newly created host and port fields can be used as input to another transform or in the analysis.
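
Because the argument is a regular expression and not a literal string, a delimiter that contains a metacharacter, or a value that contains the delimiter more than once (an IPv6 literal in host_port, for instance), yields a different number of pieces than the outputs list declares. The Java program below is an added example, not part of the Engine API or its documentation; it assumes the transform splits the same way java.util.regex.Pattern.split does, and the class name, the check helper and the sample values are constructed for illustration.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

public class SplitDelimiterCheck {

    // Split a field value with java.util.regex.Pattern and report whether the
    // number of pieces matches the number of outputs declared in the transform.
    // (Hypothetical helper; the Engine's own handling of a mismatch is not shown.)
    static String check(String delimiterRegex, String value, int expectedOutputs) {
        String[] parts = Pattern.compile(delimiterRegex).split(value);
        String status = parts.length == expectedOutputs ? "ok" : "MISMATCH";
        return String.format("%-12s %-16s -> %-36s %s",
                delimiterRegex, value, Arrays.toString(parts), status);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real log.
        String[] hostPorts = { "localhost:9200", "[::1]:9200" };

        // The delimiter from the page: every colon is a split point,
        // including the colons inside a bracketed IPv6 address.
        for (String v : hostPorts) {
            System.out.println(check(":", v, 2));
        }

        // A stricter delimiter: only the colon that is followed by
        // digits running to the end of the value (the port).
        for (String v : hostPorts) {
            System.out.println(check(":(?=\\d+$)", v, 2));
        }

        // "." is a metacharacter that matches any character, so it must be
        // escaped to split a dotted value on literal dots. In the JSON
        // transform definition the backslash itself is written as "\\.".
        System.out.println(check(".", "10.0.0.1", 4));
        System.out.println(check("\\.", "10.0.0.1", 4));

        // An unescaped "|" is an empty alternation and matches between
        // characters; Pattern.quote produces a literal-match pattern.
        System.out.println(check("|", "alice|admin", 2));
        System.out.println(check(Pattern.quote("|"), "alice|admin", 2));
    }
}
```

Running the candidate delimiter against representative field values in this way, before adding it to the transform definition, shows whether each value produces exactly as many pieces as there are entries in "outputs".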