Parse delimiters: arguments for the $delim() function
By default, when a parse function is executed, the returned text is delimited by a trailing space character. This behavior can be changed by nesting the parse function in the $delim() function, discussed previously in this section, which permits delimiters other than a space to denote the end of the parsed string. The delimiter flags that can be used as the first argument of the $delim() function are described as follows:
Delimiter | Description |
---|---|
space | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by a space. This is the default delimiter (hence this flag is included as a delimiter option mainly for completeness). |
comma | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next comma character, or end of line. |
colon | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next colon (:) character, or end of line. |
semi | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next semi-colon character (;), or end of line. |
pipe | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next pipe character (\|) or the end of line. |
dash | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next hyphen character (-) or end of line. |
amp | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next ampersand character (&) or end of line. |
plus | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next plus character (+) or end of line. |
hash | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next hash character (#) or end of line. |
atsign | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next at sign character (@) or end of line. |
pct | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next percent character (%) or end of line. |
punct | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next punctuation character, where any punctuation character, including the preceding ones, can delimit the return value. |
sp-dash | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next space character followed by a hyphen character ( -). The space-dash combination of characters is used extensively in message context to delimit fields such as AAA - BBB - CCC, hence this special type of delimiter might be used frequently when parsing Windows agent (and other) messages. |
bquote | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the next double quoted string. The second double quote mark in the string can delimit the value (and the value is returned with the balanced quote marks removed). |
cef | This delimiter, used as the first argument of the $delim() function, can delimit the returned parsed value by the start of the next CEF style field, where the CEF field is in the form label=value. The string preceding the next field is returned. If CEF is used, the parse function is quite useful (since CEF is notoriously hard to parse by any sort of program). |
eol | This delimiter, used as the first argument of the $delim() function, delimits the returned parsed value by the end of line. This is only useful when the text that is targeted is delimited by the end of line and not some other delimiter. |
These delimiters provide a large amount of flexibility when parsing strings, especially when a string is to include multiple blank spaces (as might be the case for a variety of fields contained in messages). Any parsed string is returned with spaces replaced with underscores. The maximum size of any returned value is 100 characters.
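The following Python model is an added example, not code from the product: it reproduces the delimiter rules in the table above, plus the underscore substitution and 100-character cap, so that the value a rule will receive can be checked against sample message text. The function name `delim`, the ASCII punctuation set for punct, the whitespace-then-`label=` pattern for cef, and the fallback when no quoted string is present are assumptions.

```python
import re
import string

MAX_LEN = 100  # page: maximum size of any returned value

# Single-character delimiter flags from the table above.
CHAR_DELIMS = {"space": " ", "comma": ",", "colon": ":", "semi": ";",
               "pipe": "|", "dash": "-", "amp": "&", "plus": "+",
               "hash": "#", "atsign": "@", "pct": "%"}

def delim(flag, text):
    """Model the value returned for `text`, which starts at the parsed value."""
    line = text.split("\n", 1)[0]  # every flag also stops at end of line
    if flag in CHAR_DELIMS:
        value = line.split(CHAR_DELIMS[flag], 1)[0]
    elif flag == "punct":  # assumption: ASCII punctuation set
        m = re.search("[" + re.escape(string.punctuation) + "]", line)
        value = line[:m.start()] if m else line
    elif flag == "sp-dash":  # space followed by hyphen
        value = line.split(" -", 1)[0]
    elif flag == "bquote":  # contents of the next "..." pair, quotes removed
        m = re.search(r'"([^"]*)"', line)
        value = m.group(1) if m else line  # assumption: no quotes -> whole line
    elif flag == "cef":  # assumption: next field looks like <space>label=
        m = re.search(r"\s+\w+=", line)
        value = line[:m.start()] if m else line
    elif flag == "eol":
        value = line
    else:
        raise ValueError("unknown delimiter flag: " + flag)
    # Page: spaces become underscores and the result is capped at 100 chars.
    return value.replace(" ", "_")[:MAX_LEN]

# Constructed sample message tails (not real product output).
SAMPLES = [
    ("space", "Jane Doe logged on"),
    ("sp-dash", "Security Audit - Logon Failure - 4625"),
    ("dash", "Security Audit - Logon Failure - 4625"),
    ("bquote", '"Jane Q Public" denied'),
    ("cef", "Jane Doe dst=10.0.0.5 msg=Login failed"),
]

if __name__ == "__main__":
    for flag, text in SAMPLES:
        print(f"{flag:8} {text!r} -> {delim(flag, text)!r}")
```

Comparing the sp-dash and dash rows shows why the dedicated flag exists: dash leaves the trailing space in the value, which then becomes a trailing underscore.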