Parse delimiters
By default, when a parse function is executed, the returned text is delimited by a trailing space character. You can change this behavior by nesting the parse function in the $delim() function. This permits delimiters other than a space to denote the end of the parsed string.
The delimiters provide a large amount of flexibility when parsing strings, especially when a string includes multiple blank spaces, as might be the case for a variety of fields contained in messages. A parsed string replaces spaces with underscore characters.
The maximum size of any returned value is 100 characters.
The following table describes the delimiter flags that you can use as the first argument of the $delim() functions:
Delimiter | Description | Parse expression |
|---|---|---|
space | Delimits the returned parsed value by a space This is the default delimiter (hence this flag is included as a delimiter option mainly for completeness). | $delim (space, parse-spec) |
comma | Delimits the returned parsed value by the next comma character or the end of line | $delim (comma, parse-spec) |
colon | Delimits the returned parsed value by the next colon (:) character or the end of line | $delim (colon, parse-spec) |
semi | Delimits the returned parsed value by the next semi-colon character (;) or the end of line | $delim (semi, parse-spec) |
pipe | Delimits the returned parsed value by the next pipe character (|) or the end of line | $delim (pipe, parse-spec) |
dash | Delimits the returned parsed value by the next hyphen character (-) or the end of line The dash is a hyphen character (also referred to as the short dash character) and not a long dash (also referred to as the double dash character). | $delim (dash, parse-spec) |
amp | Delimits the returned parsed value by the next ampersand character (&) or the end of line | $delim (amp, parse-spec) |
plus | Delimits the returned parsed value by the next plus character (+) or the end of line | $delim (plus, parse-spec) |
hash | Delimits the returned parsed value by the next hash character (#) or the end of line | $delim (hash, parse-spec) |
atsign | Delimits the returned parsed value by the next at sign character (@) or end of line | $delim (atsign, parse-spec) |
pct | Delimits the returned parsed value by the next percent character (%) or the end of line | $delim (space, parse-spec) |
punct | Delimits the returned parsed value by the punctuation character, where any punctuation character including the preceding ones, can delimit the return value | $delim (space, parse-spec) |
sp-dash | Delimits the returned parsed value by the next space character followed by a hyphen character (-) The space-dash combination of characters is used extensively in messages to delimit fields such as AAA - BBB - CCC. This special type of delimiter might be used frequently when parsing Windows agent (and other) messages. | $delim (sp-dash, parse-spec) |
bquote | Delimits the returned parsed value by the next double-quoted string The second double quotation mark in the string can delimit the value, and the value is returned with the balanced quotation marks removed. The balanced quotation mark, or bquote, includes the closing character for the following pairs: "",//,(),[],{},<>. | $delim (bquote, parse-spec) |
cef | Delimits the returned parsed value by the start of the next CEF-style field, where the CEF field is in the form label=value The string preceding the next field is returned. If CEF is used, the parse function is quite useful (because CEF is extremely difficult to parse by any sort of program). | $delim (space, parse-spec) |
eol | Delimits the returned parsed value by the end of line This is useful only when the text that is targeted is delimited by the end of line and not some other delimiter. | $delim (eol, parse-spec) |
Related topic