Splitting Using Runtime Field / Scripting Field

ksaimohan2k · June 20, 2023, 11:10am

In one of the alerts, in the field host.ip, I am seeing a bunch of IP addresses. So I want to create a scripted or runtime field where I want to split each IP address and place them in a new field like host.ip1 and host.ip2.

Below is the code I used it to split, but it's showing "value not set" . Can anyone let me know the issue

def ipList = doc['host.ip'].value;
def parts = /,/.split(ipList);
if (parts.length > 0) {
  return parts[0];
} else {
  return;
}

Below is the sample Field for reference

host.ip: ["fe80::7bc0:29c:eb66:5bc4", "192.167.101.229", "fe80::1049:a9ce:a62g:6656", "192.167.180.4"]

jughosta · July 10, 2023, 9:19am

Hi @ksaimohan2k,

For scripted fields the correct syntax is to use simply return statement.
But for runtime fields make sure to wrap the result into emit(...). For example:

if (parts.length > 0) {
  emit(parts[0]);
}

ksaimohan2k · July 10, 2023, 10:25am

Thank You @jughosta.

system · August 7, 2023, 10:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.