Any suggestions for the best function to use if I need to pull out a substring (a key=value pair to be exact) from my _raw, and put it at the beginning of the event?
In summary, trying to go from: raw=,<my_KV_pair>, to: raw=<my_KV_pair>,
Use the Mask function, make it three parts: the stuff before your target, the part you're targeting, everything after. If your _raw has multiple lines, be sure to check the 's' flag.
Match: (first part)(middle part)(last part)
Replace: g3+g1+g2
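The three-group match and reorder described in the reply, as an added example that is not part of the original thread or the product's own code: plain JavaScript that emits the targeted pair first and leaves the event untouched when the key is absent. The function name `moveKvToFront`, the comma-delimited field layout (no quoted values containing commas) and the sample event are assumptions.

```javascript
// Added example: plain JavaScript, runnable in Node.
// moveKvToFront / escapeRe are hypothetical helper names; sample data is constructed.

// Escape regex metacharacters so the key name is matched literally.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Move the first `key=value` field of a comma-delimited event to the front.
function moveKvToFront(raw, key) {
  // g1: everything before the pair (lazy, so the first occurrence wins)
  // g2: the pair itself; the value runs up to the next comma or line break
  // g3: everything after the pair
  // The lookbehind stops `id` from matching inside `userid=...`.
  // The 's' flag lets '.' cross newlines, which multi-line _raw needs.
  const re = new RegExp(
    `^(.*?)((?<![\\w.-])${escapeRe(key)}=[^,\\r\\n]*)(.*)$`, 's');
  const m = re.exec(raw);
  if (!m) return raw;            // key absent: do not rewrite the event
  const [, g1, g2, g3] = m;
  if (g1 === '') return raw;     // pair is already first
  // Drop the comma that preceded the pair so no empty field is left behind.
  const before = g1.endsWith(',') ? g1.slice(0, -1) : g1;
  return g2 + ',' + before + g3;
}

// Constructed sample event spanning two lines.
const sample = 'ts=1700000000,host=web01\nsev=warn,user=bob,action=login';
console.log(moveKvToFront(sample, 'user'));
```
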