|
Description |
If event matches Condition break FieldName into FieldNameList using Delimiter. |
|
|
|
|
Comments |
If there are more fields than there are field names in FieldNameList, then the last field name will contain the remainder of the line. If there are fewer fields than there are field names in FieldNameList, then the remaining fields will be the empty string (""). If FieldName, FieldNameList or Delimiter is non-existent, do nothing. Example : input = " A b d e f g" delimiter = "\s" (Whitespace) fieldNameList = f1, f2, f3, f4, f5 f1 = "", f2 = "A", f3 = "b" f4 = "d", f5 = "e f g" |
Note: normally the Delimiter parameter is used to specify a direct string match, but if “\s” is used a consecutive sequence of whitespace characters is matched.
<filter objectId="Filter.BreakLine" type="BreakLineFilter"> <parameter type="Condition"> <negatePrimaryCondition>false</negatePrimaryCondition> <conditionRelation>Any</conditionRelation> </parameter> <parameter type="FieldName">ev:msg</parameter> <parameter type="FieldNameList"> <fieldName>ev:protocol</fieldName> <!-0 to N of these --> <fieldName>ev:header</fieldName> </parameter> <parameter type="Delimiter">\s</parameter> </filter>