Merge Related Fields Filter

Definition

Description

If the event matches Condition, merge the values of all fields whose name contains String into FieldName, separating the values with Delimiter.

 

 

Comments

If either String or FieldName is missing, blank, or invalid, the filter does nothing.

Field name comparisons using String are case-sensitive.

Field values are concatenated in the order in which they appear inside the event.

If Delimiter is empty, invalid, or non-existent, the field values are concatenated with no separator.

Newline ('\n') and space are legal delimiters.

Example:
%String% = "ev:set"
%FieldName% = "ev:msg"
Delimiter = "|"

Event before:
ev:set = "value1"
ev:set2 = "value2"
ev:setField = "value3"
setField = "value4"
ev:misc = "miscellaneous"

Event after:
ev:set = "value1"
ev:set2 = "value2"
ev:setField = "value3"
setField = "value4"
ev:misc = "miscellaneous"
ev:msg = "value1|value2|value3"
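The rules above can be modelled in a few lines to check what a merged field will contain before a parser or detection rule depends on it. This is an added illustration, not the product's code: the function name, the dict-based event, and the condition_met flag (standing in for Condition evaluation) are assumptions, as are the choices to overwrite an existing FieldName and to leave the event unchanged when no field matches, which the page does not specify.

```python
# Added illustration: a model of the documented merge rules, not product code.

# Constructed sample: the "Event before" from the example above.
PAGE_EVENT = {
    "ev:set": "value1",
    "ev:set2": "value2",
    "ev:setField": "value3",
    "setField": "value4",
    "ev:misc": "miscellaneous",
}


def merge_related_fields(event, string, field_name, delimiter="", condition_met=True):
    """Return a copy of event with matching field values merged into field_name.

    event is a dict; dict insertion order stands in for "the order in which
    they appear inside the event". condition_met is a hypothetical stand-in
    for the result of evaluating the filter's Condition.
    """
    result = dict(event)
    # Condition not met, or String / FieldName missing or blank: do nothing.
    if not condition_met or not string or not field_name:
        return result
    # Missing or invalid Delimiter: concatenate with no separator.
    if not isinstance(delimiter, str):
        delimiter = ""
    # Case-sensitive substring match against field names, in event order.
    values = [str(value) for name, value in event.items() if string in name]
    if values:
        # Assumption: an existing field_name is overwritten; with no match
        # the event is left unchanged.
        result[field_name] = delimiter.join(values)
    return result


if __name__ == "__main__":
    for name, value in merge_related_fields(PAGE_EVENT, "ev:set", "ev:msg", "|").items():
        print(f'{name} = "{value}"')
```

Because the name comparison is case-sensitive, a field such as "EV:SET" is left out of the merge without any error, which matters when downstream rules read only the merged field.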

 

Example

<filter objectId="MergeReleated.one" type="MergeRelatedFieldsFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec> <!-- changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>HOST_INVALID</value>
		</conditionSpec>
	</parameter>
	<parameter type="String">host</parameter>
	<parameter type="FieldName">ev:msg</parameter>
	<parameter type="Delimiter">:</parameter>
</filter>