|
| 1 | +--- |
| 2 | +layout: default |
| 3 | +title: substringBeforeLast() |
| 4 | +parent: Functions |
| 5 | +grand_parent: Pipelines |
| 6 | +nav_order: 90 |
| 7 | +--- |
| 8 | + |
| 9 | +# substringBeforeLast() |
| 10 | + |
| 11 | +The `substringBeforeLast()` function is used to extract the portion of a string that precedes the last occurrence of a specified delimiter. It takes two arguments: |
| 12 | + |
| 13 | +1. The first argument is either a literal string or a JSON pointer that represents the source string. |
| 14 | + |
| 15 | +1. The second argument is the delimiter string to search for within the first argument. |
| 16 | + |
| 17 | +If the delimiter is found, the function returns the portion of the string before the last occurrence of the delimiter. If the delimiter is not found, the original string is returned. If the source resolves to `null`, the function returns `null`. If the delimiter is `null` or empty, the original string is returned. |
| 18 | + |
| 19 | +For example, to remove the file extension from a filename field, use the `substringBeforeLast()` function as follows: |
| 20 | + |
| 21 | +``` |
| 22 | +'substringBeforeLast(/filename, ".")' |
| 23 | +``` |
| 24 | +{% include copy.html %} |
| 25 | + |
| 26 | +If the `/filename` field contains `archive.tar.gz`, the function returns `archive.tar`. |
| 27 | + |
| 28 | +Alternatively, you can use a literal string as the first argument: |
| 29 | + |
| 30 | +``` |
| 31 | +'substringBeforeLast("one-two-three", "-")' |
| 32 | +``` |
| 33 | +{% include copy.html %} |
| 34 | + |
| 35 | +The function returns `one-two` because it extracts the portion of the string before the last `-` character. |
| 36 | + |
| 37 | +The `substringBeforeLast()` function performs a case-sensitive search. |
| 38 | +{: .note} |
| 39 | + |
| 40 | +## Example |
| 41 | + |
| 42 | +The following pipeline uses the `substringBeforeLast()` function to extract the directory path from a full file path. It adds the extracted directory path as a new field called `directory`: |
| 43 | + |
| 44 | +```yaml |
| 45 | +substring-before-last-demo: |
| 46 | + source: |
| 47 | + http: |
| 48 | + ssl: false |
| 49 | + |
| 50 | + processor: |
| 51 | + - add_entries: |
| 52 | + entries: |
| 53 | + - key: directory |
| 54 | + value_expression: 'substringBeforeLast(/filepath, "/")' |
| 55 | + |
| 56 | + sink: |
| 57 | + - opensearch: |
| 58 | + hosts: ["https://opensearch:9200"] |
| 59 | + insecure: true |
| 60 | + username: admin |
| 61 | + password: admin_password |
| 62 | + index_type: custom |
| 63 | + index: demo-index-%{yyyy.MM.dd} |
| 64 | +``` |
| 65 | +{% include copy.html %} |
| 66 | +
|
| 67 | +You can test the pipeline using the following command: |
| 68 | +
|
| 69 | +```bash |
| 70 | +curl -sS -X POST "http://localhost:2021/log/ingest" \ |
| 71 | + -H "Content-Type: application/json" \ |
| 72 | + -d '[ |
| 73 | + {"filepath":"/var/log/syslog"}, |
| 74 | + {"filepath":"/home/user/docs/report.pdf"} |
| 75 | + ]' |
| 76 | +``` |
| 77 | +{% include copy.html %} |
| 78 | + |
| 79 | +The documents stored in OpenSearch contain the following information: |
| 80 | + |
| 81 | +```json |
| 82 | +{ |
| 83 | + ... |
| 84 | + "hits": { |
| 85 | + "total": { |
| 86 | + "value": 2, |
| 87 | + "relation": "eq" |
| 88 | + }, |
| 89 | + "max_score": 1, |
| 90 | + "hits": [ |
| 91 | + { |
| 92 | + "_index": "demo-index-2026.03.13", |
| 93 | + "_id": "abc123", |
| 94 | + "_score": 1, |
| 95 | + "_source": { |
| 96 | + "filepath": "/var/log/syslog", |
| 97 | + "directory": "/var/log" |
| 98 | + } |
| 99 | + }, |
| 100 | + { |
| 101 | + "_index": "demo-index-2026.03.13", |
| 102 | + "_id": "def456", |
| 103 | + "_score": 1, |
| 104 | + "_source": { |
| 105 | + "filepath": "/home/user/docs/report.pdf", |
| 106 | + "directory": "/home/user/docs" |
| 107 | + } |
| 108 | + } |
| 109 | + ] |
| 110 | + } |
| 111 | +} |
| 112 | +``` |
0 commit comments