Substring
Learn about the Substring OTTL converter function.
2 minute read
The substring converter extracts part of a string using starting point and length character counts.
Syntax: Substring(target, start, length)
- target: The location of the target containing the string.
- start: The starting character count for the extraction.
- length: The number of characters to extract.
Input
{
"_type": "log",
"timestamp": 1735871592016,
"body": "{\"opcode\": 2, \"timestamp\": 1735871157, \"qname\": \"00:1a:2b:28:45:35:3f\", \"qtype\": \"A\", \"qclass\": \"IN\", \"source\": \"mirror\", \"qip\": \"185.237.49.209\", \"qport\": 53, \"rip\": \"158.24.224.230\", \"rport\": 53, \"protocol\": \"udp\", \"delay\": \"591\", \"rcode\": \"3\", \"type\": \"2\", \"qqr\": true, \"qaa\": true, \"qtc\": false, \"qrd\": true, \"qra\": false, \"qad\": true, \"qcd\": false, \"qdo\": true, \"rqr\": true, \"raa\": false, \"rtc\": true, \"rrd\": false, \"rra\": true, \"rad\": false, \"rcd\": false, \"rdo\": true, \"rrr1\": false, \"rrr2\": false, \"rrr3\": true, \"view\": \"admin\", \"anonymized\": true, \"nanosec\": 1735871157253000000, \"pid\": 60389, \"cid\": \"77\", \"tid\": 1}",
"resource": {...},
"attributes": {
"decoded_body": "{\"opcode\": 2, \"timestamp\": 1735871157, \"qname\": \"00:1a:2b:28:45:35:3f\", \"qtype\": \"A\", \"qclass\": \"IN\", \"source\": \"mirror\", \"qip\": \"185.237.49.209\", \"qport\": 53, \"rip\": \"158.24.224.230\", \"rport\": 53, \"protocol\": \"udp\", \"delay\": \"591\", \"rcode\": \"3\", \"type\": \"2\", \"qqr\": true, \"qaa\": true, \"qtc\": false, \"qrd\": true, \"qra\": false, \"qad\": true, \"qcd\": false, \"qdo\": true, \"rqr\": true, \"raa\": false, \"rtc\": true, \"rrd\": false, \"rra\": true, \"rad\": false, \"rcd\": false, \"rdo\": true, \"rrr1\": false, \"rrr2\": false, \"rrr3\": true, \"view\": \"admin\", \"anonymized\": true, \"nanosec\": 1735871157253000000, \"pid\": 60389, \"cid\": \"77\", \"tid\": 1}"
}
}
Statement
set(attributes["opcode"], Substring(attributes["decoded_body"], 11, 1))
Output
{
"_type": "log",
"timestamp": 1735871555160,
"body": "{\"opcode\": 2, \"timestamp\": 1735871157, \"qname\": \"00:1a:2b:28:45:35:3f\", \"qtype\": \"A\", \"qclass\": \"IN\", \"source\": \"mirror\", \"qip\": \"185.237.49.209\", \"qport\": 53, \"rip\": \"158.24.224.230\", \"rport\": 53, \"protocol\": \"udp\", \"delay\": \"591\", \"rcode\": \"3\", \"type\": \"2\", \"qqr\": true, \"qaa\": true, \"qtc\": false, \"qrd\": true, \"qra\": false, \"qad\": true, \"qcd\": false, \"qdo\": true, \"rqr\": true, \"raa\": false, \"rtc\": true, \"rrd\": false, \"rra\": true, \"rad\": false, \"rcd\": false, \"rdo\": true, \"rrr1\": false, \"rrr2\": false, \"rrr3\": true, \"view\": \"admin\", \"anonymized\": true, \"nanosec\": 1735871157253000000, \"pid\": 60389, \"cid\": \"77\", \"tid\": 1}",
"resource": {...},
"attributes": {
"decoded_body": "{\"opcode\": 2, \"timestamp\": 1735871157, \"qname\": \"00:1a:2b:28:45:35:3f\", \"qtype\": \"A\", \"qclass\": \"IN\", \"source\": \"mirror\", \"qip\": \"185.237.49.209\", \"qport\": 53, \"rip\": \"158.24.224.230\", \"rport\": 53, \"protocol\": \"udp\", \"delay\": \"591\", \"rcode\": \"3\", \"type\": \"2\", \"qqr\": true, \"qaa\": true, \"qtc\": false, \"qrd\": true, \"qra\": false, \"qad\": true, \"qcd\": false, \"qdo\": true, \"rqr\": true, \"raa\": false, \"rtc\": true, \"rrd\": false, \"rra\": true, \"rad\": false, \"rcd\": false, \"rdo\": true, \"rrr1\": false, \"rrr2\": false, \"rrr3\": true, \"view\": \"admin\", \"anonymized\": true, \"nanosec\": 1735871157253000000, \"pid\": 60389, \"cid\": \"77\", \"tid\": 1}",
"opcode": "2"
}
}