0 Replies Latest reply on Jul 20, 2017 12:03 PM by tpmobley

    SubStringBefore in Rules

    tpmobley

      This is related to another question, I'm still working on resolving. Until that is resolved though, I was wondering about using part of a field when making rules.

       

      Specifically, for my Cisco syslogs, the EventInfo field shows the hostname followed by a bunch of other information. For example:

      EventInfo: SWITCHNAME: Jul 20 12:45:16.756 UTC %FACILITY-SEVERITY-MNEMONIC: Message-text

       

      What I want to do is use only the hostname portion in the Action box in Rule Creator. ...I know I can drag "EventInfo" to one of the $parameter fields, but how do I tell it to only use what is before the first colon (i.e. "SWITCHNAME")?

       

      ...in other programs I would use the substringAfter or substringBefore function to do this. Does such a thing exist in LEM?

       

      Thank you!