Break Events

This topic describes how to use the function in the .

Description

The Break Events function breaks grouped events into multiple events using a valid regular expression as the delimiter.

Function Input: collection<record<R>>; This function takes in collections of records with schema R.
Function Output: collection<record<R>>; This function outputs collections of records with schema R.

The required fields are in bold font.

break_events: content=<field>; delimiter=<regular-expression>; [output=<newfield>]

content: Syntax: <field>; Description: The field whose values will be broken into single events.

delimiter: Syntax: <regular-expression>; Description: A Java regular expression delimiter used to break events.

output: Syntax: <string>; Description: The name of the output field in the new event.; Default: body

Examples of common use cases follow. These examples assume that you have added the function to your pipeline.

This example assumes that you are in the SPL View.

...| break_events content=host delimiter= /\n/ output=new_field|...;

This example assumes that you are in the SPL View.

... | break_events output=new_field content=cast(body, "string") delimiter=/\n/ |...;

This example assumes that you are in the SPL View.

... | break_events content=cast(body, "string") delimiter=/,/ |...;