[FEATURE] Add substring expression functions (substringAfter, substringBefore, substringAfterLast, substringBeforeLast) #6612
Description
Is your feature request related to a problem? Please describe.
The expression language has no way to extract a portion of a string by delimiter. Existing string processors (replace_string, split_string, trim_string, etc.) mutate fields in-place but cannot produce a value for assignment via value_expression in
add_entries.
For example, given a field containing "/app/src/main.py", there is no way to extract "main.py", "main", or "py" and assign them to new fields using expressions.
Describe the solution you'd like
Four new expression functions that extract substrings relative to a delimiter:
| Function | Description | Example | Result |
|---|---|---|---|
| substringAfter(s, d) | Everything after the first occurrence of d | substringAfter("key=a=b", "=") | "a=b" |
| substringBefore(s, d) | Everything before the first occurrence of d | substringBefore("key=a=b", "=") | "key" |
| substringAfterLast(s, d) | Everything after the last occurrence of d | substringAfterLast("/app/src/main.py", "/") | "main.py" |
| substringBeforeLast(s, d) | Everything before the last occurrence of d | substringBeforeLast("/app/src/main.py", "/") | "/app/src" |
Behavior:
- Both arguments can be a JSON Pointer (resolved from the event) or a string literal.
- If the delimiter is not found, the original string is returned.
- If either argument is null, null is returned.
- Usable anywhere expressions are accepted: value_expression, add_when, delete_when, conditional routing.
Example: Derive file name and extension
- add_entries:
entries:
- key: "extension"
value_expression: 'substringAfterLast(/path, ".")'
- key: "_filename"
value_expression: 'substringAfterLast(/path, "/")'
- add_entries:
entries:
- key: "name"
value_expression: 'substringBeforeLast(/_filename, ".")'Given /path = "/app/src/main.py", this produces extension = "py", name = "main".
Describe alternatives you've considered (Optional)
- Using split_string + index access: split_string splits a field in-place into an array but provides no way to select a specific element from the result and assign it to a new field via an expression.
- Using grok or dissect processors: These can parse strings into named fields but are heavier-weight, require pattern definitions, and don't compose naturally inside value_expression for inline field derivation.
- A single generic substring function with mode parameter: Four named functions are more readable and self-documenting than substring(/path, "/", "after", "last"). They also follow the convention of Apache Commons Lang's StringUtils which uses the
same four function names. - The expression grammar's FunctionArg rule only accepts JSON Pointers or string literals — not other function calls. Nested calls like substringBefore(substringAfterLast(/path, "/"), ".") are not supported. Intermediate fields must be used instead (as shown in the example).
Additional context
N/A