String expressions


  • !IN: Tests if a string contains a substring.
  • !STARTSWITH: Tests whether a string starts with a selected prefix.
  • !ENDSWITH: Tests whether a string ends with a selected suffix.
  • !SUBSTRING: Extracts part of a string.
  • !LOWER, !UPPER: Transforms a string into lowercase / uppercase.
  • !CUT: Cuts the string and returns a selected part.
  • !SPLIT, !RSPLIT: Splits a string into a list.
  • !JOIN: Joins a list of strings.


The !IN expression checks whether the string what occurs in the string where.

Type: Mapping.


!IN
what: <...>
where: <...>

Evaluates to true if the substring what is found in the string where, and to false otherwise.


!IN
what: "Willy"
where: "John Willy Boo"

Checks for the presence of the substring "Willy" in the where value. Returns true.

Multi-string variant

There is a special variant of the !IN operator that checks whether any of the strings provided in the what value (a list in this case) is in the where string. It is an efficient, optimized implementation of a multi-string matcher.

!IN
what:
  - "John"
  - "Boo"
  - "ly"
where: "John Willy Boo"

This is a very efficient way of checking whether at least one substring is present in the where string. It uses the Incremental String Matching algorithm for fast pattern matching in strings, which makes it an ideal tool for complex filtering, either standalone or as an optimization technique.

Example of !REGEX optimization by multi-string !IN:

    !AND
    # cheap multi-string prefilter
    - !IN
      where: !ARG message
      what:
      - "msgbox"
      - "showmod"
      - "showhelp"
      - "prompt"
      - "write"
      - "test"
      - "@mail.com"
    # full regular expression
    - !REGEX
      what: !ARG message
      regex: "(msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write)|(test[0-9])|([a-z]@mail\.com)"

This approach is recommended for stream applications, where you need to filter a large amount of data on the assumption that only a small portion of the data matches the patterns. Applying the !REGEX expression directly slows processing down significantly, because it is a complex regular expression. The idea is to "pre-filter" the data with a simpler but faster condition so that only a fraction of the data reaches the expensive !REGEX. The typical performance improvement is 5x-10x.

For that reason, the !IN must be a perfect superset of the !REGEX, which means:

  • !IN -> true, !REGEX -> true: true
  • !IN -> true, !REGEX -> false: false (this should be a minority of cases)
  • !IN -> false, !REGEX -> false: false (prefiltering, this should be a majority of cases)
  • !IN -> false, !REGEX -> true: this combination MUST BE avoided, adapt the !IN and/or !REGEX accordingly.
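
One way to check the superset requirement before deploying such a rule, as an added example that is not part of the original documentation: the Python sketch below models multi-string !IN as a plain substring test and !REGEX as an unanchored search (both are assumptions about the engine's semantics) and sorts constructed sample messages into the four combinations listed above. The function names, the samples and the "@mail.com" needle, derived from the regex's third alternative, are illustrative.

```python
import re

# Regex taken from the page's example.
PATTERN = re.compile(
    r"(msgbox|showmod(?:al|eless)dialog|showhelp|prompt|write)"
    r"|(test[0-9])|([a-z]@mail\.com)"
)

def prefilter(message, needles):
    """Model of multi-string !IN: true if any needle occurs in message."""
    return any(n in message for n in needles)

def audit(needles, pattern, samples):
    """Sort samples into the four !IN / !REGEX combinations."""
    report = {"both": [], "in_only": [], "neither": [], "regex_only": []}
    for msg in samples:
        hit_in = prefilter(msg, needles)
        hit_re = pattern.search(msg) is not None
        if hit_in and hit_re:
            key = "both"
        elif hit_in:
            key = "in_only"      # wasted regex evaluation, still correct
        elif hit_re:
            key = "regex_only"   # forbidden: the prefilter hides a real match
        else:
            key = "neither"
        report[key].append(msg)
    return report

# Constructed sample messages (not taken from real traffic).
SAMPLES = [
    "GET /?q=<script>prompt(1)</script>",
    "user ran unit test suite",
    "GET /index.html HTTP/1.1",
    "reply-to: bob@mail.com",
    "showmodaldialog('x')",
]

# One literal per regex alternative; dropping the last one breaks the superset.
COMPLETE = ["msgbox", "showmod", "showhelp", "prompt", "write", "test", "@mail.com"]
INCOMPLETE = COMPLETE[:-1]

if __name__ == "__main__":
    for name, needles in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        result = audit(needles, PATTERN, SAMPLES)
        print(name, {k: len(v) for k, v in result.items()})
        for msg in result["regex_only"]:
            print("  missed by prefilter:", msg)
```

Any entry under regex_only is an event the combined rule would silently drop, so a non-empty list there means the !IN list needs another literal.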


!STARTSWITH returns true if the what string begins with prefix.

Type: Mapping


!STARTSWITH
what: <...>
prefix: <...>


!STARTSWITH
what: "FooBar"
prefix: "Foo"

Multi-string variant

Work in progress

Not implemented yet.

!STARTSWITH
what: <...>
prefix: [<prefix1>, <prefix2>, ...]

In the multi-string variant, a list of strings is defined. The expression evaluates to true if at least one prefix string matches the start of the what string.


!ENDSWITH returns true if the what string ends with postfix.

Type: Mapping


!ENDSWITH
what: <...>
postfix: <...>


!ENDSWITH
what: "autoexec.bat"
postfix: ".bat"

Multi-string variant

Work in progress

Not implemented yet.

!ENDSWITH
what: <...>
postfix: [<postfix1>, <postfix2>, ...]

In the multi-string variant, a list of strings is defined. The expression evaluates to true if at least one postfix string matches the end of the what string.


!SUBSTRING returns the part of the string what between the from and to indexes.

Type: Mapping


!SUBSTRING
what: <...>
from: <...>
to: <...>


The first character of the string is located at position from=0.


!SUBSTRING
what: "FooBar"
from: 1
to: 3

Returns oo.


!LOWER transforms a string or a list of strings to lowercase.

Type: Mapping


!LOWER
what: <...>


!LOWER
what: "FooBar"

Returns foobar.


!LOWER
what: ["FooBar", "Baz"]

Returns the list of values ["foobar", "baz"].


!UPPER transforms a string into uppercase.

Type: Mapping


!UPPER
what: <...>


!UPPER
what: "FooBar"

Returns FOOBAR.


!CUT cuts the string by a delimiter and returns the piece identified by the field index (starts with 0).

Type: Mapping


!CUT
what: <string>
delimiter: <string>
field: <int>

The what string will be split using the delimiter argument. The field argument specifies the index of the split string to return, starting with 0.
If a negative field is provided, the field is counted from the end of the string; for example, -2 means the second-to-last substring.


!CUT
what: "Apple,Orange,Melon,Citrus,Pear"
delimiter: ","
field: 2

Returns the value "Melon".


!CUT
what: "Apple,Orange,Melon,Citrus,Pear"
delimiter: ","
field: -2

Returns the value "Citrus".


!SPLIT splits a string into a list of strings.

Type: Mapping


!SPLIT
what: <string>
delimiter: <string>
maxsplit: <number>

The what string will be split using the delimiter argument. The optional maxsplit argument specifies how many splits to do.


!SPLIT
what: "hello,world"
delimiter: ","

The result is a list: ["hello", "world"].


!RSPLIT splits a string from the right (the end of the string) into a list of strings.

Type: Mapping


!RSPLIT
what: <string>
delimiter: <string>
maxsplit: <number>

The what string will be split using the delimiter argument. The optional maxsplit argument specifies how many splits to do.


!JOIN joins a list of strings.

Type: Mapping


!JOIN
items:
  - <...>
  - <...>
delimiter: <string>
miss: ""

The default delimiter is a space (" ").

If an item is None, the value of the miss parameter is used; by default it is an empty string. If miss is None and any of the items is None, the result of the whole join is None.


!JOIN
items:
  - "Foo"
  - "Bar"
delimiter: ","